RSA, the Bedford-based security division of EMC Corp. of Hopkinton, fired back Tuesday against a report from a group of European computer scientists suggesting that RSA’s SecurID technology may be open to attack.
The flaw, first reported Monday on the computer technology website Ars Technica, allows an attacker to extract cryptographic keys from the RSA SecurID 800 device, which many businesses use to protect computer data.
But according to RSA spokesman Kevin Kempskie, the method employed by the researchers requires access to the SecurID device and to the user’s PIN. If attackers had these items, they’d be able to access the information anyway, Kempskie said, regardless of any software weakness.
In addition, Kempskie said the problem was already known to RSA scientists, who created a fix for it last year. “While this research is scientifically interesting, it does not demonstrate a new or useful attack against the RSA SecurID 800,” he said.
RSA’s response was seconded by Marcus Carey, a security researcher with Rapid7 Inc., a network security company in Boston. He praised the scientists’ efforts, but said, “I don’t think this is a big concern for most businesses or companies, or people in general.”
Graham Steel, one of the researchers who discovered the problem, said Bedford-based RSA should take the threat more seriously, but he acknowledged that it has been overstated on some websites and online forums.
“Some of the stuff that’s been flying around the Internet [about the report] has been exaggerated,” said Steel, who was attending a computer security forum at Harvard University Tuesday. Still, he said, the flaw could be used to help someone steal encryption keys, giving that person access to encrypted e-mail messages sent from the affected computer. Steel said such a breach could also be accomplished by sending a stream of e-mails, so the attacker wouldn’t need physical contact with the computer.
The SecurID system is used by millions around the world to access secure computer networks. Users carry a small electronic device, similar to a key fob, with a screen that displays a six-digit code that appears random. The code changes once a minute and is computed from a unique digital “seed” assigned to each device. Inside the network, a SecurID server holding a copy of each device’s seed computes the same code. Users get into the network by typing the current code together with a separate PIN or password.
Last year, unknown intruders broke into RSA’s computer network and stole information that could be used to defeat the one-time-code system. Not long afterward, US defense contractors Lockheed Martin Corp., L-3 Communications Holdings Inc., and Northrop Grumman Corp. reported that intruders had attacked their SecurID systems in an effort to steal secret data from their corporate networks. RSA agreed to replace millions of its tokens to protect customers from similar breaches.
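The two paragraphs above describe how the one-time code is produced on both sides and why a stolen seed defeats it. The following is an added illustration, not RSA’s proprietary SecurID algorithm and not code from the researchers or from RSA: a generic HMAC-based time code (the construction used by RFC 6238 TOTP) with the properties the article names, a per-token seed, a six-digit code that changes once a minute, and a server that recomputes the code from its own copy of the seed and also checks the separate PIN. The seed, PIN, user name, timestamps and the `AuthServer` class are all constructed for the example.

```python
"""Added example: an HMAC-based time code with a server-side check.

Not RSA's SecurID algorithm; a generic construction that reproduces the
properties the article describes. Seed, PIN, user and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the code changes once a minute, as the article states
DIGITS = 6          # six-digit display

# Constructed 20-byte seed. In a real deployment this secret is programmed into
# the fob and a copy is held by the authentication server.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
DEMO_PIN = "4711"


def tokencode(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code shown on the display for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: take 4 bytes at an offset chosen by the MAC's last nibble.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Server side: holds a copy of each seed and the user's PIN and recomputes codes."""

    def __init__(self, window: int = 1):
        self.window = window       # tolerate +/- one time step of clock drift
        self.users = {}            # user -> (seed, pin)
        self.last_counter = {}     # user -> last accepted time step (replay defence)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)
        self.last_counter[user] = -1

    def verify(self, user: str, pin: str, code: str, unix_time: int) -> bool:
        if user not in self.users:
            return False
        seed, expected_pin = self.users[user]
        # Check the PIN in constant time, but still run the code check so the
        # response time does not reveal whether the PIN alone was right.
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
        now = unix_time // STEP_SECONDS
        matched = None
        for counter in range(now - self.window, now + self.window + 1):
            candidate = tokencode(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(candidate, code) and matched is None:
                matched = counter
        # A code is single-use: reject any step at or before the last accepted one.
        if not pin_ok or matched is None or matched <= self.last_counter[user]:
            return False
        self.last_counter[user] = matched
        return True


def stolen_seed_attack(seed: bytes, pin: str, unix_time: int) -> tuple:
    """Consequence of a seed compromise like the one the article recounts: whoever
    holds a copy of the seed computes exactly the code the fob displays. The PIN
    still has to be obtained separately, which is why it is the second factor."""
    return pin, tokencode(seed, unix_time)


if __name__ == "__main__":
    t0 = 1_700_000_040
    server = AuthServer()
    server.enroll("alice", DEMO_SEED, DEMO_PIN)
    code = tokencode(DEMO_SEED, t0)
    print("fob shows", code, "-> accepted:", server.verify("alice", DEMO_PIN, code, t0))
    print("same code replayed -> accepted:", server.verify("alice", DEMO_PIN, code, t0))
    pin, forged = stolen_seed_attack(DEMO_SEED, DEMO_PIN, t0 + 120)
    print("attacker with stolen seed -> accepted:", server.verify("alice", pin, forged, t0 + 120))
```

The replay check is what stops an observed code from being reused within the same minute; the stolen-seed function shows why RSA’s only remedy after the breach was to reissue tokens with fresh seeds rather than to patch software.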
But the flaw discovered by the European scientists has nothing to do with SecurID’s random number system. Instead, it involves a “smart card” feature found on the SecurID 800. That version of the device can be plugged into a computer’s USB port. A user who enters a PIN can then use the SecurID 800 to encrypt files on the computer, so unauthorized people can’t view them. The same process decrypts the files, making them readable again.
The researchers, based in France, Italy, the United Kingdom, and Norway, found a weakness in how such devices implement PKCS, a widely used family of public-key cryptography standards, when handling encrypted keys. That allowed them to recover keys protected by the SecurID 800, as well as by several other security products that implement the same standards.
Despite RSA’s assertion that the problem poses virtually no threat, Dan Kaminsky, chief scientist at San Francisco security company DKH LLC, said it’s a serious issue. “This is a feasible attack where in a matter of minutes, if the smart card is plugged into the computer, the computer can clone the smart card,” said Kaminsky. This might enable an attacker to regain access to secret information at any time.