From Politico Morning Cybersecurity

The physical security tokens carried by senior government officials and industry executives can be hacked, according to blockbuster research revealed Monday. The software used to generate private cryptographic keys for the tokens’ chips, which are manufactured by a company called Infineon, can be reverse-engineered, letting hackers “factor” – or identify – the keys and intercept or spoof any data they are supposed to protect. The attack threatens to shatter the expectation of public key cryptography – that documents and messages signed by someone’s private key genuinely originated with that person. Beyond personal conversations and file exchanges, the vulnerability also affects cryptographically signed software updates, raising the possibility that hackers could spoof a verified update to install malware on someone’s computer. Such tactics have been used before.

Source: ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]