[Cryptech Tech] [FORGED] News item: Major HSM vulnerabilities impact banks, cloud providers, governments
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Jun 12 04:27:55 UTC 2019
Warren Kumari <warren at kumari.net> writes:
>Major HSM vulnerabilities impact banks, cloud providers, governments
>https://www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-providers-governments/
>From TFA:
The duo's research paper is currently available only in French,
Devilishly clever! That way Thales and Gemalto can fix their HSMs while the
non-French-speaking hackers have to wait for Black Hat to find out what the
vulns are.
Despite the inexplicable lack of being taught phrases like "couche de resine
epoxy" while still learning everyday useful things like "le ballon tombe dans
les fleurs", the gist of the paper is that running externally-updatable
ancient unpatched Linux (an unstripped, unhardened 2.26 (!!!) kernel) with
buggy PKCS #11 firmware on your HSM isn't a good idea.
This isn't really an HSM, it's more an IoT device with a crypto accelerator
attached. Once I read to the description of the configuration, my only
surprise was that it took this long to get pwned. Not wanting to downplay the
authors' achievement, but it's a hack of a generic, run-of-the-mill IoT
device, just one that happens to be advertised as an HSM.
It's also not surprising that you can attack the PKCS #11 API directly, as the
authors correctly point out it's very complex and therefore has a very large
attack surface. I'm sure many PKCS #11 client-app developers have
inadvertently "attacked" their PKCS #11 implementation just by passing in
incorrect parameters while developing code (I have, for several
implementations).
In addition, with what they're running as the firmware as an indicator, it's
also not overly surprising that the crypto code itself is of, uhh, sub-par
quality. Sorta confirms the comment I made in my book that "A great many
security systems in use today are secure only because no-one's ever bothered
attacking them".
All in all a nice piece of work, and an interesting read.
Peter.
More information about the Tech
mailing list