​Bitdefender finds eavesdropping vulnerability in public cloud

Bitdefender has developed a technique that enables a third party to tap into TLS-encrypted communication between an end-user and a virtualised instance of a server.
Written by Asha Barbaschow, Contributor

Security firm Bitdefender has found a vulnerability in public cloud infrastructures which it said allows a third party to eavesdrop on communications encrypted with transport layer security (TLS) protocol.

The vulnerability is leveraged by Bitdefender for its own research purposes, developing a technique called TeLeScope, which is only effective against virtualised environments that run on top of a hypervisor.

According to Bitdefender, such infrastructures are provided by industry giants Amazon, Google, Microsoft, and DigitalOcean, with the security vendor flagging banks, companies dealing with either intellectual property or personal information, and government institutions as the sectors likely to be affected by the security flaw.

Rather than exploiting a flaw in TLS, Bitdefender said the attack technique relies on extracting the TLS keys at the hypervisor level by clever memory probing and while the company said accessing a virtual machine's virtual resources was not new, real-time decryption of the TLS traffic without pausing the virtual machine at a particular moment had not been achieved before.

"We discovered this attack vector while researching a way to monitor malicious outbound activity on our honeypot network without tampering with the machine, and without tipping attackers off in any way that they are being watched," Bitdefender said in a statement.

The company said once major vulnerabilities such as Heartbleed or Logjam are found and patched, companies and their customers might not be completely protected once these flaws are plugged.

Speaking last month at the HITB Conference in Amsterdam, Bitdefender security researcher Radu Caragea demonstrated in a proof of concept that encrypted communication can be decrypted in real-time using a technique that has virtually no footprint and is invisible to almost everyone.

The security firm said Caragea's staged attack makes it possible for a malicious cloud provider, or one agreeing to give access to government agencies, to recover the TLS keys used to encrypt every communication session between a virtualised server and a organisation's customers.

"If you are a CIO and your company outsources the virtualisation infrastructure to a third party vendor, assume that all the information flowing between you and your users has been decrypted and read for an undetermined amount of time," Bitdefender said.

"There is no telling whether your communication has been compromised and for how long it has been happening because this approach does not leave any anomalous forensic evidence behind."

Additionally, Bitdefender said its proof of concept uncovers a fundamental lapse that cannot be fixed or mitigated without rewriting the cryptographic libraries currently in use.

The security firm said the only fix for the vulnerability is to prevent access to the hypervisor by a company running its own hardware inside its own infrastructure, adding that if an organisation does not own its own hardware, it does not own the data, either.

Editorial standards