Two security researchers have recently revealed vulnerabilities that can be exploited remotely to retrieve sensitive data stored inside special computer components known as HSMs (Hardware Security Modules).
HSMs are hardware-isolated devices that use advanced cryptography to store, manipulate, and work with sensitive information such as digital keys, passwords, and PINs.
In the real world, they can take the form of add-in computer cards, network-connectable router-like devices, or USB-connected thumb drive-like gadgets.
They are usually used in financial institutions, government agencies, data centers, cloud providers, and telecommunications operators. While they've been a niche hardware component for almost two decades, they are now more common than ever, as many of today's "hardware wallets" are, basically, fancily designed HSMs.
Remote attack discovered in one HSM brand
At a security conference in France this past week, two security researchers from hardware wallet maker Ledger have disclosed details about several vulnerabilities in the HSM of a major vendor.
The duo's research paper is currently available only in French, but the two are also scheduled to present their findings at the Black Hat security conference that will be held in the US in August.
They started by using legitimate SDK access to their test HSM to upload a firmware module that would give them a shell inside the HSM. Note that this SDK access was used to discover the attacks, but is not necessary to exploit them.
They then used the shell to run a fuzzer on the internal implementation of PKCS#11 commands to find reliable, exploitable buffer overflows.
They checked that they could exploit these buffer overflows from outside the HSM, i.e. by just calling the PKCS#11 driver from the host machine.
They then wrote a payload that would override access control and, via another issue in the HSM, allow them to upload arbitrary (unsigned) firmware. It's important to note that this backdoor is persistent – a subsequent update will not fix it.
They then wrote a module that would dump all the HSM secrets, and uploaded it to the HSM.
The Cryptosense team also points out that the attack methods used by the Ledger research team are not particularly novel, and that others could have very well discovered these security flaws.
"Certainly well-funded vulnerability research teams at state-level intelligence agencies could have carried out similar work and discovered this attack," Cryptosense researchers said.
"The disruption caused to a target country's financial system by revealing certain secret keys would be pretty interesting to those looking to carry out cyber warfare.
"Perhaps the most concerning part of the attack is that the firmware update backdoor is persistent. There could be live HSMs deployed in critical infrastructure now containing similar backdoors," they added.