ROBOT exploit from 1998 resurrected, leaves top websites' crypto vulnerable

The 19-year-old vulnerability impacts websites from Facebook to PayPal as well as popular software.
Written by Charlie Osborne, Contributing Writer

A number of the most popular websites and services online, including Facebook and PayPal, are vulnerable to an exploit which has resurfaced from 1998.

The security flaw, dubbed ROBOT, was first discovered almost two decades ago by Daniel Bleichenbacher.

Error messages about PKCS #1 v1.5 padding, produced by secure sockets layer (SSL) servers, allow for an adaptive chosen-ciphertext attack which "fully breaks the confidentiality of TLS when used with RSA encryption," according to researchers Hanno Böck and Juraj Somorovsky from Hackmanit GmbH, Ruhr-Universität Bochum, and Tripwire VERT's Craig Young.

The server implementation bug could be used to perform RSA decryption and key signing in order to decrypt traffic.

"We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet," the team says.

The original attack was altered by adding signals that can distinguish between error types such as timeouts, connection resets, and duplicate TLS alerts.

This means that for websites vulnerable to ROBOT, attackers are given the opportunity to record traffic streams for decryption later. Private keys are not recovered during the process and so certificates do not need to be revoked.

"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack," the researchers say. "We believe that a server impersonation or man in the middle attack is possible, but it is more challenging."

When the 19-year-old vulnerability was first uncovered, the developers of TLS implemented countermeasures. However, these protections are incredibly complex, and it appears that, because of that complexity, they have not been implemented correctly.

"We used minor variations of the original attack and were successful," the researchers say. "This issue was hiding in plain sight."
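As an added illustration (not code from the researchers or any vendor), the sketch below contrasts a PKCS #1 v1.5 unpadding routine that reports each failure differently with the RFC 5246 style countermeasure of silently continuing with a random premaster secret. It works on constructed byte blocks standing in for the RSA decryption output; all function names are hypothetical, and because Python gives no constant-time guarantees, only the protocol-visible behaviour is shown.

```python
import hmac
import os
PMS_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes

def build_em(payload, k=256):
    """Constructed sample: a well-formed decrypted block for a k-byte modulus."""
    ps = bytes(b % 255 + 1 for b in os.urandom(k - 3 - len(payload)))  # non-zero
    return b"\x00\x02" + ps + b"\x00" + payload

def leaky_unpad(em):
    """Anti-pattern: every malformed case surfaces as a different error."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad_block_type")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no_separator")
    if sep < 10:  # fewer than 8 padding bytes
        raise ValueError("padding_too_short")
    if len(em) - sep - 1 != PMS_LEN:
        raise ValueError("bad_premaster_length")
    return em[sep + 1:]

def hardened_premaster(em, client_version):
    """RFC 5246 7.4.7.1 style: never raises; any failure yields a random secret."""
    fallback = os.urandom(PMS_LEN)        # drawn before looking at the block
    split = len(em) - PMS_LEN - 1         # the only acceptable separator position
    ps, sep, pms = em[2:split], em[split:split + 1], em[split + 1:]
    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= len(ps) >= 8 and ps.count(0) == 0
    ok &= sep == b"\x00" and len(pms) == PMS_LEN
    ok &= hmac.compare_digest(pms[:2], client_version)
    return pms if ok else fallback

def observed(handler, em):
    """What the peer can tell apart: an error label, or a continuing handshake."""
    try:
        handler(em)
        return "handshake_continues"
    except ValueError as exc:
        return str(exc)

VERSION = b"\x03\x03"  # TLS 1.2
SAMPLES = {  # constructed blocks, standing in for RSA decryption output
    "valid": build_em(VERSION + b"\x11" * 46),
    "bad_type": b"\x00\x01" + b"\xff" * 254,
    "no_separator": b"\x00\x02" + b"\xff" * 254,
    "short_padding": b"\x00\x02" + b"\xff" * 4 + b"\x00" + b"\xff" * 249,
    "wrong_length": build_em(b"A" * 20),
}
```

Running `observed` over `SAMPLES` gives five distinct outcomes for `leaky_unpad` and a single outcome for `hardened_premaster`; a malformed block only shows up later, when the handshake's Finished check fails the same way for every case.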

A research paper describing the vulnerability's return has been published at the Cryptology ePrint Archive.

According to the team, 27 out of the top 100 Alexa domains are vulnerable, alongside at least seven vendors including F5, Citrix, and Cisco.

Facebook has since patched its servers, and available patches are listed below:

It is important to note that MatrixSSL and JSSE are old vulnerabilities, but as the team detected vulnerable hosts, they have been included.

However, the team says that other vendors "have fixes pending" and so will not be named at the moment.

The researchers have released a test for public HTTPS servers, alongside a Python tool to test hosts for vulnerabilities.

"Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures," the team says. "We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy."
