Two security researchers from hardware wallet maker Ledger have unveiled vulnerabilities in a product from a Hardware Security Module (HSM) vendor.
The French security researchers describe their HSM hacking in a research paper.
The presentation session will take place at BlackHat USA 2019 in August. This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM.
The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.
What is a Hardware Security Module (HSM)?
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection.
Hardware Security Module Uses
A hardware security module can be employed in any application that uses digital keys. Typically the keys are high-value, meaning there would be a significant, negative impact to the owner of the key if it were compromised.
The functions of an HSM are:
- Onboard secure cryptographic key generation.
- Onboard secure cryptographic key storage, at least for the top-level and most sensitive keys, which are often called master keys.
- Key management.
- Use of cryptographic and sensitive data material, for example, performing encryption or digital signature functions.
- Offloading application servers for complete asymmetric and symmetric cryptography.
- Securing a full software stack from logical or physical attacks.
Cryptosense translated a brief summary of what the Ledger researchers Gabriel Campana and Jean-Baptiste Bédrune did. There were plenty of technical challenges to solve along the way, in what was clearly a thorough and professional piece of vulnerability research:
- They started by using legitimate SDK access to their test HSM to upload a firmware module that would give them a shell inside the HSM. Note that this SDK access was used to discover the attacks, but is not necessary to exploit them.
- They then used the shell to run a fuzzer on the internal implementation of PKCS#11 commands to find reliable, exploitable buffer overflows.
- They checked that they could exploit these buffer overflows from outside the HSM, i.e. by just calling the PKCS#11 driver from the host machine.
- They then wrote a payload that would override access control and, via another issue in the HSM, allow them to upload arbitrary (unsigned) firmware. It’s important to note that this backdoor is persistent – a subsequent update will not fix it.
- They then wrote a module that would dump all the HSM secrets, and uploaded it to the HSM.
We have translated some points of the research paper as follows:
A Brief Introduction to PKCS #11
PKCS #11 is a standard that defines a generic interface for interacting with a cryptographic device. A cryptographic device is a piece of hardware capable of performing cryptographic operations, such as an HSM or a smart card. The standard was developed by RSA Laboratories in connection with other companies and institutions; since 2013 it has been maintained and updated by the OASIS PKCS11 Technical Committee.
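The fuzzing step in the Cryptosense summary above found buffer overflows in the HSM's internal handling of PKCS#11 commands: the length fields in a PKCS#11 attribute template are supplied by the host and must be validated before the firmware copies anything. The following is an added example, not code from the Ledger paper or from the HSM vendor, of what such a bounds check looks like, together with a deterministic fuzz-style harness that would flag a missing check. The `CK_*` names are minimal local definitions mirroring the PKCS#11 header so the file compiles without a cryptoki library; `hsm_object_t`, `set_label`, `harness_overflow_count` and the `demo_*` helpers are hypothetical names invented for this example.

```c
/* Added example (not from the Ledger paper or the vendor's firmware):
 * a bounds-checked handler for a PKCS#11-style attribute template.
 * The CK_* definitions below are minimal local copies of the PKCS#11
 * header types and constants so this file builds stand-alone. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;
typedef void *CK_VOID_PTR;

#define CKA_LABEL                   0x03UL
#define CKR_OK                      0x00UL
#define CKR_ARGUMENTS_BAD           0x07UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_DATA_LEN_RANGE          0x21UL

typedef struct {
    CK_ATTRIBUTE_TYPE type;   /* which attribute, e.g. CKA_LABEL        */
    CK_VOID_PTR pValue;       /* host-supplied pointer to the value     */
    CK_ULONG ulValueLen;      /* host-supplied length: never trust it   */
} CK_ATTRIBUTE;

/* Hypothetical in-HSM object record: a fixed-size label buffer followed
 * by a canary so the harness can detect any out-of-bounds write. */
#define LABEL_MAX 32
#define CANARY_VALUE 0xA5A5A5A5u
typedef struct {
    char label[LABEL_MAX];
    uint32_t canary;
} hsm_object_t;

/* Copies a CKA_LABEL attribute into the object. ulValueLen comes from
 * the host, so it is checked against the destination size before any
 * memcpy; omitting that one line is the class of defect a fuzzer driving
 * the PKCS#11 interface from the host would surface. */
CK_RV set_label(hsm_object_t *obj, const CK_ATTRIBUTE *attr)
{
    if (obj == NULL || attr == NULL) return CKR_ARGUMENTS_BAD;
    if (attr->type != CKA_LABEL) return CKR_ATTRIBUTE_VALUE_INVALID;
    if (attr->pValue == NULL && attr->ulValueLen != 0) return CKR_ARGUMENTS_BAD;
    if (attr->ulValueLen > LABEL_MAX) return CKR_DATA_LEN_RANGE; /* bounds check */
    memset(obj->label, 0, LABEL_MAX);
    if (attr->ulValueLen != 0) memcpy(obj->label, attr->pValue, attr->ulValueLen);
    return CKR_OK;
}

/* Deterministic fuzz-style harness: submits templates with every length
 * from 0 to 4*LABEL_MAX and counts how many calls clobbered the canary.
 * With the check above in place the count is 0. */
int harness_overflow_count(void)
{
    unsigned char payload[LABEL_MAX * 4];   /* constructed oversized value */
    memset(payload, 'A', sizeof payload);
    int breaches = 0;
    for (CK_ULONG len = 0; len <= sizeof payload; len++) {
        hsm_object_t obj;
        memset(&obj, 0, sizeof obj);
        obj.canary = CANARY_VALUE;
        CK_ATTRIBUTE attr = { CKA_LABEL, payload, len };
        set_label(&obj, &attr);
        if (obj.canary != CANARY_VALUE) breaches++;
    }
    return breaches;
}

/* Helpers exposing single results for checking. */
CK_RV demo_valid_label(void)
{
    hsm_object_t obj = { {0}, CANARY_VALUE };
    char lbl[] = "signing-key";                    /* constructed label */
    CK_ATTRIBUTE attr = { CKA_LABEL, lbl, 11 };
    CK_RV rv = set_label(&obj, &attr);
    return (rv == CKR_OK && strcmp(obj.label, "signing-key") == 0) ? CKR_OK : rv;
}

CK_RV demo_oversized_label(void)
{
    hsm_object_t obj = { {0}, CANARY_VALUE };
    char lbl[] = "x";
    CK_ATTRIBUTE attr = { CKA_LABEL, lbl, 4096 }; /* lies about its length */
    CK_RV rv = set_label(&obj, &attr);
    return (obj.canary == CANARY_VALUE) ? rv : CKR_ARGUMENTS_BAD;
}

int main(void)
{
    printf("valid label: 0x%lx\n", demo_valid_label());
    printf("oversized label: 0x%lx\n", demo_oversized_label());
    printf("canary breaches: %d\n", harness_overflow_count());
    return 0;
}
```

The harness is the defender-side point: a template that declares a 4096-byte label for a 32-byte field is rejected with `CKR_DATA_LEN_RANGE` and the canary stays intact, whereas a handler that trusts `ulValueLen` would overwrite whatever follows the label in the object, which is the memory-corruption primitive the researchers turned into code execution.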
“Impact: Once arbitrary code execution is achieved, the question is the choice of the payload. It is executed with root rights. All actions are possible: recovery of keys, reading of memory to recover secrets, dumping the flash. The chosen solution is a patch of the PIN verification function, to log in as administrator with any password.”
“The administrator has the rights to install modules. Next, a module is loaded that retrieves the entire encrypted flash and its decryption key. The content is then decrypted offline, revealing all the secrets contained in the HSM. The exploit is a simple binary to run on the host.”
At the end, they said:
“This study, however, is not exhaustive and does not claim to be a state of the art security of all models of HSM available on the market. It is quite possible that the level of security varies strongly from one manufacturer to another, and even between different models from the same manufacturer.”
“Regarding the model analyzed, it is regrettable that no hardening is applied to the firmware of a security product. Indeed, even if it is impossible to guarantee the absence of vulnerabilities, an attacker’s job should be a priority. Finally, the vulnerabilities presented are exploited on the PCI version of the studied HSM model. It would be interesting to determine if the network versions of this range are also vulnerable, and remotely exploitable without access to the host machine.”