Major Vulnerabilities in HSMs Discovered
Yesterday’s announcement of this HSM hacking in the 2019 BlackHat program caused a lot of excitement for a good reason: the authors claim to have discovered unauthenticated remote attacks, giving full control of an HSM and full access to the keys and secrets stored in it.
For the moment, very few details are available in English about how this attack was led by Ledger researchers, but fortunately for Francophones, this work was presented in detail earlier this week at the annual conference on Security of France SSTIC. Francophones can watch the video or read the document proceedings.
What really happened?
For non-Francophones, the Cryptosense bilingual team translated a brief summary of what Ledger researchers Gabriel Campana and Jean-Baptiste Bédrune did. Many technical issues needed to be resolved along the way, as part of a thorough and professional vulnerability survey:
- They started using the SDK’s legitimate access to test HSM to load a firmware module that would give them a shell inside the HSM.
- Then, they used the shell to run a fuzzer in the internal implementation of PKCS #11 commands for reliable and exploitable buffer overflows.
- They verified that they could exploit this buffer overflows out of the HSM, that is, by simply calling the PKCS #11 driver of the host machine.
- Then they wrote a payload that would overload the access control and allow them, to load an arbitrary firmware (without signature). It is important to keep in mind that this back door is persistent, a subsequent update will not solve it.
- Then they wrote a module that would dump all the secrets of HSM and load it into the HSM.
The vulnerabilities have now been fixed. The manufacturer is not mentioned in the presentation, but it is possible to solve it, looking at the latest security announcements of major manufacturers of HSM.
Well-Funded vulnerability research teams within state intelligence agencies could have done similar work and discovered this attack. The disruption caused by the disclosure of certain secret keys to the financial system of the target country would be very interesting for those seeking to wage cyberwar. The most disturbing part of the attack may be that the firmware update is persistent. There may be HSM deployed in critical infrastructure now with similar backdoors.