Posted on June 10, 2019 at 3:55 PM
Securing sensitive data is one of the top priorities of modern times, which makes it all the more crucial for hardware and software to be properly secured and managed. However, according to two security researchers, a special computer component known as an HSM (Hardware Security Module) contains a major flaw. The flaw can be exploited remotely, and anyone who does so could gain access to all the sensitive data stored within it.
An HSM is a hardware-isolated device used for storing sensitive information in a secure way. The device uses advanced cryptography, which allows it to work with and manipulate any type of sensitive data, such as passwords, PINs, digital keys, and the like. It has long been considered one of the safest ways to manage sensitive information.
Physically, the device can look like a computer card, a router, or even a USB-connected thumb-drive-like gadget. Most of the time, HSMs are used by data centers, financial institutions, governments and government agencies, and other organizations that require high levels of secrecy and confidentiality when storing and sharing data. These days, many of these devices also come in the form of hardware wallets used for storing cryptocurrencies.
HSM brand falls victim to remote attacks
While most believed that HSM devices are the ultimate way of safely storing data, a recent security conference in France brought disturbing news. Two security researchers used the opportunity to reveal several flaws found in devices made by a major HSM producer.
The researchers, Jean-Baptiste Bedrune and Gabriel Campana, both employed by the hardware wallet maker Ledger, released their research paper in French.
However, they will also present their discovery in August, during the US-based Black Hat security conference. The summary of their research and presentation points out that the discovered vulnerabilities could allow attackers to launch a remote attack and gain access to, as well as control of, a specific vendor's HSM.
The researchers point out that the attack could result in accessing and retrieving secrets, credentials, and even cryptographic keys. Further, the bugs can also be exploited to upload arbitrary content, such as modified firmware. The two mentioned that the uploaded firmware might install a backdoor that persists even after a subsequent firmware update.
Researchers have yet to name the vendor
Naturally, a flaw that allows such a massive level of access, compromising not only the device but its contents as well, is a major issue for HSM users and producers alike. So far, the two researchers have declined to publicly name the vendor whose products are affected.
However, they did reveal that they contacted the HSM maker and notified the brand of the flaws, as well as of the potential consequences of not fixing them immediately. The vendor reportedly responded by rapidly publishing firmware updates that fixed the reported security flaws.
Even so, there is already speculation online regarding the vendor's possible identity, and many believe that it might be Gemalto. The assumption is based on the fact that Gemalto suddenly issued a security update for its Sentinel LDK. The update went live only a month ago, and it improved the API for managing hardware keys on HSM components.
The summary of the researchers' report
The summary of the research published by Ledger's researchers describes the process they used to determine the extent of what the vulnerabilities allow. They uploaded a firmware module using legitimate SDK access to the tested HSM. Uploading the module provided them with a shell inside the HSM itself. SDK access of this kind is useful for discovering vulnerabilities, but it is not needed in order to exploit them.
After that, they used this shell to run a fuzzer against the internal implementation of PKCS#11 commands. This allowed them to locate exploitable buffer overflows. Next, they needed to check whether the buffer overflows could be triggered from outside the HSM.
The next step was writing a payload that allowed them to bypass access control. Another issue they discovered in the HSM also let them upload unsigned firmware, a persistent modification that cannot be undone by uploading a fix. Finally, they wrote a module that could retrieve all the files and content stored on the HSM, and uploaded it to the HSM to confirm that it worked.
The attack method used by the researchers is not exactly revolutionary, meaning that others could potentially have discovered these flaws as well. In other words, it is possible that many already have, particularly well-funded government agencies. Such attacks could disrupt financial systems and contribute to full-scale cyber warfare. But the most troubling detail regarding the attack is that the firmware backdoor cannot be erased with updates, meaning that, if HSMs were already compromised at the time the fix was released, the update did nothing to protect them.