ROBOT Attack: Who Says the Past Doesn’t Hurt?
Bleichenbacher Attack is back, and some big names are caught napping.
The world of cybersecurity is a lot like the Game of Thrones – shocking revelations, plot-twists, high-profile victims and the walking dead. Yes, you read that right; the walking dead are real. Speaking of which, a 19-year-old attack named Bleichenbacher Attack, has made a stunning comeback by the name ROBOT (Return Of Bleichenbacher’s Oracle Threat), and many high-profile names including Facebook, Cisco and PayPal were/have been found vulnerable. According to the official blog post, subdomains of 27 of the top 100 domains are affected by this vulnerability.
This vulnerability discovered in 1998 by Daniel Bleichenbacher, a cryptographic researcher, allows an attacker to break the TLS encryption done using RSA encryption. Bleichenbacher found a flaw in RSA encryption that allowed him to decrypt ciphertext without having access to the private key.
In his findings Bleichenbacher found that a hacker could relentlessly send ciphertexts (encrypted information/text) to the server and the server would respond in ‘Yes’ or ‘No,’ depending upon the validity of the ciphertext. If the server responds with ‘No,’ the hacker will try another one and so on – trial and error in simple terms. And if the server responds ‘Yes’…voila!
ROBOT also works along the similar lines, but “with some variations” – in the researchers’ terms.
What Aare the Potential Dangers?
For starters, a hacker could intercept the traffic and decrypt it without getting a hold of the private key. Needless to say, this is quite dangerous. Moreover, a perpetrator can also execute MiTM attacks by impersonating as the real server, and the end-user will have no clue that he/she’s talking to a dummy server. However, such attacks are highly complicated to execute.
Who Is Affected?
Simply put, the websites that have vulnerable hosts and only support RSA encryption are affected according to the researchers. As far as the numbers go, around 2.8% of the top 1 million websites have been affected. Keep in mind that we’re talking here about RSA encryption, not RSA signatures. Most SSL/TLS certificates, including ours, use RSA for signatures.
Hanno Böck, Juraj Somorovsky, and Craig Young, the researchers behind this attack found this vulnerability and informed Facebook about it. Facebook applied the patches sometime later and also paid a bounty to the researchers under their bug bounty program.
“We are grateful to the researchers who brought this to our attention. We quickly fixed the issue, which was introduced by a custom patch we developed and wasn’t caught in our testing or an external audit. We are not aware of any abuse of this issue, and we paid awards to the researchers through our bug bounty program. We also assisted the researchers in further exploring the impact of this issue for other services around the web,” said a Facebook spokesperson in an e-mail responding to this discovery.
Responding to the researchers, Cisco informed them that they could not patch their ACE product line as it was discontinued years ago. Here’s an excerpt from the ROBOT blog:
“Cisco informed us that the ACE product line was discontinued several years ago and that they won’t provide an update. Still, we found plenty of vulnerable hosts that use these devices.
These devices don’t support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.
However, if you use these products you’re in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.”
Am I Affected? How Do I check It?
If you want to (As you should) check your server for this vulnerability, you should head straight to SSL Server Test developed by SSL Labs.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownA Call To Let’s Encrypt: Stop Issuing “PayPal” Certificates
in Industry Lowdown