If you spend much time using computers as an adult, the chances are that you’ve had to electronically sign a document at some point. Many countries accept electronic signatures as legally binding, including the US, Canada, and the UK, where the Law Commission officially concluded that electronic signatures are valid in August 2018.
In some ways, electronic signatures are arguably better than handwritten ones. As they digitally hash the content of the document, they can prove to future viewers that no one has altered it.
Many software products support electronic signatures, mostly using the Portable Document Format (PDF) introduced by Adobe in 1993. The PDF file specification has supported digital signatures since 1999, and people have been happily signing documents ever since, but researchers at Ruhr-University Bochum in Germany just gave everyone pause.
The researchers published a paper revealing a flaw that PDF document viewers have presumably contained for the last 20 years. They found a way to add new content to documents without breaking the electronic signatures.
In a website dedicated to documenting the attacks, the researchers said:
With our attacks, we can use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by email@example.com to refund us one trillion dollars.
The researchers outline three separate kinds of attack:
Universal Signature Forgery (USF): This attack manipulates the digital signature itself, making it impossible for the viewer to verify it. Nevertheless, the viewer still reports the signature as valid.
This was one of the least successful attacks, blocked by most viewers, although Adobe Acrobat Reader DC and Adobe Reader XI were both caught out by it, the researchers said:
The attack seems trivial, but even very good implementations like Adobe Reader DC preventing all other attacks were susceptible against USF.
Incremental Saving Attack (ISA): Here a fraudster adds new content to the end of a signed PDF using a feature of the file format called incremental saving. Saving new content incrementally to an already-signed file is a valid thing to do, but the file viewer is supposed to tell users that the document has been altered. ISA stops that from happening by altering metadata in the newly saved part of the file, fooling the viewer into displaying the new content without flagging it as altered.
Signature Wrapping Attack (SWA): This was the attack most likely to work across a range of viewers and online file validators. It takes the originally signed content and moves it to a different part of the document, inserting new, fraudulent content at the original position.
One key weakness common to all these attacks is the
ByteRange parameter. This defines which bytes in the PDF file contain the content as the input for the hashing function that generates the digital signature. Each attack either directly manipulates this parameter or, in the case of ISA, simply stores the new content outside the document area defined in the
A wide range of viewers were susceptible to various combinations of these attacks. Of the 22 audited by the researchers, all of them were nobbled by at least one signature-squishing technique. The least susceptible was LibreOffice, which only fell to the ISA attack, and then only under certain conditions. Hooray for open source!
The researchers had two ideas about why so many readers fell victim to these flaws. Firstly, they said that the PDF specification is vague about how to validate signatures. Secondly, the viewers themselves err on the side of tolerance when opening, validating, and displaying malformed files, they added.
Luckily, the researchers followed responsible disclosure, working with the viewer developers to help them fix the flaws before publishing the paper. So as long as you update your software, the chances are that your electronic signature will still be worth more than the paper it’s (not) written on.