Researchers crack digital safe using HSM flaw

Two French researchers have found a bug in a hardware security module (HSM) that, if exploited, could enable an attacker to steal an organization’s most highly prized secrets.

An HSM is a physical security device that stores a range of secrets, including the digital keys used in encryption. It acts as a digital safe for secrets used in a variety of situations.

HSMs are used to store the digital keys used in certificates during public key encryption, for example, or in card payment systems. Even hardware-based cryptocurrency wallets use them. In short, these are devices designed to keep secrets under physical lock and key in very sensitive situations when software solutions simply won’t do.

An insecure HSM is a big deal.

Jean-Baptiste Bédrune and Gabriel Campana, both researchers at French security company Ledger, published the details of the hack in a technical paper (written in French). They will be presenting their research at the English-speaking BlackHat Las Vegas conference in August. Cryptosense analysed it to work out what they did.

The HSM in this case, which comes from an unnamed vendor, is a card that can be plugged into a computer’s PCIe bus. It is certified to level 3 of the US government’s FIPS 140-2 standard.

The researchers found that the firmware built into the module was signed, but not encrypted. This meant that they could analyze how it worked, and they found that it allowed them to upload and run additional custom code.

They used the software development kit (SDK) provided with the HSM to upload a custom firmware module to the unit. This gave them access to a shell inside the HSM that they could use to run a debugger and analyze the inner workings of the unit.

From there, they ran a fuzzer, which sends a lot of queries to the HSM’s PKCS #11 API. PKCS #11 is a cryptographic API created by RSA. They hit the API with a large number of parameters looking for data that might throw the HSM into an unstable state. These tests uncovered several buffer overflow error bugs that they could trigger by sending the HSM certain commands.

The researchers were able to write a module that they could run as unsigned custom firmware on the HSM that enabled them to dump all its secrets. They could recover keys, read secrets directly from the HSM’s memory, and dump the contents of the module’s flash storage, including its decryption key. The paper, translated from French, says:

The content is then decrypted offline, revealing all the secrets contained in the HSM. The exploit is a simple binary to run on the host.

Because the firmware is stored on its 64Mb flash memory, it is also persistent; you can’t get rid of it by simply rebooting the HSM.

The researchers have already sent the details of the bug to the vendor and the system has since been patched. However, it’s entirely possible (and likely) that many of these systems are still out there and exploitable in the wild.

Apparently, in the digital world as in the physical one, safe cracking is alive and well.