Three researchers have found that a cryptographic flaw in the implementation of the RSA algorithm, discovered by Daniel Bleichenbacher, can still be exploited today. An updated version of this attack has now been dubbed ROBOT, short for Return of Bleichenbacher's Oracle Threat, and reportedly affects 27 of the Alexa Top 100 websites, including major sites like PayPal and Facebook. The researchers, Hanno Böck, Juraj Somorovsky and Craig Young, discovered that an attacker could potentially obtain the private encryption keys necessary for the decryption of HTTPS traffic under certain conditions. So far, there have not been any reported or recorded abuses of ROBOT.
ROBOT is based on the flaw found by Bleichenbacher in 1998, which allowed the use of brute force attacks to successfully guess a session key and decrypt the HTTPS messages between TLS (HTTPS) servers and the client browser. This could happen if the session key was encrypted with the RSA algorithm and used the PKCS #1 v1.5 padding scheme. The attacker could send session keys to the TLS server and ask whether each one was valid—the server would answer ‘yes’ or ‘no’ until the attacker acquired the session key. Despite this flaw being known for almost two decades, ROBOT can still be leveraged today because the flaw’s countermeasures are complicated and often not properly implemented.
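To show what the yes/no oracle described above looks like in server code, and what the standard countermeasure does to it, here is an added illustration (it is not code from the article or from the researchers). The first function is a textbook PKCS #1 v1.5 unpadding routine whose distinguishable failures form the oracle; the second follows the approach of RFC 5246 section 7.4.7.1, absorbing every failure into a pre-generated random premaster secret so the server's behaviour no longer depends on the padding. Function names and the sample padded block are constructed for this example; Python cannot guarantee constant time, so the point is the single uniform failure path, not timing.

```python
import os
import hmac

PREMASTER_LEN = 48  # a TLS RSA premaster secret is always 48 bytes


def pkcs1_v15_unpad_naive(em: bytes) -> bytes:
    """Textbook PKCS #1 v1.5 type-2 unpadding of an RSA-decrypted block.

    Each distinct failure is reported separately and immediately. A server
    that surfaces these differences (error codes, alerts, timing) gives an
    attacker exactly the 'valid / not valid' answer the article describes.
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # at least 8 non-zero padding bytes are required
        raise ValueError("bad padding string")
    return em[sep + 1:]


def tls_rsa_premaster_hardened(em: bytes, client_version: bytes) -> bytes:
    """Oracle-free handling in the spirit of RFC 5246 7.4.7.1 (hypothetical
    helper for this example, not a real library API).

    A random premaster secret is generated BEFORE any check. Every check is
    evaluated and its result folded into one flag; whatever failed, the same
    code path returns either the real secret or the random fallback, and the
    caller never learns which. A wrong secret simply makes the handshake fail
    later in the Finished message, which is what it would do for a genuine
    client too.
    """
    fallback = os.urandom(PREMASTER_LEN)
    ok = 1
    ok &= int(len(em) >= 11 and em[0] == 0x00 and em[1] == 0x02)
    sep = em.find(b"\x00", 2)
    ok &= int(sep >= 10)
    secret = em[sep + 1:] if sep >= 0 else b""
    ok &= int(len(secret) == PREMASTER_LEN)
    # The client version inside the secret must also be checked silently;
    # compare_digest avoids an early-exit byte comparison.
    ok &= int(hmac.compare_digest(secret[:2], client_version))
    return secret if ok else fallback
```

A defender checking a TLS stack wants the second shape: no error branch, alert or timing that differs between a well-formed and a malformed RSA-encrypted premaster secret.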
According to the researchers, “for hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it. For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible [sic], but it is more challenging.”
To demonstrate the plausibility of a ROBOT attack, the researchers signed a message with the private key of Facebook's HTTPS certificate, meaning they could successfully impersonate the site. Facebook fixed the flaw in October, providing a bug bounty to the research team. The researchers also notified other vulnerable sites and vendors. The ROBOT page has an updated list with the status of their patches.
An attacker still has to be able to intercept existing network traffic to and from the would-be victim to exploit this flaw, which helps reduce the risk. Since it can be used to decrypt encrypted data and sign communications using a site’s private encryption key, website owners should check if they are vulnerable and take the steps to patch or fix the issue.