Recently, three security researchers have discovered a variant of a 19-Year-Old cryptographic attack that can be exploited to obtain the private encryption key needed to decipher sensitive HTTPS traffic under certain conditions.
ROBOT Attack: 19-Year-Old Bug Returns To Target Facebook & PayPal
Three security researchers have discovered a variant of an old cryptographic attack that can be exploited to obtain the private encryption key needed to decipher sensitive HTTPS traffic under certain conditions. It is called ROBOT, which comes from Return Of Bleichenbacher’s Oracle Threat. This new attack is a variant of the Bleichenbacher attack on the RSA algorithm discovered almost two decades ago.
A 19-year old attack
In 1998, Daniel Bleichenbacher of Bell Laboratories discovered an error in the way TLS servers operate when the owners of the servers chose to encrypt the key exchanges between the client and the server with the RSA algorithm.
By default, before a client (browser) and a server start communicating through HTTPS, the client will choose a random session key that will encrypt with the public key of the server. This encrypted session key is sent to the server, which uses its private key to decrypt the message and save a copy of the session key that it will then use to identify each client.
Because RSA is not a secure algorithm, it also uses a filler system to add an additional layer of random bits over the encrypted session key. Bleichenbacher discovered that if the session key was encrypted with the RSA algorithm and the filler system was PKCS #1 v1.5, an attacker could simply send a random session key to the TLS server and ask if it was valid. The server would respond with a simple “yes” or “no”.
This, as we can imagine that by means of a simple brute force attack, an attacker could guess the session key and decrypt all the HTTPS messages exchanged between the TLS server (HTTPS) and the client (browser).
Instead of replacing the insecure RSA algorithm, the designers of the TLS standard decided to add measures to hinder the brute-force guessing process. Make it harder to achieve the goal.
This was an incomplete and insufficient solution to the original attack of Bleichenbacher, and since then, researchers have published new variants of the original attack of Bleichenbacher in 2003, 2012, 2014 and 2015.
The most recent research on this topic was the DROWN attack, which affected one-third of all HTTPS sites, published in March 2016.
Today a new variant of Bleichenbacher called ROBOT has come to light. It is also based on circumventing the measures implemented by the creators of TLS in 1998 and beyond.
The problem, according to the researchers, is that the TLS standard is very complex and many vendors of server equipment do not correctly implement Section 220.127.116.11 of the TLS standard (RFC 5246), which defines the original attack measures of Bleichenbacher.
The research team that found and reported the ROBOT attack says that companies such as Cisco, Citrix, F5 and Radware offer products that are vulnerable to ROBOT attacks in certain configurations. That configuration is if the server owner decides to encrypt the TLS session key with the RSA algorithm and use the PKCS #1 v1.5 filler system.
Until the patches for vulnerable products arrive, the ROBOT research team and the CERT-US recommend that owners of vulnerable devices disable the RSA encryption TLS session key on their devices. This will not be a problem since most devices also support Elliptic Curve Diffie Hellman (ECDH) session key encryption as a better solution for RSA.
The ROBOT research team says that despite being a variant of a 19-year old attack, 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack. These sites include Facebook and PayPal. The scientific document on the ROBOT attack includes a case study on how the research team deciphered Facebook traffic.
So, what do you think about this? Simply share all your views and thoughts in the comment section below.