A group of researchers from Ledger company which produces hardware cryptocurrency wallets, identified several vulnerabilities in the Hardware Security Module (HSM) devices, which can be used to extract keys or perform a remote attack to replace the firmware of HSM device.HSM is a specialized external device designed to store public and private keys used to generate digital signatures and to encrypt data.
HSM allows significantly increase protection, as it completely isolates keys from the system and applications, only by providing an API to perform basic cryptographic primitives implemented on the device side. Typically HSM is used in areas where you need to provide the highest protection, for example, in banks, cryptocurrency exchanges, certification centers for checking and producing certificates and digital signatures.
The proposed attack methods allow unauthenticated user gaining complete control over the contents of the HSM, including extracting all stored on the device the cryptographic keys and administrative credentials.
The problems are caused by a buffer overflow in the internal PKCS#11 command handler and an error in the implementation of the cryptographic protection of the firmware, which bypasses the firmware check using the PKCS#1v1.5 digital signature and initiates loading own firmware in the HSM.
As a demonstration, was organized modified firmware download, to which was added a backdoor, remaining active after subsequent installations of regular firmware updates from the manufacturer. It is argued that the attack can be made remotely (the attack method is not specified, but it probably means the substitution of the downloaded firmware or the transfer to process specially designed certificates).
The problem was revealed during the fuzzing testing of the internal implementation of the PKCS#11 commands proposed in the HSM. Testing was organized by uploading module to HSM using the standard SDL. As a result, in the implementation of PKCS#11, was detected a buffer overflow, which turned out to be possible to exploit not only from the internal HSM environment, but also through a call to the PKCS#11 driver from the main operating system of the computer to which the HSM module is connected.
Next, the buffer overflow was exploited to execute the code on the HSM side and redefine access parameters. In the course of studying the filling, another vulnerability was discovered that allows downloading a new firmware without a digital signature. Ultimately, private module was written and uploaded to HSM, which leaks all the secrets stored in the HSM.
The name of manufacturer that produced vulnerable HSM devices has not yet been disclosed, but it is argued that problem devices are used by some large banks and cloud service providers. At the same time it is reported that information about the problems was previously sent to the manufacturer and he has already eliminated vulnerabilities in the fresh firmware update.
Independent researchers suggest that the problem may be in the devices of Gemalto company, which in May released an update to Sentinel LDK with the elimination of vulnerabilities, access to information about which is still close.