History of Risks & Threat Events to CAs and PKI
In Risk Management terms, History refers to the series of attack events that are documented and examinable, for the purpose of validating threat attack models.
This is an ongoing effort to document those events that have been reasonably seen as attacks and threats relevant to the CA and the usage of certificates. The purpose of this page is to help risk assessments validate their threat models against recorded events.
Only attacks with whose existence is established by sufficiently reliable reporting are listed here. Consequences need to be identifiable, but they do not need to be against any specific party. To some extent, where we set the bar is difficult to justify because we lack a clear history of user damages, and those that do the damage are not talking. However, some history is better than none.
The above index indicates first known deployment which is a very uncertain measurand in secret affairs. However, in history, date is always first, so the above timeline is updated as new information comes in.
2001. False certs. An unknown party used weaknesses in validation to get two certificates issued in the name of Microsoft.com (Guerin). The attacker was thought to be of the reputational variety: interested in embarrassment of CA not exploitation.
2003. Phishing. This attack bypasses the security afforded by certificates due to weaknesses in the secure browsing model (Grigg1). The existence of an unsecured mode of communication (HTTP) alongside a secure mode (HTTPS) provides an easy borders-of-the-map or downgrade attack, which user interfaces offer little resistance against. Consequences: Best guesstimate runs at around $100m per annum (FC 1343).
2006. Dual_EC. The NSA caused the supply of bad number generators to industry (Anatomy of a NSA intervention), possibly impacting the signing of certificates. Short story: in the early 2000s, NIST standardised the approach for generating random numbers as a Special Publication 800-90 (SP800-90). This approach included a number of standard stretchers as the third phase in a collector/mixer/stretcher design. NSA designed and pushed a particular approach based on 2 elliptic curves, which was accepted as Dual_EC within SP800-90 in 2006. ISO (International Standards Organisation) followed suit (iso18031). NSA then coordinated and/or directly influenced at least one major supplier in the USA to make Dual_EC the default for all products shipped by that supplier. In 2007, Dual_EC was shown to be suspicious. In 2013, Snowden's revelations pointed the finger at a NIST 2006 product, and within a month, NIST withdrew endorsement over Dual_EC. The supplier immediately followed. Consequences: no evidence of direct breaches as yet, only indirect reputation effects. The supplier's credibility is ruined because it did not act when the warnings were clear, and instead followed NIST's lead without question (and/or under influence of government contracts). This supplier was a major player in the CA industry. Broader questions are raised about the entire crypto supply industry of the USA (Where do we stand?), NIST's role in crypto standards, and all FIPS-certified cryptographic products as they were typically required to use SP800-90 (Greene). Which includes most HSMs used to generate CA keys and sign certificates. This is no single event, consequences are spread as early as 2006 (shipments) to 2013 (confirmation) and probably later as default users will take a long time to switch away from Dual_EC.
2007.1. Flame. A malware called Flame was signed by a Microsoft sub-CA that was perverted by means of an older algorithm MD5 (arstechnica). The sub-CA was also wrongly approved for code-signing. The signature was attacked and a new signature forged onto a new certificate that signed the malware (wikipedia1, Stevens).
"Using a technique from  dubbed counter- cryptanalysis, it was found that the certificate was generated by a chosen-prefix collision attack on MD5, i.e., an attack that extends two prefixes P and P′ with suffixes S and S′ such that P∥S and P′∥S′ have the same hash value: a collision. Although the attack seems to be based on the same principles as published collision attacks, such as the attack by Wang et al. from  and the attack by Stevens et al. from , it has not been published before." Fillinger)
The malware was produced by Operation OlympicGames (NSA, CIA, Israel) against Iran's nuclear project (wikipedia2, wapo), see also Stuxnet. The certificate was apparently attacked in 2009 but the malware was in circulation as early as 2007 (skywiper). Consequences: Damages to Iran are unknown as yet. As it was an intelligence-gathering malware, it is hard to attribute damages directly. Microsoft revoked 3 sub-CAs in a security update effecting all distributions.
2007.2. Stuxnet. Two code-signing certificates, stolen from two separate chip manufacturers in Taiwan, were used to sign drivers that were installed as part of a rootkit to infect Windows machines (Krebs), (Wikipedia1). The overall goal was a highly targetted sabotage of Iranian centrifuges engaged in production of high-grade nuclear material. Stuxnet was actually two attacks with the same goal, but different methods (Langner), the first in 2007 or before, the second in 2009. Consequences: Various estimates suggested that Stuxnet succeeded in knocking out and perhaps destroying some 1000 centrifuges, estimated at 10% of Iran's centrifuge capacity (ISIS) and delaying Iran's weapon building program by 1.5-2 years (NYT20120601.2, Langner). DEBKA suggests the damage is far more severe and sweeping than first reported, effecting and targetting thousands or even millions of significant computers (DEBKA1), and carrying on into 2012 (DEBKA2). Claims have been made that collateral damage effected other similar plants in Russia (kaspersky). Attack was part of Operation OlympicGames (NSA, CIA, Israel) (NYT, wapo, Wired, IBT/DerSpiegel, FP), see also Flame and Regin1, Regin2.
2008.1. Interface breach. One CA created a false certificate for a vendor by probing the RA of a competitor for weaknesses (Leyden). Consequences: limited to lowered reputations for all of those involved.
2008.2. Weak root. An academic group succeeded in attacking a CA with weak cryptographic protections in its certificates (Sotirov et al). This resulted in the attackers acquiring a signed certificate over two keys, one normal and one that acted as a sub-root. This gave them the ability to sign new certificates that would be accepted by major vendors. Consequences: as the root that was attacked was slated to be removed within the month, consequences were limited. Faster rollout of the new root, perhaps a few certificate re-issuances and reputation damage.
2009 Etisalat's mass surveillance attack. A CA/telco signed a false certificate for a mobile network operator, signed a firmware update, and delivered it to all mobile subscribers in its network (pcworld). The attack worked because the mobile's software accepted any update from any channel signed by any CA in the rootlist of the device (post-PRISM). The firmware update contained spyware that registered phone details (including the PIN) and forwarded all emails on demand to Etisalat (Blackberrycool-1). It was spotted within a week because the spyware was delivered through unexpected channels, and it drained the battery of the mobile. The spyware was supplied by SS8 (Blackberrycool-2), an American company specialising in legal intercepts. Consequences: 140,000 subscribers were annoyed by battery draining and having to install / run anti-virus. Compromise of secret emails, and secret PINs. Damage to reputation for Etisalat (spying on customers), SS8 (crappy code) and RIM (poor security).
2009 Duqu. A malware signed with a valid but abused signature, from the same family as Flame and Stuxnet. Its purpose is "to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs)" (mcafeee) and "one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software." (wikipedia1). Duqu was fingered against a Hungarian CA (The//Intercept) and operated from 2009 to 2011, when unearthed in a hack on a secure firm in Hungary. Consequences: unknown, difficult to quantify as damage appears to be limited, and the malware was self-cleaning.
2010 Critical cert. A developer's laptop used to sign HP distros in 2010 was breached, a malware inserted itself into the signing process, got signed, then mailed itself back home Krebs. The malware wasn't used on HP, instead it was discovered 4 years later by Symantec. Meanwhile the certificate expired, but the cert holder still plans to revoke the certificate, and is expecting support issues as the revoked certificate blocks various and many packages. The base plan is to re-sign, but this does not apply to recovery partitions which can reset software back to factory config. Consequences: No direct damages reported. Indirectly, it could cause chaos if packages actually take the revocation seriously.
2011.1. False certs. A claimed-lone Iranian attacker, ichsunx2, breached approximately 4 CAs. His best success was to use weaknesses in an Registration Authority to acquire 9 certificates for several high profile communications sites (Zetter). It was claimed that the attacker operated under the umbrella of the Iranian state but no evidence for that was forthcoming. Consequences. No known user damages. Browser vendors revoked-by-patch ioerror.
Same CA also suffered a "compromise of its ‘UTN-USERFirst- Hardware’ certificate" which signed directly 85k certificates including 50 intermediate CAs, bringing it up to a total market-impact of 120k domains (WEIS 2013 Asghari et al). Consequences: unknown, the total market patch is interesting but not germane as yet.
2011.2. Breached / collapsed CA. The same attacker, icksunx2, breached a Dutch CA and issued 531 certificates (wikipedia). The CA’s false certs were first discovered in an attack on Google’s gmail service, suggested to be directed against political activists opposed to the Iran government. Controls within the CA were shown to be grossly weak in a report by an independent security auditor (FOX-IT1, FOX-IT3, also see enisa report), and the CA filed for bankrupcy protection (perhaps for that reason). Vendors discovered that revocation was not an option, and issued new browsers that blocked the CA in code. Consequences: Rework by google, and vendor-coordinated re-issuance of software to all browser users. Potential for loss of confidentiality of activists opposed to Iranian government. Many Netherlands government agencies had to replace their certificates. Tantalising hint from Brazil case that the CA may have been hacked by NSA.
2011.3. Certificate Stealing. 3 separate incidents indicate that certificates are now worth stealing. Infostealer.Nimkey is a malware distributed through traditional spam/phishing channels (Yahoo). Once it infects, it searches the victim computer for keys and sends them to a server in China. Duqu is a variant of Stuxnet that used a stolen code-signing cert to install drivers (Wikipedia2). From inspection of the malware, the attack was variously quoted as IP/data collection/espionage, stealing keys, or attacking CAs (McAfee). Identity fraud of some form was used to get a valid certificate issued in the name of a company by intercepting the verification communications to that company's employee (F-secure). Consequences: Re-issuance of certificates and reviews of security. In none of these 3 cases were any direct damages assessed.
2011.4. Spear Phishing. A group of 9 certificates were identified in targetted malware injection attacks (FOX-IT2). As the certificates were all alleged to be only 512 bits, the conjecture is that new private keys were crunched for them. Consequences: One public-facing sub-CA in Malaysia was dropped, 3 other CAs re-issued some certs and reviewed controls. No known customer breaches, but probably replacement certs for the holders (minor).
2011.5. Website hack. A captive CA for a telecom had its website hacked, and subscriber information and private IP compromised (Goodin). Attacker was listed as a hacker who tipped off the media, claiming not to be the first. Parent telecom shut down the website.
2012.1. Weak Key scan. Two academic groups independently scanned the net for all published certificates (6-11 million examples) and analysed them (Heninger, et al) and (Lenstra, et al). They found that 1% of certificates were in common, and 0.4% were constructed with poor parameters which permitted the revealing of the secret keys. The keys were traced to 3 popular hardware devices that had one popular software package at its core. Consequences: Damages have not been assessed but would involve some rework and reputational loss by the suppliers of these devices. Gain in reputation for the academic groups.
2012.2. CA breached contract against MITMs. A CA announced that it had issued a subroot to a company for the purposes of intercepting the secure communications of its employees (SpiderLabs). This is contrary to contract with vendors and industry compact. At some moment of clarity, the CA decided to withdraw the subroot. Consequences: loss or damage to that customer due to contract withdrawal. Such contracts have been estimated to cost $50k. Destruction of the equipment concerned, maybe $10k. Loss of reputation to that CA, which specialises in providing services to US government agencies. Potential for delisting the CA concerned in vendors' trust lists which could be a bankruptcy event (TheRegister). Loss of time at vendors which debated the appropriate response.
2012.4 In the vendor's words: "We recently received two malicious utilities that appeared to be digitally signed using a valid [Vendor] code signing certificate. The discovery of these utilities was isolated to a single source. As soon as we verified the signatures, we immediately decommissioned the existing [Vendor] code signing infrastructure and initiated a forensics investigation to determine how these signatures were created. We have identified a compromised build server with access to the [vendor] code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing [vendor] software signed using the impacted certificate. ...." If nothing else, kudos for a model disclosure!
2012.5 A CA here issued 2 intermediate roots to two separate customers 8th August 2011Mozilla mail/Mert Özarar. The process that allowed this to happen was discovered later on, fixed, and one of the intermediates was revoked. On 6th December 2012, the remaining intermediate was placed into an MITM context and used to issue an unauthorised certificate for *.google.com DarkReading. These certificates were detected by Google Chrome's pinning feature, a recent addition. "The unauthorized Google.com certificate was generated under the *.EGO.GOV.TR certificate authority and was being used to man-in-the-middle traffic on the *.EGO.GOV.TR network" wired. Actions. Vendors revoked the intermediates microsoft, google, Mozilla. Damages. Google will revoke Extended Validation status on the CA in January's distro, and Mozilla froze a new root of the CA that was pending inclusion.
2012.6 writes Symantec: "the VOHO attack campaign of June, 2012. What was particularly interesting about this attack was the use of the watering hole attack technique and the compromise of B9’s trusted file signing infrastructure. The VOHO campaign was ultimately targeting US defense contractors whose systems were protected by B9’s trust-based protection software but when the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose. This is exactly what they did when they diverted their attention to B9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the B9 protection model, they then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets."
2012.7 A security provider's code-signing cert was compromised through a misconfigured VM and the cert was used to sign dozens of malware. This was part of a targetted attack at a particular unnamed segment of industry, presumably one which was served by the provider. Consequences. "compromised specific Websites (a watering hole style attack...). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate."
2013.1 Brazil. The Ministry of Mines and Energy was attacked by the 5E group of intelligence agencies, led by Canada's CSEC, in what seems to be a state-industrial espionage campaign (globo).
...the author of the presentation makes the next steps very clear: among the actions suggested is a joint operation with a section of the American NSA, TAO, which is the special cyberspy taskforce, for an invasion known as “Man on the Side”. All incoming and outgoing communications in the network can be copied, but not altered. It’s like working on a computer with someone looking over your shoulder.
A vague accusation was previously made on Brazilian TV that certificate-based MITM attacks may have been made against many overseas corporations by the NSA:
Now, documents published by Fantastico appear to show that, far from “cracking” SSL encryption—a commonly used protocol that shows up in your browser as HTTPS—the spy agencies have been forced to resort to so-called “man-in-the-middle” attacks to circumvent the encryption by impersonating security certificates in order to intercept data. ... However, in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. ... One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
The attack happened, but the role of certificates is obscured by the fog of journalism (ElReg). Consequences: uncertain, the purpose is economic or industrial espionage: the aim of the Canadian agency: “Discover contacts of my target” – the Ministry of Mines and Energy of Brazil.
- 2013.2 Android's Secure Random. The default random number generator for all Android was found to be weak which resulted in a Bitcoin theft. Likely, this has impacted any certificates or cert-protected operations on Androids. No evidence of that as yet, though. Need more details here...
2013.3 Lavabit. FBI subpoened the SSL encryption key of a small email provider (Register). While stating they were only interested in tracking one customer (Snowden) it gave them access to all customers, and was probably an illegally broad request, not particularised. "On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Mr. Levison produced the keys in electronic form. Mr. Levison’s lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine. After two days, Mr. Levison gave in, turning over the digital keys — and simultaneously closing his e-mail service, apologizing to customers on his site. That double maneuver, a prosecutor later told his lawyer, fell just short of a criminal act" (NYT). Consequences: loss of an entire business. Compromise of entire customer base's secret communications, as the key has probably now gone to the NSA, and we know the NSA escrow encrypted traffic for future decryption. Indirect damage to reputation of all SSL sites, as it is clear that the USA courts will overreach to demand keys (something that UK's RIP permitted but was apparently never used).
2013.4 Signed Trojans. In two separate incidents, trojans were discovered to be signed by valid certificates signed by the same CA (1, 2). In both cases, the trojans seemed to be attacks on online banking, and one cert had signed 70b variants of trojans. The claimed companies for the certificates, one in Brazil, the other in France, did not exist, although it looks like the Brazilian name was registered as a company (whatever that means). Consequences: revocation and press reports (embarrassment).
2013.5 Fibre Tapping. Over the last several years, a major public email and phone supplier put SSL protection by default on all email and other services users. The NSA bypassed the protections of SSL by tapping unencrypted links between data centers (WaPo, FC1). The graphic reveals the story better than words. Consequences: potential breach of all and any services that might have been exposed over the unencrypted links, including access capabilities, intellectual property, financial data. Reports of entire databases, etc, being compromised in copying make this breach far bigger than the credit card hacking breaches, possibly the largest corporate breach to date. For the future, encrypted links seem more likely, and more end-to-end security models will likely be used. Reputation for security has taken a big hit, as the encryption of offsite data and the tapping of fibre is a widely known threat (FC2).
2013.6 ANSSI. The French cyberdefense agency (their description) ANSSI national government CA issued an intermediate CA cert to the French Ministry of Finance who went on to issue several fraudulent certificates for Google domains (google, SSI). The usage was apparently to decrypt SSL traffic within the ministry. The intermediates were revoked by the CA. Consequences. This should result in revocation of the top-level CA by browsers as several warnings have been shot in this direction. However, it is unlikely that they will do so; the CAs exercise considerable pressure in secret over the vendors. As this is a top-level western powers government CA, likely a compromise will be found (ElReg). Damages likely reduced to embarrassment and annoyance (bugzilla).
2014.1 Heartbleed. Researchers discovered and announced a flaw in the OpenSSL implementation of the TLS protocol for some recent versions allowed an attacker to access private data including keys from effected clients and servers. This in effect compromised (made uncertain) all keys in webservers running the buggy versions, as well as opened up client certificates to compromise. The attack did not cause any diagnostics to differentiate, therefore detection was difficult. Only action is to upgrade OpenSSL and regenerate keys and certs where effected. Consequences: Massive re-issuance and re-install exercise for all OpenSSL sites. CRA reported credible exploit over 900 customers but no damages as yet. Schneier claimed 6 weeks after "In the end, the actual damage was also minimal, although the expense of restoring security was great." Costs in rework have been suggested as high as $500m FC CHS lost 4.5m records.
2014.2 This discovery of Heartbleed above triggered a wide-spread review of common cryptographic libraries used and [[|processes]] employed for TLS/SSL; other suppliers reported goto fail similar finds, as well as more for OpenSSL CVE-2014-0224. Good history of SSL/TLS. Although not an attack on CAs nor PKI, it does break open the customer by attacking near to the certs. Consequences: No damages reported as yet. Gotofail and Poodle may have been implicated by review. Breaches like this (Heartbleed, Lucky13, gotofail) are setting an overall ceiling on expectations over security using secure browsing stack of HTTPS and TLS and causing rethinks at all levels.
2014.3 An intermediate CA was compromised in India and several false certs were issued for google sites and also Yahoo. Google took the unusual step of restricting the certs under that CA to Indian domains. Microsoft's auto-update system revoked the certs. No damages reported.
2014.4 Facebook analysis "we have designed and implemented a method to detect the occurrence of SSL man-in-the-middle attack on a top global website, Facebook. Over 3 million real-world SSL connections to this website were analyzed. Our results indicate that 0.2% of the SSL connections analyzed were tampered with forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware."
2014.5 Poodle attack is a downgrade attack on TLS to SSL v3 which then breaks open the packet using an attack on the weak padding. This allows older servers to be broken. Cloudflare reports low levels of SSL3.0 usage -- 0.65% of all HTTPS. Mozo and Chrome both announced intent to drop SSL3.0 entirely in short term (within 2m), which may disrupt some laggards. Later, it was discovered that TLS 1.0 and 1.1 were also susceptible to puddle if the padding wasn't checked correctly which was detected on around 3-4% of scanned servers. Consequences: No damages reported as yet.
2014.6 Emmental attack consists of man-in-the-browser trojan introduced into user's platform via phishing that corrupts both DNS resolver and platform's CA root list. It then proceeds to pop up warnings to trick the user into installing matching malware on user's mobile phone, which is listed as the second channel. Is targetted at 34 banks in Europe. Consequences. None reported in the paper.
2014.7 Kaspersky published details of a 4 year operation called DarkHotel that attacked against high-profile guests at hotels. By tricking the user and/or laptop into doing an upgrade, trojans were inserted. The updates were signed by somewhat valid RSA keys and Kaspersky strongly suggests that the majority of keys were factored / forged 512 bit keys, whereas some longer ones were stolen. Consequences. The somewhat vague description suggest that various executives had their corporate intellectual property stripped. As it was highly targetted, and a very expensive attack, this suggests defence companies or state secrets.
2014.8 GoP. Over the year, Sony Pictures Entertainment got hacked by "Guardians of Peace" being North Korean interests (meaning, probably state-endorsed cyberwarefare units) upset at the release of a politically sensitive comedy. Within the month, malware appeared signed by Sony certs. GoP release file dumps with a selection of business certs (banking, infra, servers) and "a Sony Corp. CA 2 “root” certificate - a digital certificate issued by Sony’s corporate certificate authority to Sony Pictures to be used in creating server certificates for Sony’s Information Systems Service (ISS) infrastructure. This may have been used to create the Sony Pictures certificate that was used to sign a later version of the malware that took the company’s computers offline." Consequences. Although there is no reported damages on the certificate-related aspects of the hacking, the cost to SEP overall includes an estimated $90m for pulling the movie with suggestions the total will be likely larger than the 2013 Playstation hacking cost of $170m. Several unreleased films were pushed out onto filesharing networks, dampening their revenue prospects.
2014.9 Code-signed malware. In an alternate play, Regin, a state-level attack, appears distributed in signed malware but the certs were just pretending to be Microsoft code-signing certs. Presumably people would be tricked into thinking these were real certs and Microsoft protection was just buggy.
Help in improving the facts gratefully accepted. Be careful with speculation, we need facts for this exercise. Embarrassing the victims does not help the mission of this page, so names of CAs and vendors are typically dropped.
Commentary & References
Discussed in this mozilla thread and comments incorporated 20120411.
SSL/TLS in a post-PRISM world is another list of breaches, includes "a video parody to explain the problem to non-technical people."