History of Risks & Threat Events to CAs and PKI
In Risk Management terms, History refers to the series of attack events that are documented and examinable, for the purpose of validating threat attack models.
This is an ongoing effort to document those events that have been reasonably seen as attacks and threats relevant to the CA and the usage of certificates. The purpose of this page is to help risk assessments validate their threat models against recorded events.
Only attacks with whose existence is established by sufficiently reliable reporting are listed here. Consequences need to be identifiable, but they do not need to be against any specific party. To some extent, where we set the bar is difficult to justify because we lack a clear history of user damages, and those that do the damage are not talking. However, some history is better than none.
2001. False certs. An unknown party used weaknesses in validation to get two certificates issued in the name of Microsoft.com (Guerin). The attacker was thought to be of the reputational variety: interested in embarrassment of CA not exploitation.
2003. Phishing. This attack bypasses the security afforded by certificates due to weaknesses in the secure browsing model (Grigg1). The existence of an unsecured mode of communication (HTTP) alongside a secure mode (HTTPS) provides an easy borders-of-the-map or downgrade attack, which user interfaces offer little resistance against. Consequences: Best guesstimate runs at around $100m per annum (FC 1343).
2006. Dual_EC. The NSA caused the supply of bad number generators to industry (Anatomy of a NSA intervention), possibly impacting the signing of certificates. Short story: in the early 2000s, NIST standardised the approach for generating random numbers as a Special Publication 800-90 (SP800-90). This approach included a number of standard stretchers as the third phase in a collector/mixer/stretcher design. NSA designed and pushed a particular approach based on 2 elliptic curves, which was accepted as Dual_EC within SP800-90 in 2006. ISO (International Standards Organisation) followed suit (iso18031). NSA then coordinated and/or directly influenced at least one major supplier in the USA to make Dual_EC the default for all products shipped by that supplier. In 2007, Dual_EC was shown to be suspicious. In 2013, Snowden's revelations pointed the finger at a NIST 2006 product, and within a month, NIST withdrew endorsement over Dual_EC. The supplier immediately followed. Consequences: no evidence of direct breaches as yet, only indirect reputation effects. The supplier's credibility is ruined because it did not act when the warnings were clear, and instead followed NIST's lead without question (and/or under influence of government contracts). This supplier was a major player in the CA industry. Broader questions are raised about the entire crypto supply industry of the USA (Where do we stand?), NIST's role in crypto standards, and all FIPS-certified cryptographic products as they were typically required to use SP800-90 (Greene). Which includes most HSMs used to generate CA keys and sign certificates. This is no single event, consequences are spread as early as 2006 (shipments) to 2013 (confirmation) and probably later as default users will take a long time to switch away from Dual_EC.
2008.1. Interface breach. One CA created a false certificate for a vendor by probing the RA of a competitor for weaknesses (Leyden). Consequences: limited to lowered reputations for all of those involved.
2008.2. Weak root. An academic group succeeded in attacking a CA with weak cryptographic protections in its certificates (Sotirov et al). This resulted in the attackers acquiring a signed certificate over two keys, one normal and one that acted as a sub-root. This gave them the ability to sign new certificates that would be accepted by major vendors. Consequences: as the root that was attacked was slated to be removed within the month, consequences were limited. Faster rollout of the new root, perhaps a few certificate re-issuances and reputation damage.
2009 Etisalat's mass surveillance attack. A CA/telco signed a false certificate for a mobile network operator, signed a firmware update, and delivered it to all mobile subscribers in its network (pcworld). The attack worked because the mobile's software accepted any update from any channel signed by any CA in the rootlist of the device (post-PRISM). The firmware update contained spyware that registered phone details (including the PIN) and forwarded all emails on demand to Etisalat (Blackberrycool-1). It was spotted within a week because the spyware was delivered through unexpected channels, and it drained the battery of the mobile. The spyware was supplied by SS8 (Blackberrycool-2), an American company specialising in legal intercepts. Consequences: 140,000 subscribers were annoyed by battery draining and having to install / run anti-virus. Compromise of secret emails, and secret PINs. Damage to reputation for Etisalat (spying on customers), SS8 (crappy code) and RIM (poor security).
2009 Duqu. A malware signed with a valid but abused signature . It is thought to be from the same family as Flame and Stuxnet. It's purpose is thought to be "to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs)" (mcafeee) and/or "one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software." (wikipedia1). Consequences: unknown, difficult to quantify as damage appears to be limited, and the malware was self-cleaning.
2009.2. Flame. A malware called Flame was signed by a Microsoft sub-CA that was perverted by means of an older algorithm (arstechnica). The sub-CA was wrongly approved for code-signing, was signed using MD5, which enabled the signatre to be attacked and grafted onto a new certificate that signed the malware, using a hitherto unknown attack method (wikipedia1, Stevens). The malware was produced by Operation OlympicGames (NSA, CIA, Israel) against Iran's nuclear project (wikipedia2, wapo), see also Stuxnet. The certificate was apparently attacked in 2009 but the malware may have been in circulation as early as 2007. Consequences: Damages to Iran are unknown as yet. Microsoft revoked 3 sub-CAs in a security update effecting all distributions.
2010. Stuxnet. Two code-signing certificates, stolen from two separate chip manufacturers in Taiwan, were used to sign drivers that were installed as part of a rootkit to infect Windows machines (Krebs), (Wikipedia1). The overall goal was a highly targetted sabotage of Iranian centrifuges engaged in production of high-grade nuclear material. Consequences: Various non-authoritive reports suggested that Stuxnet succeeded in knocking out and perhaps destroying some 1000 centrifuges, estimated at 10% of Iran's centrifuge capacity (ISIS) and delaying Iran's weapon building program by 1.5-2 years (NYT20120601.2). DEBKA suggests the damage is far more severe and sweeping than first reported, effecting and targetting thousands or even millions of significant computers (DEBKA1), and carrying on into 2012 (DEBKA2). Attack was part of Operation OlympicGames (NSA, CIA, Israel) (NYT, wapo, Wired, IBT/DerSpiegel, FP), see also Flame.
2011.1. False certs. A claimed-lone Iranian attacker, ichsunx2, breached approximately 4 CAs. His best success was to use weaknesses in an Registration Authority to acquire 9 certificates for several high profile communications sites (Zetter). It was claimed that the attacker operated under the umbrella of the Iranian state but no evidence for that was forthcoming. Consequences. No known user damages. Browser vendors revoked-by-patch ioerror.
Same CA also suffered a "compromise of its ‘UTN-USERFirst- Hardware’ certificate" which signed directly 85k certificates including 50 intermediate CAs, bringing it up to a total market-impact of 120k domains (WEIS 2013 Asghari et al). Consequences: unknown, the total market patch is interesting but not germane as yet.
2011.2. Breached / collapsed CA. The same attacker, icksunx2, breached a Dutch CA and issued 531 certificates (wikipedia). The CA’s false certs were first discovered in an attack on Google’s gmail service, suggested to be directed against political activists opposed to the Iran government. Controls within the CA were shown to be grossly weak in a report by an independent security auditor (FOX-IT1, FOX-IT3, also see enisa report), and the CA filed for bankrupcy protection (perhaps for that reason). Vendors discovered that revocation was not an option, and issued new browsers that blocked the CA in code. Consequences: Rework by google, and vendor-coordinated re-issuance of software to all browser users. Potential for loss of confidentiality of activists opposed to Iranian government. Many Netherlands government agencies had to replace their certificates. Tantalising hint from Brazil case that the CA may have been hacked by NSA.
2011.3. Certificate Stealing. 3 separate incidents indicate that certificates are now worth stealing. Infostealer.Nimkey is a malware distributed through traditional spam/phishing channels (Yahoo). Once it infects, it searches the victim computer for keys and sends them to a server in China. Duqu is a variant of Stuxnet that used a stolen code-signing cert to install drivers (Wikipedia2). From inspection of the malware, the attack was variously quoted as IP/data collection/espionage, stealing keys, or attacking CAs (McAfee). Identity fraud of some form was used to get a valid certificate issued in the name of a company by intercepting the verification communications to that company's employee (F-secure). Consequences: Re-issuance of certificates and reviews of security. In none of these 3 cases were any direct damages assessed.
2011.4. Spear Phishing. A group of 9 certificates were identified in targetted malware injection attacks (FOX-IT2). As the certificates were all alleged to be only 512 bits, the conjecture is that new private keys were crunched for them. Consequences: One public-facing sub-CA in Malaysia was dropped, 3 other CAs re-issued some certs and reviewed controls. No known customer breaches, but probably replacement certs for the holders (minor).
2011.5. Website hack. A captive CA for a telecom had its website hacked, and subscriber information and private IP compromised (Goodin). Attacker was listed as a hacker who tipped off the media, claiming not to be the first. Parent telecom shut down the website.
2012.1. Weak Key scan. Two academic groups independently scanned the net for all published certificates (6-11 million examples) and analysed them (Heninger, et al) and (Lenstra, et al). They found that 1% of certificates were in common, and 0.4% were constructed with poor parameters which permitted the revealing of the secret keys. The keys were traced to 3 popular hardware devices that had one popular software package at its core. Consequences: Damages have not been assessed but would involve some rework and reputational loss by the suppliers of these devices. Gain in reputation for the academic groups.
2012.2. CA breached contract against MITMs. A CA announced that it had issued a subroot to a company for the purposes of intercepting the secure communications of its employees (SpiderLabs). This is contrary to contract with vendors and industry compact. At some moment of clarity, the CA decided to withdraw the subroot. Consequences: loss or damage to that customer due to contract withdrawal. Such contracts have been estimated to cost $50k. Destruction of the equipment concerned, maybe $10k. Loss of reputation to that CA, which specialises in providing services to US government agencies. Potential for delisting the CA concerned in vendors' trust lists which could be a bankruptcy event (TheRegister). Loss of time at vendors which debated the appropriate response.
2012.4 In the vendor's words: "We recently received two malicious utilities that appeared to be digitally signed using a valid [Vendor] code signing certificate. The discovery of these utilities was isolated to a single source. As soon as we verified the signatures, we immediately decommissioned the existing [Vendor] code signing infrastructure and initiated a forensics investigation to determine how these signatures were created. We have identified a compromised build server with access to the [vendor] code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing [vendor] software signed using the impacted certificate. ...." If nothing else, kudos for a model disclosure!
2012.5 A CA here issued 2 intermediate roots to two separate customers 8th August 2011Mozilla mail/Mert Özarar. The process that allowed this to happen was discovered later on, fixed, and one of the intermediates was revoked. On 6th December 2012, the remaining intermediate was placed into an MITM context and used to issue an unauthorised certificate for *.google.com DarkReading. These certificates were detected by Google Chrome's pinning feature, a recent addition. "The unauthorized Google.com certificate was generated under the *.EGO.GOV.TR certificate authority and was being used to man-in-the-middle traffic on the *.EGO.GOV.TR network" wired. Actions. Vendors revoked the intermediates microsoft, google, Mozilla. Damages. Google will revoke Extended Validation status on the CA in January's distro, and Mozilla froze a new root of the CA that was pending inclusion.
2012.6 writes Symantec: the VOHO attack campaign of June, 2012. What was particularly interesting about this attack was the use of the watering hole attack technique and the compromise of B9’s trusted file signing infrastructure. The VOHO campaign was ultimately targeting US defense contractors whose systems were protected by B9’s trust-based protection software but when the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose. This is exactly what they did when they diverted their attention to B9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the B9 protection model, they then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets.
2013.1 Brazil. The Ministry of Mines and Energy was attacked by the 5E group of intelligence agencies, led by Canada's CSEC, in what seems to be a state-industrial espionage campaign (globo).
...the author of the presentation makes the next steps very clear: among the actions suggested is a joint operation with a section of the American NSA, TAO, which is the special cyberspy taskforce, for an invasion known as “Man on the Side”. All incoming and outgoing communications in the network can be copied, but not altered. It’s like working on a computer with someone looking over your shoulder.
A vague accusation was previously made on Brazilian TV that certificate-based MITM attacks may have been made against many overseas corporations by the NSA:
Now, documents published by Fantastico appear to show that, far from “cracking” SSL encryption—a commonly used protocol that shows up in your browser as HTTPS—the spy agencies have been forced to resort to so-called “man-in-the-middle” attacks to circumvent the encryption by impersonating security certificates in order to intercept data. ... However, in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. ... One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
The attack happened, but the role of certificates is obscured by the fog of journalism. Consequences: uncertain, the purpose is economic or industrial espionage: the aim of the Canadian agency: “Discover contacts of my target” – the Ministry of Mines and Energy of Brazil.
2013.2 Android's SecureRandom. The default random number generator for all Android was found to be weak which resulted in a Bitcoin theft. Likely, this has impacted any certificates or cert-protected operations on Androids. No evidence of that as yet, though. Need more details here...
2013.3 Lavabit. FBI subpoened the SSL encryption key of a small email provider (Register). While stating they were only interested in tracking one customer (Snowden) it gave them access to all customers, and was probably an illegally broad request, not particularised. "On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Mr. Levison produced the keys in electronic form. Mr. Levison’s lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine. After two days, Mr. Levison gave in, turning over the digital keys — and simultaneously closing his e-mail service, apologizing to customers on his site. That double maneuver, a prosecutor later told his lawyer, fell just short of a criminal act" (NYT). Consequences: loss of an entire business. Compromise of entire customer base's secret communications, as the key has probably now gone to the NSA, and we know the NSA escrow encrypted traffic for future decryption. Indirect damage to reputation of all SSL sites, as it is clear that the USA courts will overreach to demand keys (something that UK's RIP permitted but was apparently never used).
2013.4 Signed Trojans. In two separate incidents, trojans were discovered to be signed by valid certificates singed by the same CA (1, 2). In both cases, the trojans seemed to be attacks on online banking, and one cert had signed 70b variants of trojans. The claimed companies for the certificates, one in Brazil, the other in France, did not exist, although it looks like the Brazilian name was registered as a company (whatever that means). Consequences: revocation and press reports (embarrassment).
2013.5 Fibre Tapping. Over the last several years, a major public email and phone supplier put SSL protection by default on all email and other services users. The NSA bypassed the protections of SSL by tapping unencrypted links between data centers (WaPo, FC1). The graphic reveals the story better than words. Consequences: potential breach of all and any services that might have been exposed over the unencrypted links, including access capabilities, intellectual property, financial data. Reports of entire databases, etc, being compromised in copying make this breach far bigger than the credit card hacking breaches, possibly the largest corporate breach to date. For the future, encrypted links seem more likely, and more end-to-end security models will likely be used. Reputation for security has taken a big hit, as the encryption of offsite data and the tapping of fibre is a widely known threat (FC2).
Help in improving the facts gratefully accepted. Be careful with speculation, we need facts for this exercise. Embarrassing the victims does not help the mission of this page, so names of CAs and vendors are typically dropped.
Commentary & References
Discussed in this mozilla thread and comments incorporated 20120411.
SSL/TLS in a post-PRISM world is another list of breaches, includes "a video parody to explain the problem to non-technical people."