State Machine Attacks


Transport Layer Security (TLS) handles quite a bit of “heavy lifting” in the digital world.

Responsible for processing multiple protocol versions, a number of different extensions and authentication modes, and handshakes between a variety of key exchange methods – exchange methods with their own unique message sequences between servers and clients, no less – the fact that it works at all is a marvel of modern engineering.

To really stress-test the capabilities of TLS, though, a number of researchers have been hunting for state machine bugs in an effort to uncover as many security vulnerabilities as possible.

This kind of “white hat” hacking is a critical part of digital security these days.

Without it, vulnerabilities – some that have existed for years inside of TLS libraries – would have continued to be exploited by bad actors, usually without anyone being the wiser.

Let’s outline how these targeted attacks were conducted and what was uncovered along the way.

Breaking Down the Threat Model

Right out of the gate, it’s important to understand that each and every one of the attacks we conducted on TLS was designed specifically to interfere with, hijack, or otherwise obfuscate the “handshake messages” of TLS itself.

Through a variety of different approaches we were able to “fuzzy things up a little bit”, especially when it came to tampering with the DNS (Domain Name System) information used throughout TLS in the first place.

Some of this involved refining the DNS information passed through the handshake agreement, but other attacks were a little more overt – involving outright domain name seizure in some cases.

Messaging Attacks on TLS

One of the largest hurdles to clear with these kinds of attacks was figuring out how to handle the variety of cipher suites in use across each TLS message sequence.

For example, in some cipher suites (like ECDHE) a server cannot be authenticated until a server key exchange message has been sent as part of the TLS handshake.

At the same time, the RSA cipher suite requires no server key exchange message whatsoever – it is skipped entirely – throughout the authentication process.

Interestingly enough, throughout the research we were able to uncover the fact that a lot of TLS implementations simply allowed this authentication message to be skipped over or worked around – even when the protocol “required” that message before proceeding.

Further research showed that a big piece of this security vulnerability was due to the fact that so many different TLS libraries out there use the same code base as so many others. One vulnerability in the “original code” significantly amplifies that same vulnerability across every other new piece of code that uses it as a baseline.

A number of the attacks carried out during the research showed that TLS can be worked around completely in some circumstances. All a server has to do is pretend that it has already exchanged the data with the client, and you are off to the races.

Interestingly enough, some of the (supposedly) most secure HTTPS API tools – including those used by PayPal, Amazon, and Google – continued to use code with these vulnerabilities built right in.
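To make the skipped-message problem concrete, here is an added example (written for this page, not code from the original article or from any TLS library) that models the client side of the handshake as a small state machine. The required message order per key exchange family, the `strict` flag that models a lenient implementation, and the function names are all assumptions made for the example; the point it demonstrates is that a client which accepts the server’s Finished message before every message its cipher suite requires has let the server skip authentication entirely.

```python
from dataclasses import dataclass, field

# Constructed table: the server handshake messages a client must see, in
# order, before it may accept the server's Finished message. Only the two
# key exchange families discussed in the text are modelled; ChangeCipherSpec
# is a separate record type and is left out for brevity.
REQUIRED_SEQUENCE = {
    "RSA":   ["ServerHello", "Certificate", "ServerHelloDone"],
    "ECDHE": ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"],
}


class HandshakeError(Exception):
    """Raised by a strict client when a server message arrives out of order."""


@dataclass
class ClientHandshake:
    key_exchange: str
    strict: bool = True            # False models the lenient implementations
    pos: int = 0                   # how many required messages have been matched
    seen: list = field(default_factory=list)

    def receive(self, msg: str) -> str:
        """Feed one server message; returns "in_progress" or "complete"."""
        required = REQUIRED_SEQUENCE[self.key_exchange]
        self.seen.append(msg)

        # The message the protocol expects next: accept it and advance.
        if self.pos < len(required) and msg == required[self.pos]:
            self.pos += 1
            return "in_progress"

        # Finished is only legitimate once every required message was seen.
        if msg == "Finished" and self.pos == len(required):
            return "complete"

        if self.strict:
            expected = required[self.pos] if self.pos < len(required) else "Finished"
            raise HandshakeError(f"unexpected {msg}, expected {expected}")

        # Lenient behaviour (the bug class described in the text): whatever
        # arrives is tolerated, so a server can jump straight to Finished.
        return "complete" if msg == "Finished" else "in_progress"

    def authenticated(self) -> bool:
        """True only if every message the cipher suite requires was received."""
        return self.pos == len(REQUIRED_SEQUENCE[self.key_exchange])


def run_handshake(key_exchange, server_messages, strict=True):
    """Drive a client through a server's message sequence.

    Returns (outcome, authenticated) where outcome is "accepted",
    "rejected" or "incomplete".
    """
    client = ClientHandshake(key_exchange, strict)
    state = "in_progress"
    try:
        for msg in server_messages:
            state = client.receive(msg)
    except HandshakeError:
        return "rejected", client.authenticated()
    outcome = "accepted" if state == "complete" else "incomplete"
    return outcome, client.authenticated()


if __name__ == "__main__":
    # Constructed message sequences: a complete ECDHE handshake and one where
    # the server omits ServerKeyExchange, which carries its signature.
    full = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone", "Finished"]
    skipped = ["ServerHello", "Certificate", "ServerHelloDone", "Finished"]
    print("strict, full:    ", run_handshake("ECDHE", full))
    print("strict, skipped: ", run_handshake("ECDHE", skipped))
    print("lenient, skipped:", run_handshake("ECDHE", skipped, strict=False))
```

The same harness doubles as a self-check for a client library: feed it the message order a test server actually emits and confirm that any sequence missing a required message comes back as "rejected" rather than "accepted".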

SKIP-TLS Risk Audit – Finding Your Level of Vulnerability

Our research shows that it is mission-critical to conduct a risk audit specifically targeted towards SKIP-TLS to root out these kinds of vulnerabilities.

The overwhelming majority of people who are going to suffer from these vulnerabilities are going to be using clients built on the compromised code bases we highlighted above.

Any code base that uses these TLS libraries to connect over HTTPS across insecure networks (open or public Wi-Fi networks, for example) is especially vulnerable.

We also discovered that any clients still using OpenSSL (with the sole exception of the most up-to-date version) are likely suffering from these same kinds of vulnerabilities, too.

A quick way to do a risk audit for these types of attacks on your own is simply to point your own HTTPS client at the auditor through Java.

If this connection reports an exception you are likely safe and secure from these kinds of threats.

If not, you have vulnerabilities that need to be taken care of.

FREAK: RSA Export Key Factoring

Another state machine issue that researchers were able to uncover involves servers impersonating some of the most popular web browsers on the market today and hijacking them through export cipher suites.

This particular type of attack (the Factoring RSA Export Keys attack) was made possible because of regulations implemented by the United States government – particularly on the national intelligence side of things – to create “backdoors” that would allow it to decrypt foreign communications that had otherwise already been encrypted.

The same regulations locked down more advanced encryption algorithms completely, not allowing them to be exported overseas. The government went so far as to classify these encryption algorithms as “weapons of war”!

Because of this approach, however, a variety of different platforms (including those run by the government) are purposefully using systems with known security vulnerabilities.

These weak encryption algorithms are widespread throughout the OpenSSL environment, even though many of them have been toggled “disabled” by those who are a little bit more security aware.

Unfortunately, these vulnerabilities can be exploited through lower-level decryption algorithms these days (including exportable cipher suites) – all by using a dummy browser as a bit of a “man in the middle” trick.

The exploit convinces the system to produce a very weak export key, the kind of export key that comes in at lower than 512 bits.

This can be factored using Amazon systems in less than 12 hours (for less than $100) – cracking systems maintained by the federal government (including the FBI, NSA, and CIA) as well as some of the biggest businesses on the planet.

Talk about a security threat, right!
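The checks a client needs to resist the downgrade just described are short enough to show in full. The following is an added example written for this page (it is not code from the original article, from OpenSSL, or from any browser): it recognises export-grade suites by name, audits a negotiated suite and the server’s RSA key size against the client’s own offer, and inspects an OpenSSL-style cipher string for an explicit `!EXPORT` exclusion. The cipher suite names are real IANA and OpenSSL spellings; the `CLIENT_OFFER` list, the 1024-bit threshold, and all function names are assumptions chosen for the example. The rule that a client must abort if the server selects a suite it never offered comes from the TLS specification, not from the article.

```python
# Policy assumption for this example (not a figure from the article): treat
# any RSA key below this size as factorable in practice.
MIN_SAFE_RSA_BITS = 1024

# Constructed ClientHello offer: a modern client never lists export suites.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def is_export_suite(name: str) -> bool:
    """Export-grade suites carry EXPORT in IANA names (TLS_RSA_EXPORT_...)
    and an EXP prefix in OpenSSL names (EXP-RC4-MD5, EXP1024-RC4-SHA)."""
    n = name.upper()
    return "_EXPORT" in n or n.startswith("EXP")


def audit_negotiation(offered, selected, rsa_key_bits=None):
    """Client-side checks on what the server sent back.

    offered      - cipher suites the client put in its ClientHello
    selected     - cipher suite named in the ServerHello
    rsa_key_bits - size of the RSA key from ServerKeyExchange, if any
    Returns a list of findings; an empty list means nothing to object to.
    """
    findings = []

    # TLS requires the client to abort if the server picks a suite the
    # client did not offer; a client that fails this check can be talked
    # into an export suite by a man in the middle.
    if selected not in offered:
        findings.append(f"server selected {selected}, which was never offered; abort")

    if is_export_suite(selected):
        findings.append(f"export-grade cipher suite negotiated: {selected}")

    if rsa_key_bits is not None and rsa_key_bits < MIN_SAFE_RSA_BITS:
        findings.append(f"RSA key of {rsa_key_bits} bits is below {MIN_SAFE_RSA_BITS}; factorable")

    return findings


def cipher_string_excludes_export(cipher_string: str) -> bool:
    """True if an OpenSSL cipher string explicitly removes export suites.

    OpenSSL accepts both EXPORT and EXP as the alias for export-grade
    suites; either one preceded by '!' removes them permanently.
    """
    tokens = [t.strip() for t in cipher_string.split(":")]
    return any(t in ("!EXPORT", "!EXP") for t in tokens)


if __name__ == "__main__":
    # Constructed scenario: the server answers with an export suite and a
    # 512-bit ephemeral RSA key even though the client offered neither.
    for f in audit_negotiation(CLIENT_OFFER, "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 512):
        print("FINDING:", f)
    print("clean negotiation:", audit_negotiation(CLIENT_OFFER, CLIENT_OFFER[0], 2048))
    print("HIGH:!aNULL:!EXPORT excludes export:", cipher_string_excludes_export("HIGH:!aNULL:!EXPORT"))
    print("ALL:!aNULL excludes export:        ", cipher_string_excludes_export("ALL:!aNULL"))
```

When auditing a server configuration, the cipher string check is the part to run first: a string that never mentions `!EXPORT` (or `!EXP`) relies on the library’s defaults to keep export suites out, which is exactly what the older library versions listed in the next section did not do.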

FREAK Risk Audit – Finding Your Level of Vulnerability

Finding your level of vulnerability to these specific kinds of attacks can be a little bit challenging, if only because there are so many websites, so many servers, and so many platforms that are running OpenSSL with these types of vulnerabilities in the first place.

Sure, some platforms have turned these cipher suites off completely (including platforms like Facebook) – but the overwhelming majority of platforms running OpenSSL are not even aware of these vulnerabilities in the first place.

A number of platforms have decided to roll out server-wide updates to patch and disable the cipher suites in recent years. Many of them have enjoyed considerable success, but there are still a lot of platforms out there that maintain these vulnerabilities even to this day.

Anything running OpenSSL version 1.01k (or anything earlier) has these kinds of vulnerabilities, as does anything running BoringSSL versions before the November 10, 2014 update.

Secure Transport, SChannel, LibreSSL, Mono, and even IBM JSSE all have these kinds of vulnerabilities “baked right in” as well.

Some of the most popular web browsers under the sun are also quite vulnerable to these types of attacks.

Chrome, Internet Explorer, Safari, Opera, the Android Browser, the BlackBerry Browser, and the Cisco browser are all easily exploited with the FREAK attack.

The most important thing you can do to shore up your defenses against this kind of attack is to make sure that your web browsers are patched, upgraded, and as up to date as humanly possible.

It’s a good idea to make sure that the same web browsers have automatic updates turned on as well, guaranteeing that you automatically have the latest version of these browsers downloaded and installed on your devices so that you don’t have to do this kind of maintenance on your own moving forward.

Of course, it’s also a good idea to make sure that you aren’t doing anything involving sensitive information or data on networks that are not totally secured.

You don’t want to bank, pay bills, or access sensitive information on open or public networks – like at the coffee shop, the airport, or the library.

This is the kind of work you only ever want to do on a totally secured network, ideally one that you have complete and total control over as far as the admin capabilities are concerned.

Finally, if you are connecting to any website that has HTTPS in place, make sure that it allows for export cipher suites.

Websites that do not have this feature enabled are significantly more vulnerable than others.

It takes only a couple of seconds to click the little lock button in your web browser to confirm the status of the connection on the sites and servers you are connecting to. Take the time to make this a real habit, digging deep into the information provided by the servers you’re looking to transmit sensitive information across, and you won’t have to worry about huge cyber vulnerabilities compromising your information quite as much.

The information throughout this guide won’t completely protect you from these types of attacks in the future (more TLS vulnerabilities are being discovered on a regular basis) but you’ll certainly be better protected than you were previously.