Private Keys Can Be Pilfered With Heartbleed Exploits
CloudFlare challenge to steal private keys via Heartbleed flaw finds a handful of winners
A challenge to exploit the infamous Heartbleed flaw to get encryption private keys has been accepted and completed by a number of researchers, highlighting the severity of the vulnerability.
The more skeptical corners of the security community believed Heartbleed, which was revealed to affect scores of websites last week, could not be exploited in normal conditions to get at private keys used in web connections, but were proven wrong.
The vulnerability lay in an extension of OpenSSL encryption, known as Heartbeat. In a normal Heartbeat transaction, a user machine would send packets of data to a server to keep a supposedly secure HTTPS connection open. If the data sent back by the server was the same as that sent, the connection would be kept alive.
But a trick meant that an attacker could send a malformed slice of data, containing a small payload disguised as a normal, larger one. The server would then extract the message and to ensure it was sending back the same amount of data as it thought it had received, would take chunks of memory from the server and give it back to the attacker.
That meant the hacker could get at 64KB of data back every time they sent a malicious request.
Private keys nabbed
Yet CloudFlare, a content delivery network provider, wasn’t too sure hackers could get at private keys held of vulnerable servers and so set up a challenge to acquire them from a server it had especially set up.
It was soon proven private keys could be acquired. Fedor Indutny, a Russia-based software engineer, was said to be the first to complete the challenge, followed by three others.
“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability,” CloudFlare said in a blog post.
The effects of Heartbleed have been felt across the technology industry, from big name Internet providers like Yahoo, to network vendors Cisco and Juniper, to Android mobile users.
NSA ‘knew of Heartbleed’
It’s also been claimed the US National Security Agency (NSA) knew about the Heartbleed vulnerability for two years. The flaw was introduced into the OpenSSL code two years ago. Citing people familiar with the matter, Bloomberg suggested the NSA quickly found out about the vulnerability and exploited it to steal passwords and spy on targets.
But the NSA denied knowing about it until last week. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” a spokesperson said.
Love security? Try our quiz!