A flaw in the Transport Layer Security (TLS) protocol can allow man-in-the-middle attackers to access apparently encrypted communications, researchers have warned.
Experts at Austria-based IT services provider Research Industrial Systems Engineering (RISE) presented their findings last month at the USENIX conference. Additional details on the attack method along with a video demonstrating its practicality have been published on Monday.
TLS is designed to protect sensitive communications against cyberattacks. However, numerous research papers have been published over the past period to demonstrate the existence of various vulnerabilities that expose encrypted communications, including Logjam and Bar Mitzvah.
The new method, dubbed “Key Compromise Impersonation (KCI) attack,” leverages a vulnerability in the protocol specification of TLS. The technique allows an MitM attacker to gain complete control over the client-side code running in the victim’s browser. Malicious actors can eavesdrop on communications, replace legitimate elements on a website with arbitrary content, and even perform actions on the victim’s behalf.
In the first phase of the attack, the attacker tricks the user into installing a TLS client certificate for which they possess the private key. Then, by interfering with the initialization of the TLS protocol between the client and the server, the attacker can trick the client into believing that it’s communicating with the legitimate server when in reality it’s talking to the attacker.
By initiating a normal, encrypted connection to the server, the attacker can control the data that goes from the client to the server and vice versa.
“For many web and mobile applications, a successful attack means that a user’s session or profile is completely compromised and under the control of the attacker from this point on: Electronic payments may be initiated and re-directed to the attacker’s account, private messages could be read and spoofed, etc. Possible damage is in most cases only limited by the attacker’s imagination and creativity,” researchers explained.
A proof-of-concept (PoC) video published by experts shows a KCI attack scenario in which the attacker targets hotel guests using a rogue Wi-Fi network. The attacker tricks the victim into installing the malicious certificate by informing them that the certificate is needed to access the hotel’s Internet connection.
Once the certificate has been accepted, the attacker interferes with the initialization of the connection to Facebook and forces the client to use an insecure handshake with client authentication. The attacker then replaces the pictures and other elements on the victim’s Facebook profile with arbitrary content.
According to researchers, the problem affects services that support a certain class of key agreement and authentication methods, namely non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication.
Experts said they reported their findings to Google, Microsoft and Apple before public disclosure so users running popular web browsers on recent operating system versions should be safe. Facebook has also taken steps to protect users against potential KCI attacks.
“The immediate impact is not as serious as, for example, the one from the recent Logjam attack, because support for the necessary options in TLS clients and servers (both is necessary) is currently not as widespread as a malicious attacker would hope for,” researchers explained. “However, without adequate measures, this situation could change anytime in the future: Recently, OpenSSL developers have just added support for the vulnerable fixed DH handshake to the newest branch (1.0.2) of the library, and they seemed to be on track for also adding support for the fixed ECDH handshake option.”
The complete paper, titled “Prying open Pandora’s box: KCI attacks against TLS,” is available online in PDF format.