Cybersecurity is one of the most dynamic and complex industries in the world today. A business that provides cybersecurity software or products is not just competing against other companies; it is competing against countless people’s ingenuity. To protect networks, servers, users, and more, a security system must defend against countless attempts to break in using both old and new tactics. If even a minute vulnerability is discovered, the entire system can be at risk. The situation detailed below occurred recently when two security researchers discovered a vulnerability in an unnamed company’s HSM products. The researchers were able to remotely retrieve protected data from a database secured by an HSM. They notified the company and a patch was quickly released, but the ramifications are far reaching. Even if a product is advertised as absolutely secure, it is vital to take the necessary precautions to reduce the risk that your network could be compromised.
The backstory behind this vulnerability begins with a pair of French security researchers who discovered a significant vulnerability in one company’s HSMs. An HSM (Hardware Security Module) is a tamper-resistant hardware device used to generate, store, and use sensitive material such as digital certificates, cryptographic keys, credentials, PINs, and much more. HSMs are commonly found in data centers, government agencies, financial institutions, and other organizations that hold important data requiring added security measures. The researchers discovered they could remotely access the particular brand’s HSM and transfer data from it without anyone noticing. They reported their findings to the company, which published updates with security fixes. It is important to note that the pair did not use any new techniques to access the HSM. It is unclear how long this vulnerability existed, or whether it was exploited by others before the researchers found it. The potential ramifications could have been devastating, so what exactly did the pair discover?
They began with their own test HSM and used legitimate SDK (software development kit) access to upload a firmware module that gave them a shell inside the HSM. From that shell they ran a fuzzer, a tool used to discover coding errors and security loopholes. They discovered buffer overflows that could be triggered from outside the HSM and therefore exploited remotely. Via another issue in the HSM, they wrote and delivered a payload that allowed them to override access control and upload firmware. A module was then written and uploaded to the HSM that dumped all the desired data through those externally reachable buffer overflows. The team was able to access much of the HSM’s protected data using methods that they describe as “not particularly novel.” These were all methods used in other types of online attacks, but not previously in this combination against an HSM. If a person, team, or state had sufficient resources and was looking to infiltrate an HSM-protected institution, it is entirely possible that they would have been able to discover this attack.
The unnamed company cooperated with the researchers and deployed a patch for the vulnerability, but it is unclear whether any damage was already done. If someone had found the vulnerability before the researchers, were any organizations compromised without knowing it? Without properly operating security software and equipment, it can be difficult to determine whether data has been stolen.
Although the patch was implemented, this incident highlights the unpredictable nature of the cybersecurity industry. Organizations may promote their products as secure, but as stated before, they are competing against motivated and ingenious individuals who explore countless possible avenues to obtain protected data. So how can an organization protect itself if it cannot rely entirely on its security technology? As with any industry, some vendors are superior to others, and it is up to IT to determine the best solution for their situation. This involves thoroughly researching and vetting potential vendors. Research heavily and be prepared to question the validity of a vendor product’s claims. If your organization does not have the time and resources to research and scrutinize vendors, consider commissioning vulnerability checks. This involves testing all facets of a vendor’s product to discover whether any vulnerabilities exist. There are outside firms that specialize in this form of testing, such as Digital Silence. They will set up shop on the organization’s campus, perform tests to see whether they are able to break into your network, and deliver a detailed report on the strength of your network’s security.
The underground markets for stolen data continue to grow and have made cybersecurity an immensely complex landscape to comprehend and manage. Hackers and data thieves work tirelessly to discover new vulnerabilities or security flaws with which to exploit hard-working individuals and organizations. The risk of attack is near constant, meaning the decisions you make to boost your network’s security are vitally important. Ensuring that you are using the best products available, tested to their limits to expose flaws, is key. A small vulnerability can have wide-ranging consequences.