HSM Vulnerabilities: Allowing Remote Access to Confidential Data

The Raising Question of Data Security

Data is “the new oil”.  As enterprises collect and collate massive amounts of data about their customer bases, they’re able to analyze this data to extract valuable intel about their clients.  While this data is valuable to the organizations, others want it as well.  As a result, organizations form partnerships to buy and sell data, and hackers do their best to break in and steal it.

The value of the data that organizations collect, store, transmit, and process makes data security a priority for any organization.  Beyond the personal costs of a data breach (the loss of the competitive advantage that the data provides), new regulations like GDPR and CCPA impose stringent standards for how organizations should collect, process, and protect their collected data and strict penalties for non-compliance.

Hardware Security Modules (HSMs) are a valuable tool for any organization wanting to properly protect certain sensitive information.  HSMs can hold encryption keys used to protect classified data and even perform sensitive data calculations.  Using one can be an important first step in an organization’s journey toward data security and regulatory compliance.  However, relying on an HSM to protect certain data means that the security of that data is only as good as the security of the HSM itself.  If the HSM is vulnerable, so is your organization’s sensitive data.

What is an HSM?

Hardware Security Modules are designed to provide built-in physical security protections for technology that needs to perform trusted operations in an untrusted environment.  An example of this is an Automated Teller Machine (ATM), which is designed to provide bank customers access to their money at a location other than the bank’s premises.  These machines are commonly installed on street corners, in gas stations, and other locations.

Despite being located in untrustworthy places, ATMs are trusted to perform extremely sensitive computations.  From an ATM, you can check a bank balance and deposit or withdraw money from an account. Even without access to a given account, someone with physical access to the HSM may be able to trick it into dispensing the money that it contains.

This is where a Hardware Security Module becomes invaluable.  The HSM holds all of the cryptographic secret keys and performs all of the sensitive operations that determine whether or not money should be dispensed from the machine.  Traditional computing systems can be defeated with physical access (due to side-channel and injection vulnerabilities), but HSMs are specifically designed to be immune to physical attack, enabling machines like ATMs to operate in insecure locations.

Why Is HSM Security Important?

HSMs are billed as a self-contained solution for protecting cryptographic secret keys, so people use them as such.  With defenses against both physical and technological attacks, HSMs are an ideal storage medium for highly sensitive data.

This makes the security of these devices an extremely high priority.  Businesses using them properly may shrug off a breach of other systems since an attacker may only get away with an encrypted copy of sensitive data.  However, if they manage to breach the defenses of an HSM, they may be able to steal the cryptographic keys used to protect this data.  Under many privacy regulations, the difference between a breach of encrypted data and a breach of unencrypted data (or encrypted data with the associated decryption key) is the difference between a non-event with no reporting requirements and a significant breach that may carry fines in the millions (under GDPR and similar legislation).

Impacts of HSM Vulnerabilities

If an exploitable vulnerability is discovered in a Hardware Security Module, the potential impacts are significant, as demonstrated by the uproar and level of interest in the recently disclosed vulnerabilities in HSMs created by a leading manufacturer.

A pair of security researchers from the cryptocurrency hardware wallet creator LedgerOps have announced the discovery of vulnerabilities in a leading HSM.  The presented attack allowed the researchers to gain complete remote control of the HSM without the need for valid credentials.  The compromise included the ability to extract all secrets from the HSM (cryptographic keys, administrator credentials, etc.) as well as upload a modified firmware to the device, ensuring that any backdoors inserted by the attacker cannot be removed by a software update and making it do whatever the attackers want.

The potential impacts of these vulnerabilities are significant.  HSMs are commonly used by banks, cloud service providers, governments, and any other organization that has the need to provide absolute protection for cryptographic keys.  The vulnerabilities discovered in this HSM would be capable of causing significant harm to data, financial, and national security.

Why an HSM is Not Enough

Hardware Security Modules are an effective method of protecting cryptographic keys.  However, even secure HSMs may not be enough to secure a computing system.  HSMs are very effective at protecting the data contained within them; however, they can do nothing for the data stored outside or data in transit to and from the HSM.

HSMs make a great cornerstone of a data security solution; however, a comprehensive security solution requires discovering and tracking data throughout its lifecycle.  Advances in machine learning and data mining enable people to derive sensitive information through correlating large amounts of unclassified data.  If an organization doesn’t properly track and control access to its data not stored in HSMs (with a modern data security solution), it is still entirely possible for a damaging data breach to occur.

LEAVE A REPLY

Please enter your comment!
Please enter your name here