Hacking

Hackers are poisoning the PGP SKS keyserver network poisoned

Threat actors targeted two high-profile PGP project contributors with the intent to poison certificates used by the SKS keyserver network.

Contributors to the PGP protocol GnuPG claim that threat actors are “poisoning” their certificates, this means that attackers spam their certificate with a large number of signatures. The intent is to make it impossible for the PGP software to verify its authenticity.

Two prominent contributors at the PGP project, the developers Robert “rjh” Hansen and Daniel Kahn “dkg” Gillmor, confirmed that they were targeted by hackers who spammed their public cryptographic identities. 

“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”).” Hansen wrote in a blog post. “This attack exploited a defect in the OpenPGP protocol itself in order to “poison” rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network.”

The attackers exploited a “defect” in the OpenPGP protocol to poison their certificates. Hansen explained that The standard keyserver software is called SKS, for “Synchronizing Key Server,” it was developed by a fellow named Yaron Minsky for his Ph.D thesis. It’s written in an unusual programming language called OCaml making it very difficult to maintain because it wasn’t designed for large-scale usage. Currently the software is unmaintained. 

“Due to the above, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”explained Hansen.

Experts believe that threat actors will continue in poisoning certificates, the attack is very easy to carry out this implies that other hackers will attempt to exploit them.

Every time a user attempts to import the poisoned certificates would crash his software. 

“We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” continues the post.

  • If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.
  • Poisoned certificates cannot be deleted from the keyserver network.
  • The number of deliberately poisoned certificates, currently at only a few, will only rise over time.
  • We do not know whether the attackers are intent on poisoning other certificates.
  • We do not even know the scope of the damage.

Unfortunately, the attack is hard to mitigate, in order to prevent the exposure to the attack is to stop retrieving certificates and data from the SKS (Synchronizing Key Server) keyserver network.

“The design goal of the keyserver network is “baked into” essentially every part of the infrastructure. This isn’t a case where there’s a bug that’s inhibiting the keyserver network from functioning correctly. “continues the developer. “Bugs are generally speaking fairly easy to fix once you know where the problem is. Changing design goals often requires an overhaul of such magnitude it may be better to just start over with a fresh sheet of paper. “

Gillmor explained that the problems are well known and were a long debated, there have been several proposals to mitigate the problems but none of them is easy to implement.

“The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers,” Gillmor concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SKS keyserver, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

BadBox rapidly grows, 190,000 Android devices infected

Experts uncovered a botnet of 190,000 Android devices infected by BadBox bot, primarily Yandex smart…

9 hours ago

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…

20 hours ago

Sophos fixed critical vulnerabilities in its Firewall product

Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…

1 day ago

U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…

2 days ago

Raccoon Infostealer operator sentenced to 60 months in prison

Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…

2 days ago

Mirai botnet targets SSR devices, Juniper Networks warns<gwmw style="display:none;"></gwmw>

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…

3 days ago

This website uses cookies.