Hacking

Hackers are poisoning the PGP SKS keyserver network poisoned

Threat actors targeted two high-profile PGP project contributors with the intent to poison certificates used by the SKS keyserver network.

Contributors to the PGP protocol GnuPG claim that threat actors are “poisoning” their certificates, this means that attackers spam their certificate with a large number of signatures. The intent is to make it impossible for the PGP software to verify its authenticity.

Two prominent contributors at the PGP project, the developers Robert “rjh” Hansen and Daniel Kahn “dkg” Gillmor, confirmed that they were targeted by hackers who spammed their public cryptographic identities. 

“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”).” Hansen wrote in a blog post. “This attack exploited a defect in the OpenPGP protocol itself in order to “poison” rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network.”

The attackers exploited a “defect” in the OpenPGP protocol to poison their certificates. Hansen explained that The standard keyserver software is called SKS, for “Synchronizing Key Server,” it was developed by a fellow named Yaron Minsky for his Ph.D thesis. It’s written in an unusual programming language called OCaml making it very difficult to maintain because it wasn’t designed for large-scale usage. Currently the software is unmaintained. 

“Due to the above, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”explained Hansen.

Experts believe that threat actors will continue in poisoning certificates, the attack is very easy to carry out this implies that other hackers will attempt to exploit them.

Every time a user attempts to import the poisoned certificates would crash his software. 

“We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” continues the post.

  • If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.
  • Poisoned certificates cannot be deleted from the keyserver network.
  • The number of deliberately poisoned certificates, currently at only a few, will only rise over time.
  • We do not know whether the attackers are intent on poisoning other certificates.
  • We do not even know the scope of the damage.

Unfortunately, the attack is hard to mitigate, in order to prevent the exposure to the attack is to stop retrieving certificates and data from the SKS (Synchronizing Key Server) keyserver network.

“The design goal of the keyserver network is “baked into” essentially every part of the infrastructure. This isn’t a case where there’s a bug that’s inhibiting the keyserver network from functioning correctly. “continues the developer. “Bugs are generally speaking fairly easy to fix once you know where the problem is. Changing design goals often requires an overhaul of such magnitude it may be better to just start over with a fresh sheet of paper. “

Gillmor explained that the problems are well known and were a long debated, there have been several proposals to mitigate the problems but none of them is easy to implement.

“The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers,” Gillmor concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SKS keyserver, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

E-skimming campaign uses Unicode obfuscation to hide the Mongolian Skimmer

Jscrambler researchers found a skimming campaign using unique JavaScript obfuscation with accented characters to hide…

5 mins ago

U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti CSA and Fortinet bugs to its…

4 hours ago

Mozilla issued an urgent Firefox update to fix an actively exploited flaw

Mozilla released an urgent Firefox update to fix a critical use-after-free vulnerability actively exploited in…

7 hours ago

Palo Alto fixed critical flaws in PAN-OS firewalls that allow for full compromise of the devices

Palo Alto fixed critical flaws in PAN-OS firewalls, warning that attackers could chain these vulnerabilities…

9 hours ago

Cybercriminals Are Targeting AI Conversational Platforms

Resecurity reports a rise in attacks on AI Conversational platforms, targeting chatbots that use NLP…

21 hours ago

Awaken Likho APT group targets Russian government with a new implant

A threat actor tracked as Awaken Likho is targeting Russian government agencies and industrial entities,…

1 day ago

This website uses cookies.