How did this happen?

Ironically, this was all thanks to the fact that Philip’s bank had installed a middle box in front of their web site to protect it from hackers. Rather than relying on one of the tried and tested TLS libraries, the security vendor created their own implementation or modified an existing one. Perhaps they thought this could shave a few bytes of required memory or handle a few more connections per second, but what they had not counted on is that it is notoriously difficult to build a proper and complete TLS stack. In some cases, even a slight deviation from the intended implementation can completely undermine the cryptography. In this case, the problems stemmed from a particularly confusing point of the TLS specification, section 7.4.7.1, regarding countermeasures to the attack on RSA described by Daniel Bleichenbacher. All the way back in 1998, Bleichenbacher had demonstrated that SSLv3 servers, by revealing specific decryption errors, were leaking information an attacker could exploit. An attacker in possession of some secret encrypted information (like SSL key material) could ask the server whether it can decrypt a series of carefully chosen encrypted messages. Each time the decryption succeeds, the attacker is able to narrow down the range of possibilities for the unknown encrypted value. In cryptography, this is known as a side-channel attack; more specifically, it is an adaptive chosen-ciphertext attack leveraging a padding oracle. This is a problem that could have been nipped in the bud if only the TLS designers had, as Bleichenbacher recommended, discontinued use of a broken cryptography standard (PKCS#1 v1.5).
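The two server-side behaviours described above, side by side, as an added example that is not code from the original post or from any affected product: a naive PKCS#1 v1.5 unpadding routine whose distinct errors act as the oracle, the countermeasure from TLS 1.2 section 7.4.7.1 (substitute a random premaster secret and continue), and the kind of check a scanner performs to tell them apart. The padded blocks are constructed directly (no RSA step), the modulus size and the 48-byte premaster secret length are assumptions chosen for illustration, and the hardened routine shows uniform behaviour only, not constant-time code.

```python
import secrets

K = 128                      # constructed: block size of a 1024-bit RSA key
PMS_LEN = 48                 # TLS premaster secret length
CLIENT_VERSION = b"\x03\x03" # TLS 1.2, as the client announced it

def unpad_naive(block: bytes) -> bytes:
    """Vulnerable: every failed check raises a different error, so the reply
    tells the sender which PKCS#1 v1.5 rule its chosen ciphertext broke."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding header")
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # at least 8 non-zero padding bytes
        raise ValueError("padding too short or no separator")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad premaster secret length")
    if pms[:2] != CLIENT_VERSION:
        raise ValueError("version mismatch")
    return pms

def unpad_rfc5246(block: bytes) -> bytes:
    """Countermeasure (section 7.4.7.1): draw a random premaster secret first,
    evaluate every check without bailing out early, and silently use the random
    value on any failure, so the handshake later fails with one generic alert."""
    fallback = secrets.token_bytes(PMS_LEN)
    sep = block.find(b"\x00", 2)
    pms = block[sep + 1:] if sep >= 0 else b""
    ok = len(block) == K and block[:2] == b"\x00\x02" and sep >= 10
    ok = ok and len(pms) == PMS_LEN and pms[:2] == CLIENT_VERSION
    return pms if ok else fallback

def observe(unpad, block: bytes) -> str:
    """What a peer can see: a specific error, or a handshake that continues."""
    try:
        unpad(block)
        return "handshake continues"
    except ValueError as e:
        return f"error: {e}"

GOOD_PMS = CLIENT_VERSION + b"\x11" * (PMS_LEN - 2)
FILLER = b"\x01" * (K - 3 - PMS_LEN)          # non-zero padding bytes

def valid_block() -> bytes:
    return b"\x00\x02" + FILLER + b"\x00" + GOOD_PMS

def leaks_oracle(unpad) -> bool:
    """Scanner-style check: constructed blocks that each break a different
    rule; a correct implementation answers all of them identically."""
    probes = [
        b"\x00\x01" + FILLER + b"\x00" + GOOD_PMS,                 # wrong block type
        b"\x00\x02" + b"\x01" * (K - 2),                           # no separator
        b"\x00\x02" + b"\x01" * 5 + b"\x00" + b"\x01" * (K - 8),   # short padding
        b"\x00\x02" + FILLER + b"\x00" + b"\x02\x02" + GOOD_PMS[2:],  # version mismatch
    ]
    return len({observe(unpad, p) for p in probes}) > 1
```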
What is ROBOT?

ROBOT is the Return of Bleichenbacher’s Oracle Threat, and it refers to a growing list of Bleichenbacher oracles that Hanno Böck, Juraj Somorovsky, and I were able to identify on the Internet with only minor variations to what Bleichenbacher described in 1998.
One of the most interesting features of this vulnerability is that it disproportionately affects bigger sites with larger security budgets. We found that just 2.8 percent of the top 1 million most popular sites on the Internet were affected by ROBOT, but when looking at the top 100, this number shoots up to a 27 percent affected rate. After our disclosure, other numbers came out, including Dirk Wetter’s scan implicating almost 15 percent of the top 10,000 sites. While at first this relationship may seem counterintuitive, it is in fact perfectly logical in light of the affected product list. Out of the 27,965 affected hosts we found on the top 1 million sites, almost 97 percent exhibited behavior we associated with products from F5 and Citrix. These products do not come cheap, so naturally, they are more commonly found on popular web sites with more money to spend on security. As if to add insult to injury, these larger sites are also more vulnerable due to their scale. Sites with global reach like Facebook must design their systems to quickly handle high volumes of user requests. This is also, incidentally, exactly what would help an attacker exploit ROBOT.

Tripwire IP360 released initial detection for ROBOT in ASPL-753 following F5’s security advisory in November, followed by general ROBOT oracle detection in coordination with the public ROBOT attack disclosure. You can read more about ROBOT on the official https://robotattack.org disclosure page as well as in our paper, which is available from the International Association for Cryptologic Research’s Cryptology ePrint Archive.

The bottom line of all this research, however, is that secure servers in 2018 and beyond should not be using a technology that was already known to be insecure in 1998. Whether or not your systems were impacted by ROBOT, now is the time to close the chapter on static RSA key exchanges in favor of modern ciphers offering perfect forward secrecy.