Three cryptographic researchers have discovered a new vulnerability that could be used to compromise websites’ encryption keys, a hack that could be used in theory to compromise users’ crypto exchange login credentials. This “DUHK” vulnerability comes after two other major crypto-related exploits were uncovered earlier in October.
DUHK Puts Crypto Exchange Login Creds At Risk
The exploit itself has been dubbed “DUHK,” which stands for “Don’t use hard-coded keys” — an apt reference to the particular hardware vulnerability that DUHK is used to reverse engineer.
The source of the vulnerability that’s made this hack possible is what’s known as ANSI X9.31 RNG, a pseudorandom number generator (PRNG) algorithm that’s been used in countless products over the past 30 years. As of late, it has been used to secure browsing sessions on the web and Virtual Private Networks (VPNs).
In January 2016, the Federal Information Processing Standard (FIPS)—America’s top computer security standard—deemed the ANSI X9.31 RNG to be inferior and removed it from their standard.
This placed countless products from companies like TechGuard and Cisco in jeopardy, as they and other companies in the industry routinely relied on ANSI X9.31 RNG.
The problem is that the key this PRNG relies on had been embedded directly in the source code of numerous vendors’ products, a practice known as “hard-coding,” hence the phrase, “Don’t use hard-coded keys.”
Cryptography experts Nadia Heninger, Shaanan Cohney, and Matthew Green realized in the course of their research that these hard-coded keys could be reverse engineered.
DUHK, then, is a man-in-the-middle, state recovery attack—all that means is that hackers can use DUHK to manipulate data outputs using a reverse engineered seed value to unlock encryption keys, keys that can then be used to gain login credentials and even bank account details.
Obviously, then, this exploit is not one against cryptocurrencies per se; it’s against cryptographic implementation itself, which—in theory and indirectly, but no less seriously—puts users’ crypto exchange login credentials at risk. That is, of course, if these users interact with their exchange through an ANSI X9.31 RNG-linked device.
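Why a hard-coded key defeats this generator, as an added illustration that is not from the article or the researchers' code: in ANSI X9.31 the next internal state depends only on the key, a timestamp and the block just output, so anyone holding the key can recompute the state from observed output without ever learning the seed. The block cipher here is a SHA-256 Feistel stand-in for the AES/3DES the standard uses, and the key, seed, timestamps and search window are constructed values.

```python
import hashlib

BLOCK = 16  # bytes per block, as with AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    # Stand-in block cipher: 4-round Feistel over SHA-256 (NOT AES/3DES).
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, xor(l, f)
    return l + r

def x931_step(key, state, timestamp):
    """One ANSI X9.31 step: returns (output block, next state)."""
    i = encrypt(key, timestamp.to_bytes(BLOCK, "big"))
    out = encrypt(key, xor(i, state))
    return out, encrypt(key, xor(out, i))

def recover_state(key, out, next_out, t_window, max_gap=4):
    """Given the key and two consecutive outputs, find the state after next_out.

    No seed is needed: the next state depends only on key, output and timestamp.
    """
    for t in t_window:
        i = encrypt(key, t.to_bytes(BLOCK, "big"))
        state = encrypt(key, xor(out, i))           # state after `out`
        for t2 in range(t + 1, t + 1 + max_gap):
            pred, state2 = x931_step(key, state, t2)
            if pred == next_out:                     # timestamp guess confirmed
                return state2
    return None

def demo():
    fixed_key = b"constructed-demo-key"             # constructed; models a key baked into firmware
    seed = hashlib.sha256(b"constructed secret seed").digest()[:BLOCK]
    t0 = 1_508_800_000_000                          # constructed timestamp
    out1, s1 = x931_step(fixed_key, seed, t0)
    out2, s2 = x931_step(fixed_key, s1, t0 + 2)
    window = range(t0 - 200, t0 + 200)              # observer's rough clock estimate
    with_key = recover_state(fixed_key, out1, out2, window)
    without_key = recover_state(b"some other key", out1, out2, window)
    return with_key == s2, without_key is None

if __name__ == "__main__":
    print(demo())
```

The same search returns nothing under a different key, which is why the key has to be unique and secret per device rather than shipped in the firmware image.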
The trio of researchers created a tentative list of products they believe to be susceptible to the exploit, seen below:
The researchers recreated the attack themselves, describing it like so:
“In order to demonstrate the practicality of this attack, we [developed] a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4.”
“Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS.”
DUHK Comes At The End Of A Bad Security Month
Users have plenty of reasons to worry about their online security this October, as DUHK is just the third major exploit uncovered in the last four weeks.
In the middle of the month, imec-DistriNet researcher Mathy Vanhoef discovered the KRACK attack—a way to manipulate WPA2 protocols to intercept encrypted traffic.
And then there was the ROCA factorization attack, a truly insidious exploit that puts data on billions of devices in danger.
All three of these attacks put crypto users’ login credentials—and much more—at risk.