TLS Exploit 'ROBOT' Based on 19 Year Old Vulnerability Affects More Than Just Websites

Background

Back in 1998, Daniel Bleichenbacher identified a vulnerability in Secure Sockets Layer (SSL) 3.0. He discovered that PKCS #1 v1.5 padding errors may leak information to an attacker. Attackers would be able to distinguish between valid and invalid messages because servers returned distinct errors depending on the type of failure. Through many session-establishment attempts, an attacker would be able to determine the pre-master secret key used by TLS. While this does take many session-establishment attempts, it is significantly more efficient than a brute-force attack. The fundamental risk is that attackers would record TLS session data and then use this attack to recover the session key used.

That original vulnerability has reared its head again, 19 years later, code-named Return of Bleichenbacher’s Oracle Threat, or ROBOT. Researchers have found that the countermeasures implemented in many systems are not sufficient, leaving those systems vulnerable to Bleichenbacher-style attacks.

Mobile Applications Affected?

The ROBOT attack has received a lot of attention in recent days because of the prevalence of SSL/TLS for encrypting web browsing traffic. Researchers observed this vulnerability in 27 of the top 100 domains ranked by Alexa. While web traffic is getting most of the attention, it is important to note that this vulnerability is not limited to websites. Any system using SSL that has not implemented the correct countermeasures is vulnerable. This includes many back-end web service applications and servers that your mobile applications may communicate with. Because mobile devices are frequently on third-party Wi-Fi networks, there is an added risk that encrypted communications will be recorded and attacked.

What Should I Do?

From an application development perspective, a recommended best practice is to avoid RSA-based key exchange ciphers. Modern ciphers using Elliptic-Curve Diffie-Hellman key exchange are not vulnerable and are considered a safer option. While many systems support modern ciphers, there is a secondary risk to be aware of: downgrade attacks. On systems vulnerable to downgrade attacks, an attacker using man-in-the-middle techniques can downgrade the session from more secure ciphers to older ciphers that are still available for backwards compatibility.
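As an added illustration (not code from the original post), the Python sketch below audits which enabled cipher suites use RSA key exchange and builds a client context limited to ECDHE suites. The function names, the cipher strings and the sample description lines are assumptions made for this example.

```python
import re
import ssl

# OpenSSL describes each suite as "<name> <proto> Kx=<key exchange> Au=<auth> ...".
# Kx=RSA (or RSAPSK) means the client encrypts the pre-master secret to the
# server's RSA key with PKCS #1 v1.5, the step a Bleichenbacher oracle targets.
_KX = re.compile(r"\bKx=(\S+)")
RSA_KEY_TRANSPORT = {"RSA", "RSAPSK"}

# Constructed sample descriptions. Note that "RSA" in a suite name can refer to
# authentication (Au=RSA) rather than key exchange, so match on Kx=, not the name.
CONSTRUCTED_SAMPLES = [
    "AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
]


def key_exchange(description):
    """Return the Kx= field of an OpenSSL cipher description, or None."""
    match = _KX.search(description)
    return match.group(1) if match else None


def rsa_kx_suites(ctx):
    """Names of the suites enabled on ctx that use RSA key transport."""
    return [c["name"] for c in ctx.get_ciphers()
            if key_exchange(c["description"]) in RSA_KEY_TRANSPORT]


def hardened_client_context():
    """Client context limited to ECDHE suites on TLS 1.2 or later."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL")
    return ctx


if __name__ == "__main__":
    for line in CONSTRUCTED_SAMPLES:
        print(line.split()[0], "->", key_exchange(line))
    # Backward-compatible setting: whatever the local OpenSSL build still allows.
    legacy = ssl.create_default_context()
    legacy.set_ciphers("ALL:!aNULL")
    print("legacy RSA key exchange suites:", rsa_kx_suites(legacy))
    print("hardened RSA key exchange suites:", rsa_kx_suites(hardened_client_context()))
```

Because the hardened context never offers an RSA key exchange suite, a man-in-the-middle has no such suite to downgrade the session to.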

While this may not be fully in your control, be sure that the systems your application communicates with are patched and not vulnerable to these attacks. Many vendors have been aggressively patching their sites. Before deploying an application, use a security tool such as Mi3 RECON that can identify which endpoints the application connects to and whether each endpoint is vulnerable.
