Digital Certificate Theft Exposes Holes In Modern Encryption

Recently, cybersecurity researchers reported on the discovery of a new hacking campaign misusing stolen digital certificates to mask malware.

According to researchers at ESET, the certificates were stolen from several Taiwanese tech companies, including the network equipment manufacturer D-Link, and were used to sign the malware so that it looked like legitimate software. The malware used in these campaigns was identified as a remotely controlled backdoor designed to steal confidential documents, dubbed “Plead”, and a related password stealer designed to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

The actual malware attacks aside, the technique used to execute the campaign is intriguing.

The tactic of using legitimate digital certificates to hide malicious cyber activity is one that has been growing in popularity over the past several years. The fact that this method is available highlights one of the biggest flaws in the encryption system that currently keeps most of the world's digital communications safe.

In our modern world, the stability of the digital sphere rests on something called Public Key Infrastructure (PKI). Public-key cryptography introduced “asymmetric” encryption to the world of information technology: anyone holding a user's public key can encrypt a message to that user, but only the holder of the matching private key can unlock it.

When one digital user reaches out to another, for example when logging into an email account, a negotiation called a “digital handshake” occurs that sets up a mutual agreement between them on how the rest of the communication will be encoded and encrypted. This ensures that no third party can understand any piece of the data if it is intercepted.

So PKI is a great idea for encrypting messages between parties. There is just one problem with all of this: how does a user know for sure whose “hand” they are “shaking” at the start of their communication?

The industry solved this authentication problem with digital certificates, electronic documents whose contents can prove that the senders are actually who they claim to be. Presenting certificates at the start of a session lets the parties know who it is they are about to communicate with.

Digital certificates themselves are vouched for by Certificate Authorities (CAs), trusted third parties that “sign” digital certificates and give them their legitimacy.

It soon became clear, however, that CAs presented a weak link in the chain of security, not because CAs themselves could not be trusted, but because they became prime targets for hackers. The recent ESET report is just the latest in a series of such attacks going back years.

One of the more famous instances was in 2010, during the Stuxnet attack against the command and control systems of Iranian nuclear centrifuges. Widely accepted to have been a joint operation between Israeli, U.S., and British intelligence agencies, the virus was able to bypass Iranian security protocols by presenting stolen legitimate certificates to the Iranian systems.

Since the current system is built on trusting digital certificates, illicitly obtaining a legitimate certificate almost guarantees a hacker smooth access to a victim’s computer.
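The following Python example is added here to make two points from the article concrete; it is not code from the original piece or from ESET. First, it shows the asymmetric property described in the PKI paragraph: anyone can encrypt with a public key, but only the matching private key decrypts. Second, it models the problem in the last three paragraphs: a CA issues a certificate to a hypothetical vendor, and any binary signed with that vendor's private key verifies cryptographically, regardless of who is holding the key. The only thing that rejects such a signature is a trust-policy layer on top, modelled here as a revocation list. The RSA is textbook RSA over small hard-coded primes purely as a teaching model, the certificate format, CA, vendor name and serial numbers are invented, and the "binaries" are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # conventional RSA public exponent


def make_keypair(p: int, q: int):
    """Toy textbook-RSA key pair from two primes (teaching model, not real key generation)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent (needs Python >= 3.8)
    return (n, E), (n, d)        # (public key, private key)


def encrypt(pub, m: int) -> int:
    """Anyone holding the public key can encrypt..."""
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """...but only the matching private key recovers the plaintext."""
    n, d = priv
    return pow(c, d, n)


def digest(data: bytes, n: int) -> int:
    # Hash the data, then reduce below the modulus so the toy RSA can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


@dataclass(frozen=True)
class Certificate:
    """Minimal invented certificate: serial, subject, subject public key, CA signature."""
    serial: int
    subject: str
    pub: tuple
    ca_sig: int = 0

    def tbs(self) -> bytes:
        # "to-be-signed" bytes: everything the issuing CA vouches for
        return f"{self.serial}|{self.subject}|{self.pub[0]}|{self.pub[1]}".encode()


def issue_cert(issuer_priv, serial: int, subject: str, pub) -> Certificate:
    unsigned = Certificate(serial, subject, pub)
    return Certificate(serial, subject, pub, sign(issuer_priv, unsigned.tbs()))


def cert_is_trusted(cert: Certificate, ca_pub, revoked: set) -> bool:
    # (1) the certificate carries a valid signature from the trusted CA, and
    # (2) its serial is not on the CA's revocation list (the policy layer).
    return verify(ca_pub, cert.tbs(), cert.ca_sig) and cert.serial not in revoked


def verify_signed_binary(binary: bytes, sig: int, cert: Certificate, ca_pub, revoked: set) -> bool:
    """What a loader checks: trusted certificate AND a signature over these exact bytes."""
    return cert_is_trusted(cert, ca_pub, revoked) and verify(cert.pub, binary, sig)


def scenario() -> dict:
    # Hypothetical CA and vendor; the primes are small so the numbers stay readable.
    ca_pub, ca_priv = make_keypair(104729, 1299709)
    vendor_pub, vendor_priv = make_keypair(1000003, 999983)
    vendor_cert = issue_cert(ca_priv, 1001, "CN=Example Vendor Ltd", vendor_pub)

    # Constructed sample inputs standing in for real executables.
    installer = b"constructed sample: genuine vendor installer"
    other_binary = b"constructed sample: binary signed after the key left the vendor"
    installer_sig = sign(vendor_priv, installer)
    other_sig = sign(vendor_priv, other_binary)   # same legitimate key, different holder

    # A certificate that was NOT issued by the trusted CA (self-issued with another key).
    rogue_pub, rogue_priv = make_keypair(999979, 999961)
    rogue_cert = issue_cert(rogue_priv, 1, "CN=Example Vendor Ltd", rogue_pub)
    rogue_sig = sign(rogue_priv, other_binary)

    m = 424242  # small integer plaintext for the encryption demonstration
    return {
        "asym_roundtrip": decrypt(vendor_priv, encrypt(vendor_pub, m)) == m,
        "asym_wrong_key": decrypt(rogue_priv, encrypt(vendor_pub, m)) == m,
        "genuine_installer": verify_signed_binary(installer, installer_sig, vendor_cert, ca_pub, set()),
        "tampered_installer": verify_signed_binary(installer + b"!", installer_sig, vendor_cert, ca_pub, set()),
        "rogue_cert": verify_signed_binary(other_binary, rogue_sig, rogue_cert, ca_pub, set()),
        "stolen_key_no_revocation": verify_signed_binary(other_binary, other_sig, vendor_cert, ca_pub, set()),
        "stolen_key_revoked": verify_signed_binary(other_binary, other_sig, vendor_cert, ca_pub, {1001}),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:26s} accepted={accepted}")
```

The line to look at is `stolen_key_no_revocation`: the certificate chains to the CA, the signature matches the bytes, and the check passes, because the mathematics only proves that the signer held the key, not that the key was in the right hands. Forged certificates (`rogue_cert`) and modified binaries (`tampered_installer`) are rejected by the cryptography alone; a legitimately issued certificate whose private key has leaked is rejected only once the issuer revokes it and the verifier actually consults that revocation data. Real X.509 and code-signing verification adds chain building, validity periods, CRL/OCSP lookups and signing-time timestamps on top of this toy model.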

This glaring problem in encryption is what has kicked off new efforts within the industry to replace the current CA system altogether.

Unfortunately, it may take a few high profile hacks that capitalize on the certificate vulnerability to trigger a paradigm shift in the tech world.