HSMs (Hardware Security Modules) bring cryptographic mechanisms to environments where the highest level of security is required. As an example, HSMs are widely used by cryptocurrency exchanges to secure crypto assets, by banks to protect cryptographic keys and customer PINs, and by telecommunications operators to manage SIM secrets. Basically, HSMs generate, store and protect cryptographic keys and rely on software and hardware mechanisms to prevent secrets from being stolen.
This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.
Every vulnerability found has been responsibly disclosed to the manufacturer, who published firmware updates with security fixes. Finally, we show how it's possible to drastically reduce the attack surface by developing a custom module which prevents almost all of the vulnerabilities found from being exploited.
Gabriel Campana is a senior security researcher with over 10 years of experience in the IT security field. His interests are mainly focused on vulnerability research, exploitation methods and Linux kernel security. Lately he has been working on building hypervisors and breaking hardware wallets.
Jean-Baptiste Bédrune has 12 years of experience in the security industry and his main interests are reverse engineering and applied cryptography. He previously led the research in mobile, cryptography and software protection at Quarkslab, and is now a software security researcher at Ledger, mainly assessing the security of embedded systems.