topic HSM Testing and Defect Discovery in Tech Talk

HSM Testing and Defect Discovery

AppDefects — Mon, 09 Oct 2023 09:13:52 GMT

At this years Black Hat USA we'll see a presentation from a couple of researchers that discovered remote unauthenticated attacks giving full control of a Hardware Security Module (HSM) and complete access to keys and secrets stored on it. That's pretty serious stuff! Cryptosense validated the vulnerability here.

Researchers used the SDK provided with the HSM to upload a custom firmware module to the unit. This gave them access to a shell inside the HSM that they could use to run a debugger and analyze the inner workings of the unit. From there, they ran a fuzzer to send random queries to the HSMs PKCS #11 API looking for parameters that would throw the HSM into an unstable state. The tests uncovered several buffer overflow error bugs that they could trigger by sending the HSM certain commands.

Re: HSM (insecurity)

MikeGlassman — Tue, 11 Jun 2019 13:23:21 GMT

This is all good and well, but the topic should be changed to:

"HSM (insecurity) flaw in unnamed HSM hardware"

People might speed read and think every HSM has or might have the same flaw.

Re: HSM (insecurity)

RobertM — Tue, 11 Jun 2019 16:10:19 GMT

It's probably the Gemalto Ledger Vault HSM. Not the Safenet Line of products:

https://safenet.gemalto.com/technical-support/security-updates/

Re: HSM (insecurity)

AppDefects — Wed, 12 Jun 2019 15:02:21 GMT

You nailed it @RobertM with that link. The specific issue is with Gemalto ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00.

Re: HSM (insecurity)

AppDefects — Wed, 12 Jun 2019 15:04:23 GMT

@MikeGlassman wrote:

People might speed read and think every HSM has or might have the same flaw.

You're right the sky is not falling and the design "flaw" is not systemic. We can still have faith in HSMs.