ROBOT Exploit is back – Flawed RSA Implementation Still an Issue
Straight outta 1998 comes a new security issue. Dubbed ROBOT, this crypto vulnerability exploits RSA encryption keys. The exploit allow attackers to decrypt encrypted text without the private keys. Daniel Bleichenbacher discovered this vulnerability 19 years ago. However big sites like PayPal and Facebook are still vulnerable as of this writing.
The ROBOT Exploit 2017
Security researchers Hanno Böck says: For hosts that are vulnerable and only support RSA encryption key exchanges it’s pretty bad. It means an attacker can passively record traffic and later decrypt it. Facebook and PayPal are hardly the only sites that are at risk from the ROBOT Exploit. Twenty-seven of the top 100 sites on the web seem to share this vulnerability.
While this exploit is not exactly like the one identified 19 years ago, the issue is the same and the attacks would only have to be slightly modified. Basically the attacker would use the bug to record traffic streams for later decryption. A man in the middle attack is possible as well but would be much more difficult to pull off.
A PDF describing the exploit in detail has been published via the Cryptology ePrint Archive. RSA encryption is risky at best – Diffie Hellman key exchange is far superior. GitHub is hosting a Python that can help you test your servers.
If you are not a techie and want to know how this effects you, most likely it wont. Unlike Heartbleed this vulnerability takes allot of work to exploit. If you are the paranoid type, don’t send your credit card number to a site unless/until you are positive they are not affected.
*** Editors Note: Facebook has now been patched.