Published on July 4th, 2019

This PGP bug could allow hackers to control your email servers



System audit experts report that two major PGP project contributors have been victims of multiple attacks by unidentified hackers who managed to infect the certificates used by the SKS key server network.

PGP is a variant of encryption software used to secure email communication between intelligence agencies. Robert Hansen and Daniel Kahn, two of OpenPGP’s lead developers, fell victim to a recent cyberattack that sent spam to their public cryptographic identities.

The developers claim that a threat actor
infected their certificates. This means that the legitimate PGP cryptographic
identity cannot be authenticated correctly. “The hacker
exploited a flaw in the OpenPGP protocol to poison our certificates. Anyone
trying to import the affected certificates could compromise their IT
infrastructure and that of their customers,” the system audits experts
said.

“The poisoned certificates are already on the SKS key server network,” the developers mention. In addition, specialists believe that the low complexity of the attack could facilitate its mass exploitation.

Experts in system audits consider it unlikely that this risk can be mitigated in the short term. The only way to mitigate the risk for now is to stop retrieving certificates and other network data from the SKS key server.
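One way to check whether a GnuPG installation still retrieves keys from SKS is to audit its option files. The script below is an added example, not code from the article or from the OpenPGP developers; it assumes GnuPG-style `gpg.conf` and `dirmngr.conf` files and the `sks-keyservers.net` pool domain, and the sample files (including `keys.example.org`) are constructed.

```python
import re
from urllib.parse import urlsplit

SKS_DOMAIN = "sks-keyservers.net"  # assumption: domain of the SKS pool hostnames


def _host(value):
    """Return the lowercase host from 'hkps://host:port' or a bare 'host'."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower()


def audit(conf_text, source="<config>"):
    """Return (source, line_number, reason) for SKS or automatic-fetch settings."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        opt = fields[0].lstrip("-").lower()  # accept 'keyserver' and '--keyserver'
        arg = fields[1].strip() if len(fields) > 1 else ""
        tokens = [t.lower() for t in re.split(r"[,\s]+", arg) if t]
        if opt == "keyserver":
            host = _host(arg)
            if host == SKS_DOMAIN or host.endswith("." + SKS_DOMAIN):
                findings.append((source, no, "keyserver is an SKS host: " + host))
        elif opt == "auto-key-retrieve" or (
            opt == "keyserver-options" and "auto-key-retrieve" in tokens
        ):
            findings.append((source, no, "automatic key retrieval is enabled"))
        elif opt == "auto-key-locate" and "keyserver" in tokens:
            findings.append((source, no, "auto-key-locate consults a key server"))
    return findings


# Constructed sample files, not taken from any real system.
SAMPLE_GPG_CONF = """\
# gpg.conf
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options auto-key-retrieve,no-honor-keyserver-url
auto-key-locate local,wkd
"""
SAMPLE_DIRMNGR_CONF = """\
# dirmngr.conf
keyserver hkps://keys.example.org
"""

if __name__ == "__main__":
    for name, text in (("gpg.conf", SAMPLE_GPG_CONF), ("dirmngr.conf", SAMPLE_DIRMNGR_CONF)):
        for finding in audit(text, name):
            print("%s:%d: %s" % finding)
```
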





The key server is a central component of PGP and of user authentication in this protocol. Its design has worked correctly since its inception in the 1990s, although design flaws and potential attack vectors have been known for years.

“We knew about the possibility of this attack for at least ten years, today it has come to fruition and the outlook looks unoptimistic,” the developers say. Due to the read-only design of the key server, certificate spam is only one of multiple possible attack vectors against this project.

According to the experts of the International Institute of Cyber Security (IICS), there are severe technical problems that make it impossible to protect the key server against this attack; in other words, the code is so complex that these vulnerabilities cannot be fixed with update patches, and a full system correction is required.
