RSA Security breach explained: why US defense programs could be compromised

Jun 01 2011

As almost everybody knows by now, on Mar. 17, 2011, RSA (the Security Division of EMC Corporation and one of the most important IT security vendors in the world) publicly announced that some information that could be used to reduce the effectiveness of one of their two-factor authentication implementations had been compromised. In other words: their database mapping SecurID token serial numbers to the token “seeds” was stolen.

What are we talking about?

To make it simple, SecurID devices are small tamper-resistant tokens (resembling calculators) which generate a numeric code at fixed intervals (usually 30 or 60 seconds, after which the displayed code is replaced by the next one). Although they are usually pieces of hardware, they also exist as a software application that can be installed on a PC or smartphone to perform the same function. The seemingly random sequences of digits generated by SecurID tokens are authentication codes, technically called OTPs (One-Time Passwords). The term one-time means that they can be used for a single authentication process, and they expire even if they are never used. Such tokens provide an OTP that can be used for both network and application/web authentication. Many people use them to access their home banking, while companies use them to authenticate employees that need to (remotely or locally) access the internal network and resources.

Image: Wikipedia

These tokens generate the 6- or 8-digit OTP using an AES (Advanced Encryption Standard) based algorithm to hash the token serial number, the internal seed and the current time. (By the way, the server performs the same computation as the token device and generates an OTP that is compared to the one provided by the user.)

Paolo Passeri studied the subject and, in an interesting blog post dated Apr. 10, provided some more information about the inputs used to generate the OTP:

  • a 128-bit token-specific true-random seed,
  • a 64-bit standard ISO representation of Current Time (yr/mo/day/hour/min/second),
  • a 32-bit token-specific salt (the serial number of the token), and
  • another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

Since the AES-hash operation is performed on 128-bit blocks, the latter two inputs are not a specific security feature: they are needed to pad the standard Current Time representation so that the input fulfils the “rule” of 128-bit multiples.

As you can understand, both the seed and the serial number are unique for each token and, in theory, physical possession of the device ensures the security of the authentication mechanism. The only circumstance under which an attacker could clone the token (and generate authentication codes on behalf of the legitimate user) is if seeds and token serial numbers had been stolen. That’s exactly what happened: an Advanced Persistent Threat (APT) was able, by injecting malware and exploiting other vulnerabilities, to steal the database mapping seeds to serial numbers.

Even though the SecurID generates a new string of digits every 30-60 seconds, some implementations require the user to enter the OTP along with a PIN (Personal Identification Number), a fixed code like the one used at ATMs. Although the PIN represents an additional security layer that, for sure, was not stored in the RSA database, such short codes are easier to compromise and can be retrieved using malware, keyloggers and many other methods.

One last thing: the OTP can’t be modified, changed or altered, and the SecurID token, being tamper-proof, can’t be fixed, opened or reprogrammed. Therefore, if compromised, the SecurID must be replaced.
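To make the token/server computation and the role of the PIN concrete, here is an added worked model in Go. It is written for this article and is not RSA's actual SecurID algorithm or code: it takes the four inputs listed above (the 128-bit seed as the AES-128 key; the 64-bit time, the 32-bit serial and 32 bits of padding as the 128-bit input block), reduces the AES output to a 6- or 8-digit code, and shows the server-side check with a separately stored PIN and a one-window tolerance for clock drift. The Unix-time window counter (instead of the ISO date layout), the constant and type names, the drift tolerance and the sample seed/serial/PIN values are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Simplified model (NOT RSA's real SecurID algorithm) of the inputs the post
// lists: the 128-bit seed is the AES-128 key; a 64-bit time value, the 32-bit
// serial number and 32 bits of zero padding form the 128-bit input block.
// Assumption: time is a Unix-time window counter, not the ISO date layout.

// WindowSeconds is the code lifetime; the post says 30 or 60 seconds.
const WindowSeconds = 60

// TokenRecord is one row of the serial-to-seed database the post says was
// stolen. Note that it holds no PIN: the PIN lives elsewhere.
type TokenRecord struct {
	Serial uint32
	Seed   [16]byte
}

// Code derives the OTP shown for a given Unix time. Token and server both
// run this same function, which is why they agree on the code. Anyone holding
// a copy of the record (for example from a stolen database) gets the same
// result, which is the whole point of the incident.
func (t TokenRecord) Code(unixTime int64, digits int) (string, error) {
	if digits != 6 && digits != 8 {
		return "", fmt.Errorf("unsupported digit count %d", digits)
	}
	cipher, err := aes.NewCipher(t.Seed[:]) // 16-byte key => AES-128
	if err != nil {
		return "", err
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[0:8], uint64(unixTime/WindowSeconds)) // 64-bit time
	binary.BigEndian.PutUint32(in[8:12], t.Serial)                      // 32-bit serial "salt"
	// in[12:16] stays zero: the 32 bits of padding
	cipher.Encrypt(out[:], in[:])
	modulus := uint32(1)
	for i := 0; i < digits; i++ {
		modulus *= 10
	}
	value := binary.BigEndian.Uint32(out[0:4]) % modulus
	return fmt.Sprintf("%0*d", digits, value), nil
}

// Verifier is the authentication server's view: the seed database plus a
// per-user PIN kept outside that database, as the post notes for RSA.
type Verifier struct {
	Tokens map[uint32]TokenRecord // serial -> record
	PINs   map[uint32]string      // serial -> user PIN (empty string = no PIN)
	Digits int
}

// Check validates a passcode of the form PIN||OTP submitted at Unix time now.
// It accepts the current window and the previous one (assumed clock-drift
// tolerance) and compares both parts in constant time.
func (v Verifier) Check(serial uint32, passcode string, now int64) bool {
	rec, ok := v.Tokens[serial]
	if !ok {
		return false
	}
	pin := v.PINs[serial]
	if len(passcode) != len(pin)+v.Digits {
		return false
	}
	gotPIN, gotOTP := passcode[:len(pin)], passcode[len(pin):]
	pinOK := subtle.ConstantTimeCompare([]byte(gotPIN), []byte(pin)) == 1
	otpOK := false
	for _, t := range []int64{now, now - WindowSeconds} {
		expected, err := rec.Code(t, v.Digits)
		if err == nil && subtle.ConstantTimeCompare([]byte(gotOTP), []byte(expected)) == 1 {
			otpOK = true
		}
	}
	return pinOK && otpOK
}

func main() {
	// Constructed sample values: seed bytes, serial, PIN and time are made up.
	tok := TokenRecord{Serial: 123456, Seed: [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}}
	v := Verifier{
		Tokens: map[uint32]TokenRecord{tok.Serial: tok},
		PINs:   map[uint32]string{tok.Serial: "4321"},
		Digits: 6,
	}
	now := int64(1306886400) // 2011-06-01 00:00:00 UTC
	otp, _ := tok.Code(now, 6)
	fmt.Println("token shows:", otp)
	fmt.Println("server accepts PIN+OTP now:", v.Check(tok.Serial, "4321"+otp, now))
	fmt.Println("server accepts it one window later:", v.Check(tok.Serial, "4321"+otp, now+WindowSeconds))
	fmt.Println("server rejects it two windows later:", v.Check(tok.Serial, "4321"+otp, now+2*WindowSeconds))
	fmt.Println("server rejects wrong PIN:", v.Check(tok.Serial, "0000"+otp, now))
}
```

The design choice worth noticing is the split between `TokenRecord` and `Verifier.PINs`: the seed database alone is enough to reproduce every code a token will ever show, so it is the asset that must be protected, while the PIN is the only factor a seed-database leak does not hand over. That is why the post's two conclusions follow directly from the model: a compromised seed means replacing the token, and the PIN is a thin extra layer rather than a substitute.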

Targeting defense contractors

As analysts predicted, the RSA hack was not simply intended to discredit the EMC security division. The actual targets were the corporate clients which use the SecurID token for user authentication and, among them, defense contractors.

Indeed, the first defense contractor known to have suffered a security violation was Lockheed Martin, which on May 22 disabled all remote access to its internal network (“at least for a week”) and planned the replacement of all its RSA SecurID tokens after detecting an intrusion into its internal network. Needless to say, Lockheed is one of the world’s largest defense contractors, “an American global aerospace, defense, security and advanced technology company” supplying hi-tech military hardware to the US and other militaries worldwide (F-16, C-130, F-22 and F-35, to name but a few interesting Lockheed “products”).

On May 31 Wired reported that another defense contractor, L-3, was targeted using stolen SecurID data, although it is not clear whether the hackers succeeded in penetrating its network or not.

Both attacks show a certain interest in data managed by military contractors which manufacture some of the most sophisticated and sensitive US (and foreign) military equipment: weapon systems currently used in Iraq, Afghanistan and Libya. However, as Paolo Passeri commented:

I wonder if military contractors are the only targets or if they have been the only ones capable of detecting the attempts because of their strict security protocols and policies.

Certainly, defense contractors’ networks contain much classified data about current and future US projects. However, such data is usually secured in closed networks that are not interconnected with corporate LANs or that require additional authentication procedures. I have already explained, when I commented on the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project, that network intrusions or data leakage do not always imply a significant loss. It all depends on the information that is actually stolen.

Image: Lockheed Martin

For sure, Advanced Persistent Threats, as well as the RSA SecurID weakness, are something that defense contractors and Government agencies, facing a huge and growing cyber risk, must be able to deal with. First of all, companies should follow the example of Raytheon (another defense contractor), which declared that it took immediate company-wide actions, as soon as the RSA incident information was made public, to prevent a widespread disruption of its network. But to enhance the effectiveness of their security countermeasures, I think that, sooner or later, all corporations and agencies will have to consider using more costly biometric devices (usually seen in movies like Star Trek, Minority Report, X-Men, Planet of the Apes and a few others) that perform user authentication by means of voice analysis, face recognition, iris scan, keystroke dynamics identification, etc.