
Private Keys Can Be Pilfered With Heartbleed Exploits

A challenge to exploit the infamous Heartbleed flaw to get encryption private keys has been accepted and completed by a number of researchers, highlighting the severity of the vulnerability.

The more skeptical corners of the security community believed Heartbleed, which was revealed to affect scores of websites last week, could not be exploited in normal conditions to get at private keys used in web connections, but were proven wrong.

The vulnerability lay in an extension of OpenSSL encryption, known as Heartbeat. In a normal Heartbeat transaction, a user machine would send packets of data to a server to keep a supposedly secure HTTPS connection open. If the data sent back by the server was the same as that sent, the connection would be kept alive.

But an attacker could send a malformed slice of data containing a small payload disguised as a normal, larger one. The server would then extract the message and, to ensure it was sending back the same amount of data as it thought it had received, would take chunks of its own memory and hand them back to the attacker.

That meant the hacker could get 64KB of data back every time they sent a malicious request.

Private keys nabbed

Yet CloudFlare, a content delivery network provider, wasn’t too sure hackers could get at private keys held on vulnerable servers and so set up a challenge to acquire them from a server it had specially set up.

It was soon proven private keys could be acquired. Fedor Indutny, a Russia-based software engineer, was said to be the first to complete the challenge, followed by three others.

“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability,” CloudFlare said in a blog post.

The effects of Heartbleed have been felt across the technology industry, from big name Internet providers like Yahoo, to network vendors Cisco and Juniper, to Android mobile users.

NSA ‘knew of Heartbleed’

It’s also been claimed the US National Security Agency (NSA) knew about the Heartbleed vulnerability for two years. The flaw was introduced into the OpenSSL code two years ago. Citing people familiar with the matter, Bloomberg suggested the NSA quickly found out about the vulnerability and exploited it to steal passwords and spy on targets.

But the NSA denied knowing about it until last week. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” a spokesperson said.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
