Researchers Crack Digital PDF Signatures

A team of German researchers use three attacks to falsify documents while tricking authentication services into thinking they’re still legitimate

Academics at the Ruhr-University Bochum in Germany have cracked the digital signatures used in Adobe’s PDF format, saying their exploits allowed them to alter documents while the signatures appeared to remain valid.

The academics said they were able to use three exploit variants that enabled them to modify documents in such a way that most desktop PDF readers and online verification tools were fooled.

They said 21 of the 22 desktop PDF readers were vulnerable, and five of the seven online PDF signing services were affected.

The vulnerable applications include Adobe’s Acrobat Reader, Foxit Reader and LibreOffice, while online services DocuSign and Evotrust were amongst those that were affected.

Document security

PDFs are increasingly used by businesses and governments in place of paper documents, and digital signatures – which verify a document’s provenance and that it has remained unaltered – play an important role in ensuring the security of those documents.

Start-up DocuSign, which went public in April of last year, is one of the better-known companies capitalising on the increasing demand for secure digital signatures.

In 2016 the company standardised electronic signatures across the EU, taking advantage of new EU regulations on digital signatures that came into force that year.

The three attack techniques are called Universal Signature Forgery (USF), Incremental Saving Attack (ISA) and Signature Wrapping Attack (SWA), with the first involving the manipulation of the signature’s metadata.

The second attack uses a legitimate feature of the PDF specification, which allows updates to a PDF file, to essentially hide the existing document and create a new one, while the Signature Wrapping Attack involves tricking the signature-verification logic into processing falsified data.

“With our attacks, we can use an existing signed document… and change the content of the document arbitrarily without invalidating the signature,” the researchers wrote in an advisory published on a website dedicated to the PDF vulnerabilities.

They said that, for instance, an Amazon Germany invoice could be falsified to indicate a $1 trillion (£750bn) refund without compromising the invoice’s signature.

Patches available

The researchers said they began examining PDF signatures early last year and in October began contacting the vulnerable vendors, in cooperation with Germany’s Computer Emergency Response Team, BSI-CERT.

The affected vendors have now patched the issues and released updates, so that the latest versions are not vulnerable to the signature hacks, the researchers said.

The vulnerabilities affected Mac, Windows and Linux platforms, they said.

Researchers Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk said they were not aware of current exploits using their attacks.