Sunday, 06/09/2019 9:51:00 PM

Major HSM vulnerabilities impact banks, cloud providers, governments

https://www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-providers-governments/

Researchers disclose major vulnerabilities in HSMs (Hardware Security Modules).

Two security researchers have recently revealed vulnerabilities that can be exploited remotely to retrieve sensitive data stored inside special computer components known as HSMs (Hardware Security Modules).

HSMs are hardware-isolated devices that use advanced cryptography to store, manipulate, and work with sensitive information such as digital keys, passwords, PINs, and various other sensitive information.

In the real world, they can take the form of add-in computer cards, network-connectable router-like devices, or USB-connected thumb drive-like gadgets.

They are usually used in financial institutions, government agencies, data centers, cloud providers, and telecommunications operators. While they've been a niche hardware component for almost two decades, they are now more common than ever, as many of today's "hardware wallets" are, basically, fancily-designed HSMs.

Remote attack discovered in one HSM brand

At a security conference in France this past week, two security researchers from hardware wallet maker Ledger have disclosed details about several vulnerabilities in the HSM of a major vendor.

The duo's research paper is currently available only in French, but the two are also scheduled to present their findings at the Black Hat security conference that will be held in the US in August.

According to a summary of this upcoming presentation, the vulnerabilities they discovered allow a remote unauthenticated attacker to take full control of the vendor's HSM.

"The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials," researchers said.

Furthermore, the two also said they can "exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM."

"This firmware includes a persistent backdoor that survives a firmware update," they added.

Vendor unnamed -- for now

The duo, made up of Gabriel Campana and Jean-Baptiste Bédrune, said they reported the findings to the HSM maker, which "published firmware updates with security fixes."

The two did not name the vendor, but the team behind the Cryptosense security audit software pointed out that the vendor may be Gemalto, which issued a security update last month for its Sentinel LDK, an API for managing hardware keys on HSM components.

--The rest of the article is continued at the link.
==================================================================
TPMs with Wave VSC 2.0/Wave ERAS could manage the keys and strong authentication rather than these HSMs!! TPMs and Wave solutions could be the new critical piece for the organizations mentioned above!!
=================================================================
https://www.wavesys.com/

https://www.wavesys.com/contact-information