Mr. Robot Rewind: What you need to know about your HSM security

An episode of Mr. Robot demonstrates how hackers can exploit poor information security practices to gain access to a Hardware Security Module (HSM) by stealing user credentials.

In the fifth episode of Mr. Robot’s third season (‘eps3.4_runtime-err0r.r00’), Angela (PR Manager for the fictional ‘E Corp’) makes an unauthorized backup of an HSM with the intention of stealing private code-signing keys.

The episode premiered on 8 November 2017, but Ryan Kazanciyan, technical consultant for Mr. Robot and chief security architect for Tanium, says he and writer Kor Adana began planning it well before then:

“I’ve been waiting eagerly for this episode to air — it’s my favorite of the season. As I looked through my notes, I was surprised to find that Kor and I first started working on scenes for ‘eps3.4_runtime-err0r.r00’ as far back as January. The attacks against E Corp’s HSMs are among the most complex hacks we’ve depicted on the show — and filming the entire episode as a ‘oner’ added an additional wrinkle.”

For some context, an HSM is a physical device that stores an organization’s cryptographic keys and certificates along with other important assets. It’s easy for a company to load data onto an HSM, but it’s difficult for anyone to extract that data. Indeed, most HSMs come with the ability for authorized personnel to use a stored key without that asset leaving the device’s boundary. As such, HSMs can be one of the most well-protected devices on a corporate network. But it depends on whether a company has followed HSM security best practices.

As the episode shows, E Corp falls short in this regard.

Angela makes her way to the company’s CSAT server. She brings with her a portable HSM backup device provided by the Dark Army, a hacker-for-hire service. It’s her intention to clone one of E Corp’s HSMs onto the device. To complete the task, she needs a PIN Entry Device (PED) and a red USB key to authorize the cloning operation. She ultimately finds the former in one of the server rack’s drawers and the latter left behind in a bag. With these two elements, Angela runs the tools on the thumb drive to complete the backup. She then leaves with the HSM backup and USB dongle, devices which the Dark Army can use to sign malware as if it were legitimate E Corp software.

Chris Harris, Director of Sales Engineering at Gemalto, clarifies what exactly went wrong for E Corp in the episode:

“E Corp made two critical mistakes. They didn’t store their authentication tokens in a secure place, (a bag next to your desk is not secure, and leaving them in the PIN entry device is a cardinal sin) and they didn’t make use of the multiple-user authentication features that Gemalto’s SafeNet Luna HSMs offer. In a perfect world, Angela would have been stopped at the first hurdle by needing collaboration from a group of trusted individuals, all who store their authentication tokens in a secure place such as a locked drawer or safe.”

Good points all around.

Let’s be clear: it’s important for organizations to secure their keys. How they do so matters, however. Indeed, they might want to stay away from storage methods like AWS S3 buckets, as some companies misconfigure these assets and in so doing expose important secrets. Hackers can capitalize on exposed keys and certificates, for example, to sign malicious software. This gives their malware an edge over protection systems that are based on code signing.

Organizations should not leave things up to chance. Instead they should secure their code signing keys in an HSM hardware device. But they shouldn’t stop there. They should also make sure to secure their PED keys and make use of “MofN” (multiple user authorization) for those who can access them.
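To make the “MofN” idea concrete, here is an added illustration of threshold (M-of-N) authorization using Shamir secret sharing. This is example code written for this post, not Gemalto’s code, and it does not claim to show how SafeNet Luna PED keys are implemented internally; it only demonstrates the principle the feature enforces: an activation secret is split into N shares, any M of them reconstruct it, and fewer than M (a single stolen key, say) yield nothing useful. The secret value and share counts are constructed for the example.

```python
"""Illustration of M-of-N authorization with Shamir secret sharing.

Constructed example for this post. It shows the principle behind
multi-user (M-of-N) authorization on an HSM, not any vendor's
actual PED-key implementation.
"""
import secrets

# Arithmetic is done in the finite field GF(PRIME); 2**127 - 1 is prime.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Split an integer secret into n shares such that any m reconstruct it.

    Returns a list of (x, y) points on a random degree m-1 polynomial whose
    constant term is the secret. The leading coefficient is forced non-zero
    so that any m-1 shares interpolate to a value that is never the secret.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 2)]
    if m > 1:
        coeffs.append(1 + secrets.randbelow(PRIME - 1))  # non-zero leading term
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x=0 from the given shares.

    Correct only when at least m distinct shares are supplied; with fewer,
    the result is a field element unrelated to the secret.
    """
    shares = list(shares)
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("shares must have distinct x values")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def authorize(presented_shares, m):
    """Gate an operation on M-of-N: refuse outright with fewer than m shares.

    Models the control the post describes: one person holding one PED key
    cannot unlock the HSM; m distinct key holders must collaborate.
    """
    if len(presented_shares) < m:
        return None
    return recover_secret(presented_shares[:m])


if __name__ == "__main__":
    # Constructed activation secret split 3-of-5 among five custodians.
    activation_secret = 0x5AFE_C0DE_5167_4E57  # placeholder value
    shares = split_secret(activation_secret, m=3, n=5)
    print("one stolen key:", authorize(shares[:1], 3))           # None
    print("three custodians:", authorize(shares[1:4], 3) == activation_secret)
```

Running the module shows the two outcomes that matter for the episode: a single share (the one PED key left in a bag) is refused before any reconstruction is attempted, while three custodians acting together recover the secret exactly. Real HSMs pair this with tamper-resistant hardware and audit logging; the arithmetic here is only the authorization logic.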

Gemalto’s SafeNet Luna HSMs support all of these security practices when it comes to companies safeguarding their keys and certificates.

Are you following HSM security best practices to avoid a hack? Learn more about Gemalto’s HSMs.
