The ROBOT Attack stands for the ‘Return of Bleichenbacher’s Oracle Threat.’ It refers to the reappearance of a vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols first identified in the distant 1998.
The ROBOT class of attacks is caused by a weakness in the RSA asymmetric cryptography algorithm. Certain implementations of cipher suites using the RSA algorithm allow an attacker to break the confidentiality of the encryption fully.
Here is what the Return of Bleichenbacher’s Oracle Threat (ROBOT) consists of and what steps you can take to prevent it from impacting your systems.
SSL ROBOT Security Assessment
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
What Is the ROBOT Attack?
Back in 1998, Daniel Bleichenbacher identified a vulnerability in the use of RSA encryption. Error codes issued by SSL servers for PKCS #1 v1.5 padding errors made it possible for malicious users to abuse an adaptive chosen-ciphertext attack vulnerability. In this way, they could completely break the TLS confidentiality through error messages.
Three researchers rediscovered the vulnerability 19 years after the initial attack was found out. They warned websites and software vendors that were affected — and this is how the name ‘Return of Bleichenbacher’s Oracle Threat (ROBOT attack) came to be.
How Do ROBOT Attacks Work?
The ROBOT attack entails using a vulnerability in the RSA encryption to authorize operations with the private key of an SSL/TLS server. That’s how attackers can record traffic and decrypt it afterward to access sensitive information.
The RSA attack algorithm is named after Ron Rivest, Adi Shamir, and Leonard Adleman. It’s a public key cryptosystem from 1977 that was quite popular for securing data transmission. It employs two mathematically linked keys — a public and a private key. The vulnerability affects its encryption standard PKCS#1v1.5, allowing malicious users to get to know the private key and abuse it.
The initial attack found by Bleichenbacher employed an oracle with different TLS alerts. The ROBOT researchers modified it, differentiating between errors such as a connection reset, timeout, and duplicate TLS alert. Using a truncated message flow — ClientKeyExchange message without a ChangeCipherSpec and Finished message — discovered additional vulnerable hosts.
The problem with encryption vulnerabilities like ROBOT is that they challenge the very idea of encryption — the secure passing of sensitive information. An attacker can gain access to private data such as passwords and messages by tricking systems thought to be safe.
Discovery of Bleichenbachers Vulnerability
In 2017, three researchers — Hanno Böck, Juraj Somorovsky from Hackmanit GmbH, Ruhr-Universität Bochum, and Craig Young from Tripwire VERT— were identified that the RSA encryption vulnerability discovered by Bleichenbacher in 1998 still exists. The vulnerability was categorized as CVE-2017-6168.
More precisely, they tested slight variations of the vulnerability and found they can be employed against many HTTPS hosts across the web. ROBOT entails conducting RSA decryption and abusing the private key of a TLS server to sign malicious operations. That’s how an otherwise secure TLS session gets jeopardized.
Similar to the case with the Heartbleed bug, the researchers created a dedicated ROBOT attack website and logo for the vulnerability. They also published their work in a paper called “Return of Bleichenbacher’s Oracle Threat, or How We Signed a Message with Facebook’s Private Key,” presented at the 27th Usenix Security Symposium.
Impact Of ‘Return of Bleichenbacher’s Oracle Threat’
The ROBOT vulnerability is quite severe for hosts that use only RSA encryption key exchanges. In such cases, attackers can record SSL/TLS traffic and use it for malicious purposes by later decryption.
Hosts that support RSA encryption modes but use forward secrecy are not at such a high risk. Performing Server Impersonation or a Man-in-the-Middle attack may be plausible, but the attacks would have to be executed quickly.
The ROBOT vulnerability affected numerous popular vendors and vulnerable software solutions, including Cisco, Citrix (CVE-2017-17382 Security Advisory), F5, IBM GSKit, Palo Alto Networks, and more. In addition, highly used and top-rated websites like Facebook and PayPal were also susceptible to the attack and many other vulnerable applications. Among the 100 Alexa-ranked domains, 27 were susceptible to ROBOT. In addition, other items using SSL/TLS like VPNs, routers, switches, cameras, and wireless access points were also vulnerable.
Following Bleichenbacher’s original attack in 1998, security experts didn’t remove the vulnerable encryption but introduced countermeasures — and even more complicated countermeasures later on to address further issues. Nevertheless, these proved insufficient to altogether remove the vulnerability.
The 19-year-old vulnerability, the Bleichenbacher attack, was also used in the DROWN attack on SSL 2.0 in 2016.
After discovering the ROBOT vulnerability, popular vendors and websites had to take immediate actions to address the security risk. They issued patches and updates to mitigate the vulnerability.
However, some security researchers believe that PKCS#1v1.5 and the related RSA cipher modes are generally not bullet-proof. There are predictions of related vulnerabilities — like a ‘return of ROBOT,’ despite the measures taken from 2017 onwards.
How to Prevent the ROBOT Vulnerability in Your Systems
To prevent potential ROBOT attack scenarios, your first step is to ensure that your SSL/TLS server is up-to-date.
To ensure complete protection, it’s essential to avoid using RSA cipher suites that may be affected by the vulnerability. You can refer to our resource on Secure TLS Configuration for guidelines on disabling these cipher suites.
What’s the state of your digital security, and how protected is your web app or API? You can use Crashtest Security’s powerful Vulnerability Testing Software to check for ROBOT vulnerability and find out if any elements in your systems are susceptible to threats like it.