Big public clouds open to quiet traffic snooping

By on
Big public clouds open to quiet traffic snooping

"TeLeScope" attack bypasses TLS in real-time.

Attackers can abuse hypervisors used by the world's biggest public cloud providers to eavesdrop on encrypted communications in secret, according to a proof of concept presented by security researcher Radu Caragea.

Caragea, who works for antivirus vendor Bitdefender, showed it was possible to steal Transport Layer Security (TLS) encryption keys via the hypervisor by probing server memory.

Called TeLeScope, the attack targets hypervisors used by large public companies such as Amazon Web Services, Google, and Microsoft.

The attack could give malicious cloud providers and government intelligence agencies access to hypervisors to snoop on encrypted communications in real-time, unnoticed. It requires access to the hypervisors.

Caragea said a disgruntled systems administrator, for instance, with hypervisor-level access could "monitor, exfiltrate and monetise all information flowing to and from the customer."

This could include emails, banking transactions, chats, personal photos and other personally sensitive data, the security researcher said.

Keys can be extracted instantly from a known template virtual machine since the memory layout is predictable, Caragea's research showed. Even when the virtual machine layout is unknown, the image only needs to be paused for around 0.1 millisecond to obtain a differential memory dump from which keys can be extracted in linear time.

Such a short pause time is barely noticeable unless the tenant or VM user is actively looking, making the attack very hard to discover.

"There is no telling whether your communication has been compromised and for how long it has been happening because this approach does not leave any anomalous forensic evidence behind," Caragea said.

"Banks, companies dealing with either intellectual property or personal information as well as government institutions are the sectors that could be highly affected by this flaw."

The only way to mitigate against the flaw at the moment is to prevent access to hypervisors, Bitdefender said. Fixing the TeLeScope attack would require rewrites of existing cryptography libraries.

The attack was discovered by Bitdefender when the security vendor tried to come up with a way to monitor malicious outbound activity on its honeypot network, without tampering with the virtual machine and tipping off attackers that they're being observed.

Full text of Caragea's research is available as a PDF document.

Copyright © iTnews.com.au . All rights reserved.
Tags:
bitdefender hypervisors nsa security snowden virtualisation

Most Read Articles

Devastating flaw puts almost every wi-fi network at risk

Devastating flaw puts almost every wi-fi network at risk
Hacked Aussie Defence firm lost fighter jet, bomb, ship plans

Hacked Aussie Defence firm lost fighter jet, bomb, ship plans
NBN Co works to recover cost of network damage

NBN Co works to recover cost of network damage
Subaru key fob vulnerability lets hackers unlock cars

Subaru key fob vulnerability lets hackers unlock cars
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
Solving IT complexity
Solving IT complexity
Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats

Events

Most popular tech stories

Log In

Username:
Password:
|  Forgot your password?