Big public clouds open to quiet traffic snooping

By on
Big public clouds open to quiet traffic snooping

"TeLeScope" attack bypasses TLS in real-time.

Attackers can abuse hypervisors used by the world's biggest public cloud providers to eavesdrop on encrypted communications in secret, according to a proof of concept presented by security researcher Radu Caragea.

Caragea, who works for antivirus vendor Bitdefender, showed it was possible to steal Transport Layer Security (TLS) encryption keys via the hypervisor by probing server memory.

Called TeLeScope, the attack targets hypervisors used by large public companies such as Amazon Web Services, Google, and Microsoft.

The attack could give malicious cloud providers and government intelligence agencies access to hypervisors to snoop on encrypted communications in real-time, unnoticed. It requires access to the hypervisors.

Caragea said a disgruntled systems administrator, for instance, with hypervisor-level access could "monitor, exfiltrate and monetise all information flowing to and from the customer."

This could include emails, banking transactions, chats, personal photos and other personally sensitive data, the security researcher said.

Keys can be extracted instantly from a known template virtual machine since the memory layout is predictable, Caragea's research showed. Even when the virtual machine layout is unknown, the image only needs to be paused for around 0.1 millisecond to obtain a differential memory dump from which keys can be extracted in linear time.

Such a short pause time is barely noticeable unless the tenant or VM user is actively looking, making the attack very hard to discover.

"There is no telling whether your communication has been compromised and for how long it has been happening because this approach does not leave any anomalous forensic evidence behind," Caragea said.

"Banks, companies dealing with either intellectual property or personal information as well as government institutions are the sectors that could be highly affected by this flaw."

The only way to mitigate against the flaw at the moment is to prevent access to hypervisors, Bitdefender said. Fixing the TeLeScope attack would require rewrites of existing cryptography libraries.

The attack was discovered by Bitdefender when the security vendor tried to come up with a way to monitor malicious outbound activity on its honeypot network, without tampering with the virtual machine and tipping off attackers that they're being observed.

Full text of Caragea's research is available as a PDF document.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitdefender hypervisors nsa security snowden virtualisation

Most Read Articles

'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Optus will now offer 100Mbps and uncapped 5G home internet products

Optus will now offer 100Mbps and uncapped 5G home internet products
Service NSW's in-app contact tracing tool goes live statewide

Service NSW's in-app contact tracing tool goes live statewide
Macquarie University brings Accenture onboard for HR transformation

Macquarie University brings Accenture onboard for HR transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?