Big public clouds open to quiet traffic snooping

By on
Big public clouds open to quiet traffic snooping

"TeLeScope" attack bypasses TLS in real-time.

Attackers can abuse hypervisors used by the world's biggest public cloud providers to eavesdrop on encrypted communications in secret, according to a proof of concept presented by security researcher Radu Caragea.

Caragea, who works for antivirus vendor Bitdefender, showed it was possible to steal Transport Layer Security (TLS) encryption keys via the hypervisor by probing server memory.

Called TeLeScope, the attack targets hypervisors used by large public companies such as Amazon Web Services, Google, and Microsoft.

The attack could give malicious cloud providers and government intelligence agencies access to hypervisors to snoop on encrypted communications in real-time, unnoticed. It requires access to the hypervisors.

Caragea said a disgruntled systems administrator, for instance, with hypervisor-level access could "monitor, exfiltrate and monetise all information flowing to and from the customer."

This could include emails, banking transactions, chats, personal photos and other personally sensitive data, the security researcher said.

Keys can be extracted instantly from a known template virtual machine since the memory layout is predictable, Caragea's research showed. Even when the virtual machine layout is unknown, the image only needs to be paused for around 0.1 millisecond to obtain a differential memory dump from which keys can be extracted in linear time.

Such a short pause time is barely noticeable unless the tenant or VM user is actively looking, making the attack very hard to discover.

"There is no telling whether your communication has been compromised and for how long it has been happening because this approach does not leave any anomalous forensic evidence behind," Caragea said.

"Banks, companies dealing with either intellectual property or personal information as well as government institutions are the sectors that could be highly affected by this flaw."

The only way to mitigate against the flaw at the moment is to prevent access to hypervisors, Bitdefender said. Fixing the TeLeScope attack would require rewrites of existing cryptography libraries.

The attack was discovered by Bitdefender when the security vendor tried to come up with a way to monitor malicious outbound activity on its honeypot network, without tampering with the virtual machine and tipping off attackers that they're being observed.

Full text of Caragea's research is available as a PDF document.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitdefender hypervisors nsa security snowden virtualisation
In Partnership With

Most Read Articles

Google ordered to reveal identity of anonymous reviewer

Google ordered to reveal identity of anonymous reviewer
NBN Co sees 250Mbps take-up rise after price cut

NBN Co sees 250Mbps take-up rise after price cut
ANZ and CBA push for consolidation of EFTPOS, BPAY and NPP

ANZ and CBA push for consolidation of EFTPOS, BPAY and NPP
Aussie Broadband lets customers 'kick' own connection

Aussie Broadband lets customers 'kick' own connection
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Driving business innovation through private cloud solutions
Driving business innovation through private cloud solutions
Future proofing your datacentre with hyperconverged infrastructure
Future proofing your datacentre with hyperconverged infrastructure
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here

Events

Log In

Username / Email:
Password:
  |  Forgot your password?