Everybody be Cool, This is a Robbery!

Conference:  BlackHat USA 2019



The presentation discusses the vulnerabilities found in a Hardware Security Module (HSM) and the development of exploits to gain arbitrary code execution and access sensitive data.
  • The HSM's kernel module that transfers messages is not robust and crashes easily, requiring message filtering and configuration modification
  • 15 memory corruption bugs were found, including a type confusion bug in the crypto key function
  • Exploits were developed to leak sensitive data and gain arbitrary code execution
  • The team patched the HSM's code to disable pin verification and install a custom module to dump memory and decryption keys
  • The presentation calls for secure software running on HSMs
The team developed exploits to leak sensitive data, including the password of the administrator, and gain arbitrary code execution. They also patched the HSM's code to disable pin verification and install a custom module to dump memory and decryption keys. This allowed an attacker to log in as admin without knowing any credentials and access sensitive data. The presentation highlights the need for secure software running on HSMs.


HSMs (Hardware Security Modules) bring cryptographic mechanisms to environments where the highest level of security is required. As an example, HSMs are widely used by cryptocurrency exchanges to secure crypto assets, by banks to protect cryptographic keys and customer PINs, and by telecommunications operators to manage SIM secrets. Basically, HSMs generate, store and protect cryptographic keys and rely on software and hardware mechanisms to prevent secrets from being stolen.This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.Every vulnerability found has been responsibly disclosed to the manufacturer, who published firmware updates with security fixes. We eventually show how it's possible to drastically reduce the attack surface by developing a custom module which prevents almost all vulnerabilities found from being exploited.