Return of Bleichenbacher's Oracle Threat (ROBOT)

Conference:  BlackHat USA 2018

2018-08-09

Summary

The presentation discusses the Return of Bleichenbacher's Oracle Threat (ROBOT), a 19-year-old vulnerability in TLS that allows an attacker to sign messages with a server's private key and to decrypt traffic. The talk explores how the vulnerability was found, how it was exploited on popular sites, and why countermeasures introduced in TLS 1.0 failed to prevent it. The presentation also argues for the deprecation of RSA PKCS #1 v1.5 encryption and highlights related problems still present in popular TLS libraries.
  • TLS handshake is used to agree upon a shared secret between client and server
  • RSA encryption-based key exchanges are vulnerable to chosen ciphertext attacks
  • Padding is used to format messages for secure encryption through RSA
  • PKCS #1 v1.5 is the padding used for TLS prior to 1.3
  • Countermeasures introduced in TLS 1.0 failed to prevent the ROBOT vulnerability
  • RSA PKCS #1 v1.5 encryption should be deprecated
  • Related problems are still present and unfixed in many popular TLS libraries
The presentation provides examples of vulnerable products, including those from Facebook, Citrix, Cisco, and Microsoft. The speaker also discusses the challenge of finding vendors and contacting web page owners to inform them of the vulnerability. The presentation highlights the severity of the vulnerability in Cisco AC devices, which were out of support and therefore not being updated to fix the vulnerability. Despite being informed of the vulnerability, Cisco did not respond to the speaker's email and did not fix the issue.
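
The difference between a padding check that acts as an oracle and the uniform handling that the TLS countermeasure calls for (as described in RFC 5246, section 7.4.7.1) can be shown on an already-decrypted RSA block. This is an added example, not material from the talk; the function names and the sample block are constructed for illustration, and Python gives no constant-time guarantee, so only the control flow is demonstrated.

```python
import os

PMS_LEN = 48            # a TLS premaster secret is always 48 bytes
VERSION = b"\x03\x03"   # constructed sample: ClientHello.client_version (TLS 1.2)


def make_block(pms: bytes, k: int = 256) -> bytes:
    """Constructed sample: well-formed k-byte PKCS #1 v1.5 block (0xAA filler)."""
    return b"\x00\x02" + b"\xaa" * (k - 3 - len(pms)) + b"\x00" + pms


def unpad_leaky(em: bytes) -> bytes:
    """Naive unpadding: every failure is distinguishable, which forms an oracle."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:  # fewer than 8 nonzero padding bytes
        raise ValueError("padding too short")
    return em[sep + 1:]


def premaster_uniform(em: bytes, client_version: bytes) -> bytes:
    """Return the decrypted premaster secret, or a random one on ANY fault.

    No exception and no early alert: a malformed block simply yields a secret
    the client does not know, so the handshake fails later at Finished.
    """
    fallback = os.urandom(PMS_LEN)      # drawn before the block is inspected
    if len(em) < PMS_LEN + 11:          # depends on key size only, not plaintext
        return fallback
    sep = len(em) - PMS_LEN - 1         # fixed separator position for 48 bytes
    bad = em[0] | (em[1] ^ 0x02) | em[sep]
    for b in em[2:sep]:
        bad |= (b == 0)                 # padding bytes must be nonzero
    candidate = em[sep + 1:]
    bad |= candidate[0] ^ client_version[0]   # version check folded into the
    bad |= candidate[1] ^ client_version[1]   # same single accept/reject bit
    return fallback if bad else candidate
```

A server built around `unpad_leaky` answers differently depending on which check failed; one built around `premaster_uniform` continues the handshake identically in every case.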

Abstract

With a 19-year-old vulnerability, we were able to sign a message with the private key of Facebook. We'll show how we found one of the oldest TLS vulnerabilities in products of 10 different vendors and how we practically exploited it on famous sites. We'll also discuss how the countermeasures introduced back in TLS 1.0 and expanded over the years failed to prevent this and why RSA PKCS #1 v1.5 encryption should be deprecated. Finally, we'll present what related problems are still present and unfixed in many popular TLS libraries.