October 30, 2017 By Shane Schick 2 min read

The use of a random number generator with hardcoded keys could enable a crypto attack, exposing private data sent through intranets, virtual private networks (VPNs) and more, according to new security research.

A white paper from researchers at Johns Hopkins University and the University of Pennsylvania was the first to draw attention to the crypto attack method, which has been dubbed Don’t Use Hardcoded Keys (DUHK). By reverse engineering a set of firmware running on Fortinet devices, the researchers were able to compromise the encryption parameters in less than five minutes.

Exploiting Random Number Generation Algorithms

The vulnerability stems from a problem with the ANSI X9.31 random number generator, an algorithm that can safeguard data in browsing sessions and other online use cases by creating encryption keys.

As Bitsonline explained, a U.S. government security standards body called Federal Information Processing Standards (FIPS) stopped supporting ANSI X9.31 almost two years ago, but the algorithm has been in devices from a number of security companies for a long time. The hardcoded seed key, used at device setup or when launching the algorithm, is essentially what makes such devices susceptible to the crypto attack.

If cybercriminals were to make use of DUHK, their victims would most likely remain in the dark since the crypto attack is passive in nature, Bleeping Computer warned.

This attack could affect more than 23,000 FortiGate 4x devices using older versions of FortiOS, the white paper said. In addition to Fortinet devices, it also affects products from Cisco, Neopost and more than a dozen others. The easiest way to know if your organization is safe is to determine whether your firewall or VPN achieved FIPS certification after January 2016.

Is ANSI X9.31 a Sitting DUHK?

Not everyone sees DUHK as a major threat. As Threatpost pointed out, potential problems with ANSI X9.31 have been known among security experts for close to 20 years. Using it to launch a crypto attack would also require a number of other mistakes to have been made in deploying a security appliance.

This is less about putting organizations on guard against a likely threat and more of a critique about how standards bodies such as FIPS run their certification processes — and how well those processes are keeping up to date with the constant rate of change in information technology.
