Major Vulnerabilities in HSMs Impacting Banks, Cloud Providers, Government

Researchers from Ledger discovered vulnerabilities that can be exploited remotely to retrieve sensitive data in Hardware Security Modules (HSMs). HSMs are hardware-isolated devices that use advanced cryptography to store, manipulate, and work with sensitive data—including digital keys, passwords, and PINs—and can take the form of add-in computer cards, network-connectable router-like devices, and USB thumb drive-like gadgets. Another vulnerability can be exploited in the firmware signature verification to upload a modified firmware to the HSM, creating a persistent backdoor that survives a firmware update, giving a threat actor continued access. These devices are used by financial institutions, cloud providers, government agencies, data centers, and telecommunications operators. The vulnerabilities were reported to the unnamed vendor which published firmware updates with security fixes. The NJCCIC recommends patching systems as firmware updates become available. More technical information about the HSM vulnerabilities can be found in the ZDNet’s article and Jean-Baptiste Bédrune and Gabriel Campana’s research paper, currently available only in French.