
Vulnerable Invisible Salamanders and You: A Tale of Encryption Weakness

A Black Hat presentation will discuss how vulnerabilities found in Facebook Messenger encryption could mean trouble for your secure messages.


When a researcher begins looking for a vulnerability, going for the invisible is good -- and if you can find something visible in the biggest social media platform on earth, so much the better. That's what Paul Grubbs, a Ph.D. candidate in computer science, did when he began exploring abuse of the reporting protocol used for Facebook "secret conversations."

Grubbs says that, internally, Facebook calls the messages within Messenger "salamanders." The secret messages were those related to Facebook's abuse reporting system, which could become lost within the Messenger stream. The vulnerability he found revolved around these salamanders that became invisible through a cryptographic flaw. And, as he and others discovered, invisible salamanders weren't limited to Facebook.

Grubbs points out that true cryptographic flaws are quite uncommon. Instead, according to a maxim in the cryptographic world, "Cryptography is never actually broken in practice, it's always bypassed," he says. "And I find that that's generally pretty true. Genuine cryptographic flaws are comparatively rare."

In the case of the invisible salamander vulnerability, the encryption algorithm itself is vulnerable, and Grubbs says that the mathematics required to exploit the vulnerability are relatively simple. How simple?

"I will say that somebody with most of an undergraduate degree in mathematics can do these attacks and understand them," Grubbs says.

While it's important to understand the principles behind modern encryption methods, Grubbs says, it's more important for security professionals to be wary of treating the encryption piece of the cybersecurity architecture as a perfect black box.

"In some settings that black box kind of doesn't act, well, like a black box," he says. "Sometimes it leads to vulnerabilities, but it always leads to something unexpected, which in security is definitely something you want to avoid."

One such "unexpected" result comes in authenticated encryption schemes -- the kind found sitting at the heart of most secure transport protocols. Grubbs says we often think of these as being like physical lockboxes, where we put messages in and lock them up. If an adversary finds the lockbox, they lack the key to let them look inside. Simple enough.

But Grubbs says that modern schemes are more like boxes that can be unlocked to reveal several different messages, depending on which key you use to unlock them. And this advanced application makes it more likely that a flaw in the encryption algorithm can be exploited.

The cryptographic vulnerability Grubbs found is a "latent vulnerability," he says, with an issue intrinsic to the algorithm. "It's an implementation that isn't necessarily vulnerable as it's being used now," he says. "But if somebody were to use it in a different way or apply it to a new system or a new protocol, then it would become vulnerable."

"[Today] the symmetric, authenticated encryption schemes that people are likely to use, that are likely to be available in libraries, aren't suitable for many threat models," Grubbs says. "And people need to be aware that there are severe attacks that can result from misusing authenticated encryption schemes that are widely available."

Grubbs will provide more details of his research and the vulnerabilities discovered in his Black Hat Briefing, "Hunting Invisible Salamanders: Cryptographic (in)Security with Attacker-Controlled Keys," on Thursday, August 6, at 12:30 p.m. PDT.


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff at and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, and Dark Reading, on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
