The type of hacking attempts that take place in modern times overthrow every security claim and gain access to even the most impenetrable systems such as encrypted keys.
DUHK, a short iteration of “Don’t Use Hard-coded Keys,” is the newest concept of cyber attack that has sprouted online. And just recently, cryptographers have managed to recover secret digital keys using this vulnerability.
Taking advantage of the vulnerability, hackers would be able to gain access to internet communications in a subtle manner and intercept the traffic without the knowledge of the user or the website hosting the service.
Cryptographic vulnerabilities have become quite common and instead of giving hackers the opportunity to exploit something found in the system, researchers in the field have taken the task into their own hands.
Recently, similar attacks named ROCA and KRACK were also discovered and later fixed by sending proper notifications to fix the loophole.
This time, the researchers have come up with solid evidence to prove that an attacker could gain access within a secure VPN connection and monitor everything the target user does—the attacker can view the passwords they use, as well as browsing session records and online transactions.
Such a vulnerability could potentially be exploited by law enforcement agents if they choose to read the browsing session of a particular criminal suspect in order to gather evidence to convict them of specific charges.
DUHK Attack Method Emerging
Last month, researchers discovered KRACK, an attack based on Wi-Fi networks.
A similar attack was also discovered soon after, called the ROCA factorization attack.
The DUHK attack method, on the other hand, allows a third party to gain access into VPNs (Virtual Private Networks) and other private internet setups.
It has been found within the systems of major technology companies.
In a blog post explaining their findings, researchers managed to break the encryption code to gain access to services provided by Fortinet, Cisco and TechGuard.
All of these are major brands in the security sector but they were using ANSI X9.31 RNG, which is not the best way to go about operations.
The program a pseudorandom number-generated algorithm which has proven to be outdated.
This particular setup uses a hard-coded seed key which is what the researchers hacked into so they could read every bit of information that was passed through the network.
The disadvantage of using PRNGs relies on the setup, which doesn’t generate random numbers every time but rather uses the same sequence or bits.
This allows a third party to discover the code, as it also uses the same relative values every time.
Products sold making use of this setup are also vulnerable to attacks because vendors ship products by hard-coding the source code into the items.
Any person who is an expert in reverse engineering could read the entire code and use it against the product manufacturer.
How the DUHK Attack Works
The sample DUHK attack was exposed by security experts Matthew Green, Nadia Heninger and Shaanan Cohney.
The trio suggests that the DUHK attack method allows middle-man attackers to initiate an attack out of nowhere and, if they know the seed value, they can find the current state value by making use of the data generated through outputs.
When a hacker manages to gain access to both the seed value and the state value, they can eventually gain access to the encryption code and later decode the entire process to read through internet communication records easily.
By exploiting the vulnerability, any person can gain access to sensitive information including credit card details, business data, login credentials and so on, which can directly or indirectly be used against the original owner.
The usage of the ANSI X9.31 algorithm is widespread because it was among the certified algorithms used by the United States government up until 2016.
Experts warned as early as 1998 that if anyone could gain access to the seed value, they can eventually break into this particular algorithm.
They also warned against using it in the majority of devices.
However, vendors and manufacturers who hardly listen to such threats continue to use it with most of their products.
But the DUHK attack discovery could officially put an end to using the particular algorithm as hard-coded seed keys allow attackers to decrypt encrypted communications and read the information being passed over.
The researchers who found the vulnerability hail from the University of Pennsylvania and Johns Hopkins University.
The team further advised that manufacturers should avoid leaving hard-coded seed keys in their products which creates a backdoor for hackers.