A few weeks ago you might have seen headlines circulating about a raccoon attack. While wild animals have been popping up in all places – both expected and unexpected – due to Coronavirus shelter-in-place orders around the globe, this particular story involves a potential issue with TLS. Here’s the lowdown on what you need to know and why, so you can keep your business safe.
What is the Raccoon Attack?
According to HackerNews, Raccoon Attack allows hackers to break TLS encryption “under certain conditions” and “read sensitive information. Researchers have determined that type of attack is very difficult to execute as it relies on very precise timing measurements and on a specific configuration to be exploited.”
This is not the first kind of attack to exploit time measurements to break into cryptosystems. In fact, in July of 2020 researchers from DistriNet Research Group and New York University Abu Dhabi discovered a new method of timing attack that they called Timeless Timing Attacks.
The Raccoon Attack was discovered by a group of researchers who have subsequently published their findings in a technical paper and corresponding website.
What is Diffie-Hellman and why is it important?
Published in 1976, Diffie-Hellman (or DH) was the first widely used method of safely deploying and exchanging keys over an insecure channel. The algorithm allows two people who have never met to safely create a shared key. It was mostly used for TLS protocols but today the RSA algorithm is the standard as it is capable of signing public certificates whereas DH key exchange is not.
Raccoon targets the DH key exchange that happens during the TLS handshake. Specifically, it takes note of the time it takes the server to respond to the client and uses that information to decipher the secret key and therefore decrypt the content originally shared.
It might sound simple enough, but there’s a fairly long list of conditions under which a Raccoon Attack can occur:
- The hacker needs to be close to the target due to the precise timing measurements
- The victim needs to be using Diffie-Hellman as the cryptographic algorithm
- The server has to be reusing ephemeral keys (DHE mode)
- Only TLS 1.2 and below are affected
- The attacker also needs to observe the original connection
- If successful the hacker will not receive the private key, so will need to perform this for each connection they want to attack
As you can see, this kind of attack is relatively difficult to execute. Nevertheless, it is a vulnerability that clearly needed to be addressed. Which brings us to the question every IT leader and admin wants to know.
Should you be worried about this attack?
In short, no. As the team who discovered the attack put it, “Raccoon is a complex timing attack and it is very hard to exploit. It requires a lot of stars to align to decrypt a real-world TLS session.”
And from the client side there is not much you can do about it apart from not support DH (E) cipher suites. Modern browsers do not support this anymore, with Firefox being the last to support it in Firefox 78 released in June 2020.
Since the reuse of the ephemeral key is critical in Raccoon Attack, several clients chose to change the way it’s handled. From HackerNews: “F5, Microsoft, Mozilla, and OpenSSL have all released patches to thwart the attack by addressing the concern with ephemeral key reuse. For its part, Mozilla has turned off DH and DHE cipher suites in its Firefox browser, and Microsoft's advisory recommends customers to disable TLS_DHE.”
While Raccoon Attack may not pose an imminent threat to you, this is not to say you shouldn’t care. When it comes to any kind of cyber attack, awareness is critical. We are living in unprecedented times – no matter how overused the phrase – and businesses of all sizes in all industries must remain hyper-aware. Just like a hungry raccoon scouring dark suburban streets for any unsecured trash can, malicious actors are looking for any opportunity “in.”
