May 27, 2022

Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency

By Henry Birge-Lee, Liang Wang, Grace Cimaszewski, Jennifer Rexford and Prateek Mittal

On Thursday, Feb. 3, 2022, attackers stole approximately $2 million worth of cryptocurrency from users of the Korean crypto exchange KLAYswap. This theft, which was detailed in a Korean-language blog post by the security firm S2W, exploited systemic vulnerabilities in the Internet’s routing ecosystem and in the Public Key Infrastructure (PKI), leaving the Internet’s most sensitive financial, medical and other websites vulnerable to attack.

Remarkably, years earlier, researchers at Princeton University predicted such attacks in the wild and successfully developed initial countermeasures against it, which we will describe here. But unless these flaws are addressed holistically, a vast number of applications can be compromised by the exact same type of attack.

Unlike many attacks that are caused by zero-day vulnerabilities (which are often patched rapidly) or a blatant disregard for security precautions, the KLAYswap attack was not related to any software or security configuration used by KLAYswap. Rather, it was a well-crafted example of a cross-layer attack exploiting weaknesses across the routing system, public key infrastructure, and web development practices. We’ll discuss defenses more in a subsequent blog post, but protecting against this attack demands security improvements across all layers of the web ecosystem.

The vulnerabilities exploited in this attack have not been mitigated. They are just as viable today as they were when this attack was launched. That is because the hack exploited structural vulnerabilities in the trust the PKI places in the Internet’s routing infrastructure

Postmortem

The February 3 attack happened precisely at 1:04:18 a.m. GMT (10:04 a.m. Korean Time), when KLAYswap was compromised using a fundamental vulnerability in the trust placed in various layers of the web’s architecture. 

KLAYswap is an online cryptocurrency exchange that offers users a web interface for trading cryptocurrency. As part of their platform, KLAYswap relied on a javascript library written by Korean tech company Kakao Corp. When users were on the cryptocurrency exchange, their browsers would load Kakao’s javascript library directly from Kakao’s servers at the following URL (see diagram):

https://developers[.]kakao.com/sdk/js/kakao.min.js

It was actually this URL that was the attacker’s target, not any of the resources operated by KLAYswap itself. Attackers exploited a technique known as a Border Gateway Protocol (BGP) hijack to launch this attack. A BGP hijack happens when a malicious network essentially lies to neighboring networks about what Internet addresses (or IP addresses) it can reach. If the neighboring networks believe this lie, they will route the victim’s traffic to the malicious network for delivery instead of the networks connecting to the legitimate owner of those IP addresses, allowing it to be hijacked. 

Specifically, the domain name in the URL above: developers.kakao.com resolves to two IP addresses: 121.53.104.157 and 211.249.221.246. Packets going to these IP addresses are supposed to be routed to Kakao. During the attack, the adversary’s malicious network announced two IP prefixes (i.e., blocks of IP addresses that are used when routing traffic) that caused traffic to these addresses to be routed to the adversary

When KLAYswap customers requested kakao.min.js from the adversary, the adversary served them a malicious javascript file that caused users’ cryptocurrency transactions to transfer funds to the adversary instead of the intended destination. After running the attack for several hours, the adversary withdrew its route and cashed out by converting its coins to untraceable currencies. By the time the dust settled, the adversary had stolen approximately $2 million worth of various currencies from users of KLAYswap and walked away with approximately $1 million dollars worth of various cryptocurrencies. (Some losses were due to fees and exchange rates associated with exfiltrating the currencies from the KLAYswap ecosystem.) 

But what about cryptography?

The second and most dangerous element of the attack was its neutralization of the Internet’s encryption defenses. While there is a moderate level of complexity associated with BGP hijacks, they do happen relatively often (some of the most egregious examples involve China Telecom routing about 15 percent of Internet traffic through its network for 18 minutes and Pakistan Telecom accidently taking down Youtube in a botched attempt at local censorship). 

What is unprecedented in this attack (to our knowledge) is the complete bypassing of the cryptographic protections offered by the TLS protocol. TLS is the workhorse of encryption of the World Wide Web and is part of the reason the web is trusted with more and more secure applications like financial services and medical systems. Among other security properties, TLS is designed to protect the confidentiality and integrity of user data. TLS allows a web service and a client (like a user of KLAYswap) to securely exchange data even over a potentially untrusted network (like the adversary’s network in the event of this attack) and also ensure (in theory) they are talking to the legitimate endpoint. 

Yet, ironically, KLAYswap and Kakao were properly using TLS, and it was not a vulnerability in the TLS protocol that was exploited during the attack. Instead, the attack exploited the false trust that TLS places in the routing infrastructure. TLS relies on the Public Key Infrastructure (PKI) to confirm the identity of the web servers. The PKI is tasked with distributing digitally signed certificates that verify the server’s identity (in this case the domain name like developers.kakao.com) and the server’s cryptographic key. If a server presents a valid certificate, even if there is another network in the middle, a client can encrypt data that only the real server can read.

Using its BGP hijack, the adversary first targeted the PKI and launched a man-in-the-middle attack on the certificate distribution process.  Only after it had acquired a valid digital certificate for the target domain did it aim its attack towards real users by serving its malicious javascript file over an encrypted connection.

Certificate Authorities (or CAs, the entities that sign digital certificates in the PKI) have a similar identity problem to the one in TLS connections. CAs are approached by customers with requests to sign certificates. The CA needs to make sure the customer requesting a certificate actually controls the associated domain name. To verify identity (and thus bootstrap trust for the entire TLS ecosystem), CAs perform domain control validation requiring users to prove control of the domain listed in their certificate requests. Since the server might be getting a TLS certificate for the first time, domain control validation is often performed over no-security-attached HTTP. 

But now we are back to square one: the adversary simply needs to perform a BGP hijack to attract the domain control validation traffic from the CA, pretend to be the victim website, and serve the content the CA requested. After receiving a signed certificate for the victim’s domain, the adversary can serve real users over the supposedly “secure” TLS connection. This is indeed what happened in the KLAYswap attack and makes the attack particularly scary for other secure applications across the Internet. The attackers hijacked developers.kakao.com, approached the certificate authority ZeroSSL, requested a certificate for developers.kakao.com, and served this certificate to KLAYswap users that were downloading the javascript library over presumably “secure” TLS.

While Princeton researchers anticipated this attack and effectively deployed the first countermeasures against it, fully securing the web from it is still an ongoing effort.

Ever since our live demo of this type of attack at HotPETS’17 and our USENIX Security ‘18 paper “Bamboozling Certificate Authorities with BGP” that developed a taxonomy of BGP attacks on the PKI, we have actively been working on developing defenses against it. The defense that has had the biggest impact (that our group developed in our 2018 USENIX Security paper) is known as multiple vantage point domain control verification. 

In multiple vantage point verification, a CA performs domain control validation from many vantage points spread throughout the Internet instead of a single vantage point that can easily be affected by a BGP attack. As we measured in our 2021 USENIX Security paper, this is effective because many BGP attacks are localized to only a part of the Internet, so it becomes significantly less likely that an adversary will hijack all of a CAs diverse vantage points (compared to traditional domain control validation). We have worked with Let’s Encrypt, the world’s largest web PKI CA, to fully deploy multiple vantage point validation, and every certificate they sign is validated using this technology (over a billion since the deployment in Feb 2020). Cloudflare also has developed a deployment as well, which is available for other interested CAs.

But multiple vantage point validation at just a single CA is still not enough. The Internet is only as strong as its weakest link. Currently, Let’s Encrypt is the only certificate authority using multiple vantage point validation and an adversary can, for many domains, pick which CA to use in an attack. To prevent this, we advocate for universal adoption through the CA/Browser Forum (the governing body for CAs). 

Additionally, some BGP attacks can still fool all of a CA’s vantage points. To reduce the impact of BGP attacks, we need security improvements in the routing infrastructure as well. In the short term, deployed routing technologies like the Resource Public Key Infrastructure (RPKI) could significantly limit the spread of BGP attacks and make them much less likely to be successful. Today only about 35 percent of the global routing table is covered by RPKI, but this is rapidly growing as more networks adopt this new technology. In the long run, we need a much more secure underlying routing layer for the Internet. Examples of this are BGPsec, where routers cryptographically sign and verify BGP update messages (although current router hardware cannot perform the cryptographic operations quickly enough) and clean-slate initiatives like SCION that change the format of IP packets to offer significantly more secure packet forwarding and routing decisions.

Overall, seeing an adversary execute this attack in the real world puts immense importance on securing the PKI from routing attacks. Moving forward with RPKI and multiple vantage point domain validation is a must if we want to continue trusting the web with secure applications. In the meantime, thousands of secure applications that trust TLS to protect against network attacks are vulnerable the same way KLAYswap was.

Comments

  1. Phill Hallam-Baker says:

    No, this is not a ‘fundamental flaw in Web security’. It is the result of a group of Cryptobros who didn’t have a clue trying to use a system that is utterly unsuited for what they are trying to use it for.

    I have been working on Web Security and payment systems for 30 years. I was part of the original CERN team that developed the Web and Principal Scientist at VeriSign when we created the Web PKI.

    For the past five years, all these crypto-currency goons have been running round telling us that we are all stupid, that they will replace the global payment system, that no government can stop them and that their currency systems are invincible.

    So please explain how did we ‘Web/1.0’ people whose advice was rejected cause this screw up?

    Anyone who is building a system to move $2 million around needs to take responsibility for the security of their product. If your payment scheme security depends on client side javascript, you are incompetent. There is no way to make that system safe. It did not require a BGP attack to burn it to the ground, the hackers were just showing off.

    The security goal of the WebPKI CA system, which I wrote by the way, was to make online shopping as secure as bricks and mortar shopping. Nothing more.

    The system we built in the 90s would have protected against this attack. Only the Google Chrome team don’t believe authentication is important and so they deliberately trashed the validation controls that were designed for accountability and removed the EV security signal.

    • Anonymous says:

      Can you clarify how EV would have helped here?

      • Anonymous says:

        An EV cert requires more than just a response from a server answering from the domain name on the requested certificate. An EV means “Extra Validation” steps, such as checking with the existing CA, phone calls to the Kakao company’s registered phone number, written approvals, and traceable payments. The forged certificate request for developers.kakao.com would not have been approved by a representative of Kakao, and no reputable CA would have signed it.

    • Henry Birge-Lee says:

      Thank you for your comment and for your contributions to the development of the web PKI. We do feel this is a fundamental flaw in the trust the certificate authorities place in the routing infrastructure. Domain validated certificates inherently rely on demonstrating control of web services that are validated through the network. BGP attacks that manipulate network routing can directly interfere with this validation process.

      With that in mind, this particular attack could have been prevented by improved web development practices and overall security improvements to the KLAYswap system, as you discussed. Had KLAYswap not loaded any external javascript, developers.kakao.com would not have been a viable attack target for compromising KLAYswap. That said, even if no external javascript code was loaded, the adversary could have changed its target to KLAYswap’s own domain and used that to serve malicious content. In addition, even if cryptocurrency services reduce their reliance on the PKI, many other applications use the PKI to secure critical systems and are also vulnerable to this attack.

      As indicated in your comment, we also agree that improvements are needed across many different layers including the PKI and routing infrastructure. More rigorous validation processes like multiple vantage point validation and improved routing security can substantially reduce the damage and viability of attacks like this. We plan to cover some of these topics in a followup blog post that we are currently working on.

  2. This is interesting. The fact that they were able to use BGP to access a domain-validated certificate is pretty disconcerting.

    I think it’s a fair point that the vendor should have had better controls. The javascript library is obviously front-end, and the near-universal rule is never trust anything from the client, right?

    The protections from TLS via PKI are, imho, “good enough.” In that for most use cases the protect the privacy of the client traffic. But for doing more sensitive operations, you always increase the surface area. There should be at least a 3-pronged validation approach to prevent this sort of compromise (similar to how Stripe requires verification from your server and directly from the client to process a request).