Cryptographic keys protecting SSH connections stolen in new attack

Representational image of internet connections against a cityscape.
Vad är Wifi 7? (Image credit: Shutterstock / metamorworks)

Hackers can eavesdrop on some endpoints’ SSH connections and use the information flowing there to deduce the hosts’ private RSA keys, which can then be used to impersonate the device - a textbook example of a man-in-the-middle attack - but not steal login credentials. 

These are the findings published in “Passive SSH Key Compromise via Lattices”, a new research paper published by Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger of the University of California, San Diego. For the uninitiated, Secure Shell (SSH) connections are remote encrypted connections established between the user’s endpoint and a server. 

As per the report, as the SSH connection is being established, there is a very, very slight chance of computational errors. These errors can be observed and used to calculate the SSH server’s private host RSA key. 


Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

"Crappy" middleboxes affected

While the above might sound groundbreaking, other researchers, as well as the media, don’t sound too impressed. In its writeup, The Register stressed that software libraries OpenSSL and LibreSSL (and thus OpenSSH), are not known to be vulnerable to the method described in the paper. “That means, in our view, the vast majority of devices, servers, and other equipment on the internet are not at risk, and what you're left with is some Internet-of-Things and similar embedded gear susceptible to attack. It also only affects RSA keys.”

Cybersecurity expert Thomas Ptacek wrote a summary on Ycombinator saying, among other things, that the only endpoints vulnerable to this method are “crappy middleboxes from Zyxel, Mocana, apparently a rare subset of Cisco devices, and whatever "SSH-2.0-SSHD" is (the authors don't know either).”

Cisco said its ASA and FTD software fixed the issue a year ago, and that it was working on mitigations for IOS and IOS XE software even before the paper was published. Zyxel, on the other hand, said the method can only be used on firmware that reached end-of-life.

For those interested in learning more, the full 15-page paper can be found on this link

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.