
I am wondering if it could be possible to sort of "bypass" the certificate pinning protection of Android or iOS using for example the POODLE SSL vulnerability. According to this blog entry it is possible to extract the SSL encryption key using Padding Oracle attacks.

Once I have the key, I can decrypt the SSL stream without violating the SSL pinning. I could send my own packets to the server because I can encrypt them with the correct encryption key, right?

The aim would be to change data on the fly in a pinned TLS connection for which I have the key, without removing the pinning protection. Is this possible (theoretically)?

Anders

2 Answers


Certificate pinning and public key pinning are rather protections against malicious/compromised CAs. They can hardly defeat any attack that does not rely on this.

So, attacks like LogJam, DROWN, POODLE, BREACH, BEAST, HeartBleed etc. (just some examples of relevant attacks unrelated to each other) are not defeated by certificate pinning.

Well, pinning might theoretically mitigate some attack of this kind by accident (e.g. it would run some extra allocation that would accidentally prevent an attacker from gaining access to some interesting part of memory when using HeartBleed), but this is unlikely.

Note that not all attacks give you the same power. For example, POODLE, BREACH and BEAST could allow you to read some portions of data, but they will never allow you to change the data without being detected. Also, some attacks are applicable only under some specific conditions.

And last but not least, vulnerabilities get fixed over time. Old protocols and ciphersuites get disabled, wrong implementations get fixed, some design issues are worked around. On the other hand, some systems get updates late (if they get any), so an attacker could be lucky (to the extent the particular vulnerability allows) even with those old vulnerabilities.

v6ak
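To illustrate the "read but not modify" point in the answer above, here is an added toy model of a MAC-then-encrypt record layer (it is not TLS itself and not code from this thread; `seal`, `unseal` and `tamper` are hypothetical names). The attacker is modelled as already knowing the plaintext bytes, which is what a padding-oracle attack yields, but not the MAC key.

```python
import hmac
import hashlib
import secrets

# Toy record layer: HMAC-SHA256 tag appended to the plaintext, then the whole
# body XORed with a keystream. Illustration only, not a real TLS cipher suite.

def _keystream(enc_key: bytes, length: int) -> bytes:
    # Keystream from HMAC-SHA256 in counter mode (stream cipher stand-in).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    return bytes(b ^ k for b, k in zip(body, _keystream(enc_key, len(body))))

def unseal(enc_key: bytes, mac_key: bytes, record: bytes):
    # Returns the plaintext, or None when the integrity check fails.
    body = bytes(b ^ k for b, k in zip(record, _keystream(enc_key, len(record))))
    plaintext, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None

def tamper(record: bytes, known: bytes, replacement: bytes) -> bytes:
    # Attacker model from the thread: the plaintext bytes are known (as a
    # padding oracle would reveal them) but the MAC key is not. XORing the
    # difference into the record flips the plaintext bytes, but the tag no
    # longer matches, so the receiver rejects the record.
    assert len(known) == len(replacement)
    delta = bytes(a ^ b for a, b in zip(known, replacement))
    return bytes(r ^ d for r, d in zip(record, delta)) + record[len(delta):]

def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"GET /balance?acct=1001"          # constructed sample request
    rec = seal(enc_key, mac_key, msg)
    forged = tamper(rec, msg, b"GET /balance?acct=9999")
    # Genuine record decrypts; forged record is detected and dropped.
    return unseal(enc_key, mac_key, rec), unseal(enc_key, mac_key, forged)
```

Knowing the plaintext lets the attacker change what the record would decrypt to, but without the MAC key the altered record is rejected, which is why reading attacks do not translate into undetected modification.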

It is possible to attack certain connections via POODLE, although SSL pinning is still functioning correctly in your example. The browser will correctly adhere to the pinning even if the underlying crypto is insecure.

  • Can you think of another way to modify data in an SSL stream without getting the decryption key and without violating SSL pinning? I mean there are vulnerabilities like LOGJAM,... where I can decrypt the data and read it but I can't think of a way how I could modify it.... – user3348472 Oct 26 '15 at 22:04
  • I would recommend checking out this answer http://security.stackexchange.com/a/79102/89457 – Ammar Bandukwala Oct 26 '15 at 22:10
  • Sorry, but what does this have to do with the question? – user3348472 Oct 26 '15 at 22:21
  • I'm sorry, I misunderstood what you were asking at the time I posted that comment. – Ammar Bandukwala Oct 26 '15 at 22:43
  • @user3348472 Logjam or Freak allows MitM to decrypt and encrypt/forge (and thus modify), but only if the server uses weak parameters or a persistent and weak RSA key respectively and the client accepts them, both of which can be and should be false. – dave_thompson_085 Nov 26 '15 at 04:11