TOR project uncovers flaw in mass-surveillance appliance

The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website, was private and secure, though in fact it was being spied upon by a Cyberoam device. Cyberoam makes "deep packet inspection" software, used in mass surveillance of Internet traffic, and as TOR's Runa Sandvik and OpenSSL's Ben Laurie investigated the matter, they discovered that all Cyberoam devices share a common vulnerability related to their handling of certificates. The company was notified of this on June 30, and told that the vulnerability would be made public today.

Last week, a user in Jordan reported seeing a fake certificate for The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a US company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.

After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.

Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception.

Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372) (Thanks, Runa!)


  1. Cyberoam makes consumer and SMB Unified Threat Management (UTM) appliances which do SSL inspection by generating certificates for remote sites–as do other UTM appliances from vendors like Fortinet, Dell/SonicWALL, and Palo Alto Networks.  There’s no evidence of a “mass-survillance appliance” implicated here–the original report probably came from somebody working for an organization that is using a Cyberoam as their Internet firewall.

    My home Fortinet device does the same thing, though I reconfigured it to use a subordinate CA from my own CA instead of the default Fortinet CA which is used by all Fortinet devices.

    1. Either way – the fact that most of these devices ship with a default, globally identical, CA cert, is just wrong.  These are companies that specialize in network security, selling to customers who mostly don’t – this is the sort of thing they should have been getting right for a decade or more.

  2. So let me see if I understand this correctly: Cyberoam makes a DPI device, and claims they can even look into SSL connections, although the way they accomplish this is to just generate a fake certificate signed by their own device cert, and then setup an automatic man in the middle attack. The problem is that no browser actually recognizes the Cyberroam cert as trusted CA, so if you actually enable this feature, it just causes the browser to pop up a bunch of security warnings about an untrusted certificate, unless the user explicitly installs the Cyberroam CA in their browser. Presumably in a corporate environment this would be the designated desktop monkey going around and forcing every browser instance to accept the cert, so then OmegaEvilCorp LLC can then spy on employees SSL connections without a security warning tipping anyone off.

    Except here some genius at Jordan’s Ministry of Democracy Management and Interweb Obedience (or whatever) tried to use one of these devices against Tor users, but forgot the part where they have to install fake CA certs in every browser in the country. This tipped off Tor and caused them to look a bit deeper at what Cyberoam was doing. The icing on the cake is that the geniuses in India Cyberoam outsourced the development effort to used the same CA cert for every single device without an intermediate cert. This means that anyone who’s had the poisoned CA cert forced on them (such as employees of OmegaEvilCorp) could have their traffic intercepted and decrypted anywhere on the internet by anyone with access to a Cyberoam device, not just OmegaEvilCorp’s IT department. So not only is it evil, but it’s a pretty incompetent dangerous form of evil to boot. Lovely!

    I did like this footnote, though:

    [1] In the corporate setting, willing victims are often known as “employees”. Unwilling victims should not, of course, install the CA certificate, nor should they click through certificate warnings.

  3. Surely the whole “Invalid certificate” thing would raise a concern in most people’s browsing. I mean, yes it’s trying to trick you into accepting a fake cert, but not trying very hard.
    There are a number of SSL inspection devices that do the same thing.

    I don’t know how good the Cyberoam boxes are but there are plenty of similar things that are so black boxed you’ll never get the CA cert out of it without some seriously hard work and then what have you got? An untrusted cert which you could use to decrypt something if you manage to get yourself a “man in the middle” position on someone who was stupid enough to accept the cert or if you can steal an old capture file from someone who was snooped on and the metadata about who they are etc… 
    I agree it’s not the most secure solution, but it seems pretty unlikely to be exploited. If you’re dealing with an organisation who can get that sort of information then they’ve got better ways of finding your secrets (like rubber truncheons and sodium pentathol).

    1. Surely the whole “Invalid certificate” thing would raise a concern in most people’s browsing.

      You’d hope so, wouldn’t you?  And yet, repeated studies of actual human behaviour shows that a vanishingly small proportion of people pay any attention to them (or understand their implication).

      TOR users are probably one of the few user populations where more than a handful of users would think anything of the error.

      1. Of course, part of the reason for this is that the proportion of certificate errors that aren’t false positives is ridiculously small.

        A well-known report from Microsoft Research (PDF) went so far as to say that “as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever.”

      2. Ah, but in this case the client’s browser won’t complain because this box acts as a proxy and presents a _valid_ certificate to the client.

        Cyberoam has lots of company in doing this. Besides the vendors Jim Lippard names, Check Point, Cisco, Juniper, Barracuda, and probably others also do SSL decryption/inspection.

        Also, characterizing Cyberoam as a US company both is and isn’t right. Cyberoam’s web site notes it has US offices, but that it’s a division of Elitecore Technologies Pvt. Ltd., which is an Indian company. Elitecore’s site, in turn, notes they have VC funding from the US-based Carlyle Group.

        1.  Valid, but not trusted by default – that’s how it was discovered.

          The things are designed to be deployed in a setting where the IT admins also control all the computers, so they can distribute or revoke trusted root certs as needed.  The Jordanians got busted because they used it outside that context.

  4. For this very reason we created We do not need external certificates to validate our security, yes, we have one but it is a small cog in a much bigger machine. Basically, a Jumpto user is given their own private and encrypted cloud. From there they can peek down into the rest of the Internet or execute cloud based applications that we have developed and are slowly releasing. Proxies of all flavors, including TOR are susceptible to intrusions, Jumpto is not.

  5. I completely agree with Fred Luchetti. I am a Jumpto user and enjoy complete secured browsing. I’ve tried the others which use antiquated technologies such as VPN’s.

Comments are closed.