3 min Security

Online data transfer not always secure with SSH protocol despite encryption

Online data transfer not always secure with SSH protocol despite encryption

A new type of attack is targeting the Secure Socket Shell (SSH). This network protocol is used for data transfers. The protocol is said to guarantee the security of the transfer, but that is now being questioned.

Researchers have found a new method of attack that tampers with the SSH protocol. SSH or Secure Socket Shell uses sequence numbers to indicate the integrity and sequence of data during online transmission. The protocol is intended to prevent third parties from viewing or manipulating the data during transmission.

New research from Germany’s Ruhr University, however, makes all the certainties of this protocol uncertain. Namely, the researchers discovered an attack technique that allows tampering with the sequence number. This attack was named Terrapin.

Used for data transfer within companies

Companies use the SSH protocol to send files using the corporate network. The protocol is not limited to this purpose and is also used to send files over the Internet. The reliability of the protocol is important because it needs to protect so much data.

Terrapin is one way to tamper with the protocol. It specifically attacks during the handshake, or the moment when the sender and receiver set up a connection and initial security factors are set up. By adjusting sequence numbers during this process, it is possible to steal data being transferred without the sender or receiver noticing. Using this method, the hacker performs an attack technique also known as a man-in-the-middle attack.

However, the attack would work better on one encryption mechanism than another. The encryption methods that fall back on ChaCha20-Poly1305- or CBC-mode ciphers with Encrypt-then-MAC don’t stand a chance. The former method uses modern principles and is popular because of the strong security it promises to provide.

Solution available

The researchers previously shared these findings with vulnerable platforms. But for companies, the work can only begin now. Now that the attack technique has been made public, it won’t be long before the first hackers start using it. Since a lot of files are sent back and forth within a business environment, on the one hand it is important to ensure that the SSH protocol to be used for this purpose is secure. On the other hand, the chances of exploitation are not too high since a man-in-the-middle attack requires a lot of activity from an attacker.

According to the researchers, it is better to disable the encryption procedures involved. Of course, installing a patch to fix the problem is also an effective method, but this is only a possibility if a patch has been made available.

To do so, do take into account the following warnings from the researchers: “If it is configured incorrectly or if your client does not support these algorithms, you may lose access to your server. Also, some (very) old versions of OpenSSH (6.2 and 6.3) are vulnerable to buffer overflow when using AES-GCM.”

To verify whether an SSH server or client is vulnerable to the Terrapin attack, the researchers further make a research tool available. Pre-installed binaries and their source code are available on GitHub.

‘Just the beginning’

Eliminating the problem depends on a lot of individual parties. Therefore, the researchers argue, not unfairly, that Terrapin is likely to persist for many years to come. Moreover, they predict that the Terrapin attack is the first attack from a new family of attack techniques. This family will focus specifically on encrypted network protocols.

Tip: Back-ups should be part of a modern layered security approach