Hypervisor wiretap feature can leak data from the cloud

Bitdefender has discovered that encrypted communications can be decrypted in real-time using a technique that has virtually zero footprint and is invisible to anyone except extremely careful security auditors.

TeLeScope technique

The technique, dubbed TeLeScope, has been developed for research purposes and proves that a third party can eavesdrop on communications encrypted with the Transport Layer Security (TLS) protocol between an end-user and a virtualised instance of a server.

The attack makes it possible for a malicious cloud provider, or one pressured into giving access to three-letter agencies, to recover the TLS keys used to encrypt every communication session between virtualised servers and customers. CIOs who are outsourcing their virtualised infrastructure to a third-party vendor should assume that all of the information flowing between the business and its customers has been decrypted and read for an undetermined amount of time.

“There is no telling whether communications have been compromised and for how long this has been happening because this approach does not leave any anomalous forensic evidence behind,” states Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender. “Banks and companies that are dealing with either intellectual property or personal information, as well as government institutions, are the sectors that could be highly affected by this flaw.”

The TeLeScope technique is only effective against virtualised environments that run on top of a hypervisor. Such infrastructures are increasingly popular, and are provided by industry giants such as Amazon, Google, Microsoft and DigitalOcean. Rather than exploiting a flaw in the Transport Layer Security protocol itself, this new attack technique relies on extracting the TLS session keys from guest memory at the hypervisor level, through careful memory probing.

Bogdan Botezatu continues, “We discovered this attack vector while researching a way to monitor malicious outbound activity on our honeypot network without tampering with the machine and without tipping attackers off in any way that they are being watched. Upon discovering the flaw, we decided to publicly disclose this in detail, as the social, economic and political stakes of passive traffic monitoring in virtualised environments are overwhelming.”