Christian Mainka, Karsten Meyer zu Selhausen, Jörg Schwenk, Martin Grothe and Vladislav Mladenov (from left) found the security gap.
© RUB, Marquard

IT Security Bochum researchers bypass digital signatures in PDF documents

Digital signatures are supposed to prevent forgeries of invoices and government documents. Researchers from Bochum bypassed this mechanism and went unnoticed by most PDF applications.

Researchers at Ruhr-Universität Bochum have successfully altered the content of signed PDF documents without invalidating the signature. Almost none of the tested PDF applications noticed the manipulation. Signed PDF files are used by many businesses as invoices; some countries, such as Austria and the USA, use them to protect government documents. The researchers at the Horst Görtz Institute for IT Security in Bochum published their findings online on 25 February 2019.

As the vulnerability affected almost all common PDF applications and online services, the researchers reached out to the Computer Emergency Response Team at the Federal Office for Information Security in October 2018 in order to report it. With their help and in collaboration with Karsten Meyer zu Selhausen from Hackmanit GmbH, the Bochum-based researchers Dr. Vladislav Mladenov, Dr. Christian Mainka, Martin Grothe and Professor Jörg Schwenk helped the affected software vendors to close the security gaps.

PDF signatures commonly used

“Similar to the small green lock symbol in the web browser, digital signatures in PDF documents provide evidence of the origin and identity of the sender,” explains Jörg Schwenk. “In Germany, many people pay invoices by bank transfer every day using such signed documents.”

Since the regulation pertaining to “Electronic Identification, Authentication and Trust Services” came into effect in the European Union in 2014, digital signatures have been commonly used. Many large enterprises use them for invoices, agreements in EU projects are usually digitally signed, and in Austria new laws are signed with digital signatures. “Adobe provides a digital signature service that was used to issue eight billion signatures in 2017 alone, according to the company,” elaborates Jörg Schwenk.

Desktop applications and online services tested

Users have a number of tools at their disposal to open PDF files. The researchers tested 22 common desktop applications for Windows, Linux and MacOS as well as seven online services. The latter are websites specifically designed to verify the signature in an uploaded PDF document. They are, for example, used by governmental agencies and enterprises.

The researchers tested three different attack categories for each application and each service: Universal Signature Forgery (USF), Incremental Saving Attack (ISA) and Signature Wrapping Attack (SWA). They altered the content of the document without the PDF tool noticing the attempt.

Refunds amounting to a trillion US dollars

The result: 21 of the 22 tested desktop applications and five online services proved vulnerable to at least one of the three attacks. The IT experts were able to change arbitrary content within the signed PDF document. They turned, for example, an amount payable into a refund amounting to one trillion US dollars without compromising the signature in the PDF invoice.

Updates for applications

All analysed PDF applications and online services are listed at the website documenting the attacks.

“Users of PDF readers can check which version they have currently installed and compare it with our online list,” says Jörg Schwenk. The researchers recommend that users whose current version is affected by the security gap (or who use an even older version) contact the corresponding software vendor to find out whether an update is available.

Press contact

Dr. Vladislav Mladenov
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26742
Email: vladislav.mladenov@rub.de

Dr. Christian Mainka
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26796
Email: christian.mainka@rub.de

For general questions, please contact team@pdf-insecurity.org.



Published

Monday
25 February 2019
9:08 am

By

Julia Weiler

Translated by

Donata Zuber
