IT Security Bochum researchers bypass digital signatures in PDF documents
Digital signatures are supposed to prevent forgeries of invoices and government documents. Researchers from Bochum bypassed this mechanism and went unnoticed by most PDF applications.
Researchers at Ruhr-Universität Bochum have successfully altered the content of signed PDF documents without invalidating the signature. Almost none of the tested PDF applications noticed the manipulation. Signed PDF files are used by many businesses as invoices; some countries, such as Austria and the USA, use them to protect government documents. The researchers at the Horst Görtz Institute for IT Security in Bochum published their findings online on 25 February 2019 online.
As the vulnerability affected almost all common PDF applications and online services, the researchers reached out to the Computer Emergency Response Team at the Federal Office for Information Security in October 2018 in order to report it. With their help and in collaboration with Karsten Meyer zu Selhausen from Hackmanit GmbH, the Bochum-based researchers Dr. Vladislav Mladenov, Dr. Christian Mainka, Martin Grothe and Professor Jörg Schwenk helped the affected software vendors to close the security gaps.
PDF signatures commonly used
“Similar to the small green lock symbol in the web browser, digital signatures in PDF documents provide evidence of origin and identity of the sender,” explains Jörg Schwenk. “In Germany, many people daily pay invoices by bank transfer using such signed documents.”
Since the regulation pertaining to “Electronic Identification, Authentication and Trust Services” came into effect in the European Union in 2014, digital signatures have been commonly used. Many large enterprises use them for invoices, agreements in EU projects are usually digitally signed, and in Austria new laws are signed with digital signatures. “Adobe provides a digital signature service that was used to issue eight billion signatures in 2017 alone, according to the company,” elaborates Jörg Schwenk.
Desktop applications and online services tested
Users have a number of tools at their disposal to open PDF files. The researchers tested 22 common desktop applications for Windows, Linux and MacOS as well as seven online services. The latter are websites specifically designed to verify the signature in an uploaded PDF document. They are, for example, used by governmental agencies and enterprises.
The researchers tested three different attack categories for each application and each service: Universal Signature Forgery (USF), Incremental Saving Attack (ISA) and Signature Wrapping Attack (SWA). They altered the content of the document without the PDF tool noticing the attempt.
Refunds amounting to a trillion US dollars
The result: 21 of the 22 tested desktop applications and five online services proved vulnerable to at least one of the three attacks. The IT experts were able to change arbitrary content within the signed PDF document. They turned, for example, an amount payable into a refund amounting to one trillion US dollars without compromising the signature in the PDF invoice.
Updates for applications
All analysed PDF applications and online services are listed at the website documenting the attacks.
“Users of PDF readers can check which version they have currently installed and compare it with our online list,” says Jörg Schwenk. The researchers recommend that users whose current version is affected by the security gap (or who use an even older version) should contact the corresponding software vendor if an update is available.
[infobox:2]