Christian Mainka, Karsten Meyer zu Selhausen, Jörg Schwenk, Martin Grothe and Vladislav Mladenov (from left) found the security gap. © RUB, Marquard

IT Security Bochum researchers bypass digital signatures in PDF documents

Digital signatures are supposed to prevent forgeries of invoices and government documents. Researchers from Bochum bypassed this mechanism and went unnoticed by most PDF applications.

Researchers at Ruhr-Universität Bochum have successfully altered the content of signed PDF documents without invalidating the signature. Almost none of the tested PDF applications noticed the manipulation. Signed PDF files are used by many businesses as invoices; some countries, such as Austria and the USA, use them to protect government documents. The researchers at the Horst Görtz Institute for IT Security in Bochum published their findings online on 25 February 2019.

As the vulnerability affected almost all common PDF applications and online services, the researchers reached out to the Computer Emergency Response Team at the Federal Office for Information Security in October 2018 in order to report it. With their help and in collaboration with Karsten Meyer zu Selhausen from Hackmanit GmbH, the Bochum-based researchers Dr. Vladislav Mladenov, Dr. Christian Mainka, Martin Grothe and Professor Jörg Schwenk helped the affected software vendors to close the security gaps.

PDF signatures commonly used

“Similar to the small green lock symbol in the web browser, digital signatures in PDF documents provide evidence of origin and identity of the sender,” explains Jörg Schwenk. “In Germany, many people daily pay invoices by bank transfer using such signed documents.”

Since the regulation pertaining to “Electronic Identification, Authentication and Trust Services” came into effect in the European Union in 2014, digital signatures have been commonly used. Many large enterprises use them for invoices, agreements in EU projects are usually digitally signed, and in Austria new laws are signed with digital signatures. “Adobe provides a digital signature service that was used to issue eight billion signatures in 2017 alone, according to the company,” elaborates Jörg Schwenk.

Desktop applications and online services tested

Users have a number of tools at their disposal to open PDF files. The researchers tested 22 common desktop applications for Windows, Linux and MacOS as well as seven online services. The latter are websites specifically designed to verify the signature in an uploaded PDF document. They are, for example, used by governmental agencies and enterprises.

The researchers tested three different attack categories for each application and each service: Universal Signature Forgery (USF), Incremental Saving Attack (ISA) and Signature Wrapping Attack (SWA). They altered the content of the document without the PDF tool noticing the attempt.

Refunds amounting to a trillion US dollars

The result: 21 of the 22 tested desktop applications and five online services proved vulnerable to at least one of the three attacks. The IT experts were able to change arbitrary content within the signed PDF document. They turned, for example, an amount payable into a refund amounting to one trillion US dollars without compromising the signature in the PDF invoice.

Updates for applications

All analysed PDF applications and online services are listed on the website documenting the attacks.

“Users of PDF readers can check which version they have currently installed and compare it with our online list,” says Jörg Schwenk. The researchers recommend that users whose current version is affected by the security gap (or who use an even older version) contact the corresponding software vendor to ask whether an update is available.

Press contact

Dr. Vladislav Mladenov
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26742
Email: vladislav.mladenov@rub.de

Dr. Christian Mainka
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26796
Email: christian.mainka@rub.de

For general questions, please contact team@pdf-insecurity.org.



Published

Monday
25 February 2019
9:08 am

By

Julia Weiler

Translated by

Donata Zuber
