Network security firm Cyberoam issued an over-the-air update for all of its Deep Packet Inspection (DPI) devices today after a decrypted version of the company’s universal private key was leaked online over the weekend.
The New Jersey-based company pushed the hotfix after an anonymous commenter posted what was apparently a master private key for all of its devices on a blog belonging to the anonymity network Tor on Sunday.
In a blog entry posted by Tor last week, the network described an alleged security vulnerability in Cyberoam’s devices. The post, penned by Runa Sandvik, a security researcher and developer with the network, described how Cyberoam’s DPI services were insecure and could allow third-party access.
The clash began after a Tor user in Jordan was reportedly denied access to the project’s site, torproject.org. Tor’s researchers deduced that the user’s Internet connection was being intercepted by a Cyberoam device, which was presenting a fake certificate for the site. Further research by Tor revealed that all Cyberoam devices shared the same CA certificate, which Tor reasoned made it possible for anyone holding the key of one Cyberoam device to intercept traffic passing through any other Cyberoam device.
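The interception pattern described above (a site’s certificate issued by the appliance’s CA instead of the expected public CA) can be flagged on the client side by pinning the expected issuer. The example below is added here and is not code from the article, Tor or Cyberoam; it works on the dictionary layout returned by Python’s `ssl.SSLSocket.getpeercert()`, and every certificate value, pin and issuer marker in it is a constructed assumption, not the real Cyberoam CA identity.

```python
# Added example, not from the article: flag TLS interception by checking the
# issuer of the presented leaf certificate against an out-of-band pin.
import ssl
import socket

# Assumed pin: issuer CN(s) the real site is known to use, captured from a
# trusted network, never learned from the connection being checked.
EXPECTED_ISSUERS = {"torproject.org": {"Example Public CA"}}

# Assumed marker for appliance-issued certificates (the article gives no CN).
MIDDLEBOX_CA_MARKERS = ("Cyberoam",)

def rdn_value(name, key):
    """Extract one attribute (e.g. 'commonName') from getpeercert() RDN tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def classify(host, cert):
    """Return 'ok', 'pin-mismatch' or 'middlebox' for a getpeercert() dict."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName") or ""
    if any(m.lower() in issuer_cn.lower() for m in MIDDLEBOX_CA_MARKERS):
        return "middlebox"          # issued by a known DPI appliance CA
    if issuer_cn not in EXPECTED_ISSUERS.get(host, {issuer_cn}):
        return "pin-mismatch"       # trusted by the OS, but not the pinned CA
    return "ok"

def check_live(host, port=443):
    """Fetch the leaf certificate for host and classify it (needs network).

    If the appliance CA was installed in the local trust store, the handshake
    succeeds and only the pin check below reveals the interception.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            return classify(host, tls.getpeercert())

# Constructed samples in getpeercert() layout.
LEGIT = {"subject": ((("commonName", "torproject.org"),),),
         "issuer": ((("organizationName", "Example CA Inc"),),
                    (("commonName", "Example Public CA"),))}
INTERCEPTED = {"subject": ((("commonName", "torproject.org"),),),
               "issuer": ((("organizationName", "Cyberoam Technologies"),),
                          (("commonName", "Cyberoam SSL CA"),))}
```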
Cyberoam responded with a blog post of its own last Thursday, admitting that while all of its devices used the same specialized CA certificate, the company’s Unified Threat Management (UTM) tool doesn’t store HTTPS Deep Scan Inspection data since processing is done in real time. This, according to the firm, quashed any possibility of “data interception between any two Cyberoam appliances.”
Cyberoam went on to clarify that its devices disallow the export of private keys for SSL-bridging technology and that its devices shouldn’t be seen as a ‘mass surveillance device’ but as a ‘network malware protection device.’
After today’s update, each Cyberoam product will have had a new, unique key generated.
While claiming in its blog post that it understands the “critical nature” of the issue at hand, Cyberoam still feels it is being singled out by Tor, and notes that other companies also use a universal CA for their devices. These companies, much like Cyberoam before its update, only put their devices at risk “when providing a HTTPS deep scan.”
This is just the latest warning about insecure PKI (public key infrastructure) implementations. Earlier compromises plagued Comodo and forced Dutch certificate authority DigiNotar out of business. In March last year, attacks on Comodo, Inc. compromised the SSL certificates of sites like Google, Yahoo and Skype, while in August the now defunct Dutch CA DigiNotar issued a bogus certificate for Google.