How Can the DROWN Vulnerability Affect Your Data? This Simple Guide Explains It
Attackers can steal your confidential data by exploiting this encryption bug
We sometimes take the Internet for granted, so it’s easy to forget what a complex structure it’s really made from. So when a critical security vulnerability hits, we’re suddenly reminded that everything is interconnected. And that we should all be at least a bit more mindful of our online safety.
Maybe you’ve already heard about the DROWN vulnerability, but haven’t had time to really understand what it’s all about. You may even think that it has nothing to do with you or your data. But when it comes to this type of security weaknesses, it’s everyone’s business.
A bit of context
DROWN comes into play almost two years after the massive Heartbleed bug. In layman’s terms, Heartbleed was a security bug that exposed information that was usually protected. Attackers could steal data that was kept confidential by a type of encryption used to secure the Internet.
Specifically, a bug in the SSL/TLS encryption caused around 500,000 web servers (17% of all servers on the Internet) to be exposed to potential data theft.
Quick side note (useful to understand the mumbo behind the jumbo):
According to DigiCert:
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.
So, because of Heartbleed, an attacker could easily steal data such as passwords, cookies and other types of sensitive information from the vulnerable servers. That means that cyber criminals could access your inbox, read your instant messages, see the traffic usually anonymized by your VPN or even take hold of your website/blog/online shop. Websites, email services, instant messaging (IM) and even some virtual private networks (VPNs) were all affected by Heartbleed.
Even though a fix was released the same day that Heartbleed was announced (April 7, 2014), as many as 200,000 devices remain susceptible to exploitation through this massive bug even to this date.
What is the DROWN vulnerability?
So let’s see how Heartbleed and DROWN are connected, and what this new bug is all about.
DROWN stands for Decrypting RSA with Obsolete and Weakened ENcryption. It’s been deemed critical by cyber security specialists.
Why?
Because of this:
DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.
That amounts to approximately 11 million websites, as estimated by Dan Goodin of Ars Technica. A list of the most famous websites vulnerable to attack just before the bug was disclosed (March 1, 2016) includes Yahoo.com, Weibo.com, Alibaba.com, DailyMotion.com, Buzzfeed.com, Flickr.com and many, many more.
Just like Heartbleed, DROWN makes it possible (and cheap) for third parties to launch MITM (Man-in-the-Middle) attacks targeting web servers that host websites, web mail servers that host email services (obviously), but also servers that are dedicated to financial transactions, anonymizing Internet traffic (via VPNs) and more.
The problem is that DROWN makes it very easy for cyber criminals to abuse this vulnerability. They can snoop in on any data transfer between a server and an Internet user (via a website, instant message, email, etc.) that is now left unprotected because of the bug.
But how easy is it, you may ask?
Here’s what the team behind the discovery says:
We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that don’t have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.
Consequently, by exploiting the DROWN vulnerability, the attacker can:
- Retrieve usernames and passwords
- Harvest credit card details
- Read emails and instant messages (contents and attachments)
- See Internet traffic usually rendered anonymous by VPN
- Impersonate a secure website to get you to reveal confidential information through phishing
- Infiltrate a secure website and display malicious content (malware, phishing attempts, etc.).
Here’s how it happens:
The team behind the discovery says that they haven’t seen cyber criminals exploit DROWN before it was disclosed, but now that it’s out, they’ll certainly go for it. It’s a low-hanging fruit bad guys won’t hesitate to pick.
And there’s one more reason malicious actors could strike sooner rather than later: the solution for this vulnerability is public and big companies will certainly implement it as fast as possible. But the odds are that smaller companies (usually SMBs) lack the resources to act as quickly, so they may be left exposed for longer periods of time. Of course, there are also some servers that may be too old to be patched and will probably remain vulnerable until they’re taken out of service.
How to protect your data from DROWN(ing)
If you’re a website owner, you should definitely read all the details on the DROWN attack website, so you can see what actions you have to take to immediately remove this vulnerability from your server. On the website, you can also check if your server is vulnerable to this type of attack.
If you’re a regular Internet user, just like me, there’s not much you can do about it, unfortunately. This is one of those vulnerabilities that only system administrators and other technical specialists can solve, by making the necessary change on the affected servers.
However, you can work on keeping your online safeguards at their best by using:
- a reliable antivirus for reactive protection
- a password manager to protect your credentials
- a free tool that keeps your software up to date
- a proactive security suite that can sanitize your Internet traffic and weed out malicious websites or web destinations.
The fact that you’ve read this article shows that you’re already doing a very good job at keeping up to date with all things related to your Internet security, so don’t stop now.
If you’re technically-inclined, you’ll probably be curious for the details behind DROWN, so we recommend reading this whitepaper that details the vulnerability.
How did DROWN happen, though?
The context that generated this vulnerability relates to cryptography practices, so this section from the DROWN attack website may help shed some light on the reasons behind its emergence.
Conclusion
The days of critical vulnerabilities that affect large parts of the Internet are not over. As hardware and software infrastructure diversifies, incompatibilities and bugs are bound to appear.
But we needn’t despair, since there are plenty of dedicated, experienced specialists that can discover issues such as DROWN or Heartbleed and provide a solution to fix them.
However, even with readily available fixes, it’s up to every website owner, system admin or Internet user to apply these solutions. Only through consistent action and vigilance can we enjoy the best parts of the web.
And if you’re one of the people who truly want to make the Internet a safer place, for yourself and for others too, here’s what I promised at the beginning of the article: