Oh Great, A Terrapin Broke SSH

A New Exploit For The Man In The Middle To Use

Terrapin is the name given to a new exploit, one which can break the security of SSH network traffic in certain conditions.  The first condition is that an attacker must already have successfully set up a man in the middle attack so that they can monitor traffic.  While certainly an awful thing to have happen, up until now it was believed that encrypted SSH traffic could not be modified nor usefully intercepted.  With Terrapin, it is possible to exploit weaknesses in two specific algorithms commonly used by SSH, specifically ChaCha20-Poly1305 and CBC-EtM.

The new attack is able to mess with the incremental counter that ensures what is coming over SSH was what was sent.  So far researchers have come up with two ways that could be taken advantage of.  The first is to break extensions with prevent keystroke timing attacks, as there are disturbingly accurate ways to determine what words are being typed simply by knowing the length of time between key presses.  The second is a way to force your SSH client to send and accept SHA1 traffic instead of SHA2, which is something of a nightmare nowadays.

If you head over to Ars Technica you can get technical details about Terrapin, and what we know about it so far.

Leave a Reply