In 2016, Dr. Fotis Loukos, Director of Security Architecture of SSL.com conducted research on security risks from reverse engineering embedded systems, and in particular Hardware Security Modules.
As part of this research work, Fotis uncovered a software bug in Utimaco’s firmware, allowing an HSM administrator to extract an encrypted backup of the Master Backup Key (MBK) database. He immediately reported this bug in a highly responsible way to Utimaco. Utimaco in turn addressed it in its next product release.
Although the bug was in a critical part of the Utimaco HSM, Fotis and Utimaco agree that it does not constitute a vulnerability that endangers any private keys or Critical Security Parameters. At no point was there a risk of any key material being exposed in plaintext.
Utimaco is grateful to Fotis Loukos and the SSL.com Research Team for their diligent research work and for the responsible contributions to Utimaco’s product quality.
Fotis presented the findings of his research work, including said bug, to a public audience at REcon Brussels 2017, and subsequently published the slides of this talk. This publication led to concerns among Utimaco customers that the ability to extract an encrypted MBK could be interpreted as a vulnerability. This is not the case. We regret that this misunderstanding occurred and the concerns it may have caused.
In our role as the provider of the root of trust to a wide range of industries, we remain committed to the highest product quality and customer satisfaction.