Security vendor Cyberoam has been forced to deny allegations that its Deep Packet Inspection (DPI) boxes intercepted a wide range of traffic.
According to research by the Tor Project's Runa Sandvik and OpenSSL's Ben Laurie, a vulnerability in Cyberoam's DPI devices, which all use the same Certificate Authority (CA) certificate and private key, makes it possible for any one Cyberoam DPI box to intercept the traffic of any employees monitored by any other Cyberoam device.
Sandvik and Laurie said: “It is possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception.”
They recommended that employees not install the Cyberoam CA certificate in their browsers, or remove it if they have already done so, and decline to complete any connection that produces a certificate warning.
They said: “In common with all such devices, in order to intercept these connections without causing certificate warnings, the devices require that a certificate must be issued for the intercepted site by a CA browsers trust.
“It is a little surprising that the Cyberoam devices appear to all use exactly the same CA. Examination of a certificate chain generated by a Cyberoam device shows that this CA is not used to sign an intermediate which is then used by the device, and so therefore all such devices share the same CA certificate and hence the same private key.”
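The structural check Sandvik and Laurie describe, as an added example that is not part of the article or of any vendor's code: one constructed CA key stands in for the default certificate shipped on every appliance, two pretend appliances mint leaf certificates for the same site with no intermediate, and the script then tests the two properties behind the finding (the leaf is issued directly by the root, and both appliances' leaves verify under a CA holding the same key). The names boxA, boxB and "Example DPI CA" are invented, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: constructed CA and leaves; nothing here is Cyberoam's real material.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed shared CA, playing the role of the default appliance CA.
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=Example DPI CA" \
  -days 1 -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf <appliance> <hostname>: what an interception box does per site,
# signing the leaf straight from the root with no per-device intermediate.
issue_leaf() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# spki_fingerprint <cert>: SHA-256 of the SubjectPublicKeyInfo. Equal fingerprints
# mean the same public key and therefore the same private key behind it.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# issued_directly_by_root <leaf> <ca>: true when the leaf's issuer is the CA
# itself, i.e. no intermediate sits between them (the observation in the article).
issued_directly_by_root() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# signed_with_same_key <leafA> <caA> <leafB> <caB>: each leaf verifies under its CA
# and both CAs carry one key, so whoever holds that key can intercept on both boxes.
signed_with_same_key() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || return 1
  [ "$(spki_fingerprint "$2")" = "$(spki_fingerprint "$4")" ]
}

issue_leaf boxA mail.example.com
issue_leaf boxB mail.example.com
issued_directly_by_root "$WORK/boxA.crt" "$WORK/ca.crt" && echo "boxA: leaf signed directly by the root CA"
signed_with_same_key "$WORK/boxA.crt" "$WORK/ca.crt" "$WORK/boxB.crt" "$WORK/ca.crt" \
  && echo "boxA and boxB share one CA key: cross-appliance interception possible"
```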
However, in response, Cyberoam said that it is 'committed to our customers' data confidentiality and integrity'. It said that its HTTPS deep scan technology is driven by SSL bridging, in which the appliance presents a self-signed certificate to the client while establishing a secure connection with both the client and the server.
It admitted that while it is possible to decrypt SSL data using a conned private key, the Cyberoam unified threat manager (UTM) does not allow import or export of the private key used for the SSL-bridging technology.
“Hence, Cyberoam can now scan the SSL traffic for malware. This is the only legitimately acceptable approach being followed by the network security vendors. TOR also acknowledges the same. A default certificate is shipped which remains the same across all the appliances,” it said.
It also said that its UTM either accepts or rejects HTTPS Deep Scan Inspection data but does not store it, as processing is done in real time. It said: “The possibility of data interception between any two Cyberoam appliances is hence nullified.”
“Having vindicated Cyberoam technology, we appreciate TOR for the awareness campaign. However we would like to assure all our customers that Cyberoam continues to secure you.”