Screaming into the void: All e-signatures in the world are broken!

Presented at BalCCon2k22 - Loading (2022), Sept. 25, 2022, 3:30 p.m. (30 minutes).

E-signatures everywhere are insecure. They have been hacked 10 years ago. Everyone knew that but no one wanted to talk about it since there is no easy fix. We decided to create a PoC and poke the government with it. This is a story on what happened. :star: PoCs included :star: Electronically signed documents were a great relief to organizing our daily life during the pandemic. They have actually been helping us for many years (depending on the country). It's been known for some time that **dynamic content + e-signatures = trouble**, but we were surprised that no one has really done anything about it. In 2021 we got tired of explaining the vulnerability each partner that sends in a vulnerable asice for signing, so we created multiple practical PoC that allow you to modify content of e-signed documents post-signing. Some of these PoC work against many countries. And there is PoC for every single country. - What is the actual impact? - Why is no-one fixing this? - Can we even fix it? - What are we gonna do about it then?

Presenters:

  • Kirils Solovjovs
    Kirils Solovjovs is an IT policy activist, bug bounty hunter, and the most visible white-hat hacker in Latvia having discovered and responsibly disclosed or reported multiple security vulnerabilities in information systems of both national and international significance. He has extensive experience in social engineering, penetration testing, network flow analysis, reverse engineering, and the legal dimension. He has developed the jailbreak tool for Mikrotik RouterOS, as well as created e-Saeima, helping the Latvian Parliament become the first parliament in the world that is prepared for a fully remote legislative process.

Links:

Similar Presentations: