Shadow Attacks on Digitally Signed PDF Files
Published on: Saturday 25-07-2020
Before the computer era, there was only one way to sign a document: on physical paper, with an ink pen. Those documents were certainly vulnerable, as any middleman could probably change a few of the signed pages. In today's digital world, we widely use digital signatures for our digital documents, especially digitally signed PDF files. A digital signature is a mathematical scheme for maintaining the integrity or verifying the authenticity of digital documents. It is a really secure and authentic solution compared to a paper document.
According to Adobe Cloud, they provided 8 billion electronic and digital signature transactions in 2019, while DocuSign processed around 15 million documents each day in 2019.
In this article I am sharing something different, which throws light on the fact that even digitally signed documents carry risk.
What is a Shadow Attack?
A shadow attack is a popular cyber-attack targeting PDF files. The trick behind any shadow attack lies in the concept called view layers, where different sets of content that are overlaid on top of each other inside a PDF document are accessed and altered.
There are three variants of the shadow attack, listed below. All of them are especially dangerous when they replace sensitive information in a financial document, such as altering the bank account details on a payment invoice, as this may lead to major cybercrime activity.
- Shadow attack to “Hide”: In this case, cybercriminals use the PDF standard's “Incremental Update” feature to hide a layer of the file, without replacing it with anything else.
- Shadow attack to “Replace”: In this case, cybercriminals use the PDF standard's “Interactive Forms” feature to replace the original content with modified content.
- Shadow attack to “Hide-and-Replace”: In the hide-and-replace method, cybercriminals use a second PDF document contained in the original document to replace it with a whole new document.
Which PDF Software Applications are Vulnerable to Shadow Attacks?
According to new research published this week by academics from the Ruhr-University Bochum in Germany, many PDF applications are vulnerable to shadow attacks.
The report's research statement reads: “Digitally signed PDFs are used in contracts, bills, and agreements to guarantee the authenticity and integrity of their content. A typical user would assume that digitally signed PDF files are final and cannot be further modified. However, various changes like adding annotations to a signed PDF or filling out form fields are allowed and do not invalidate PDF signatures.
In this report, we show that this flexibility allows attackers to completely change a document’s content while keeping the original signature validation status untouched. Our attacks work in a novel attacker model, which allows attackers hiding content in a PDF. After signing this PDF by a benign entity, the attackers reveal the hidden content by using permitted manipulations.”
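A defender can at least see whether anything was appended to a file after it was signed. The following is an added example, not code from this article or from the research report: it reads each signature's /ByteRange and reports the incremental updates and objects that lie beyond the signed bytes. It does not verify the signature itself, and the function names and the sample bytes are constructed for illustration.

```python
import re

# Matches a signature dictionary's /ByteRange [off1 len1 off2 len2] entry.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
INDIRECT_OBJ = re.compile(rb"\d+\s+\d+\s+obj\b")

def audit_signed_pdf(data: bytes) -> list:
    """Report, per signature, what was appended after the signed byte range."""
    findings = []
    for m in BYTE_RANGE.finditer(data):
        off1, len1, off2, len2 = map(int, m.groups())
        signed_end = off2 + len2              # first byte the signature does not cover
        tail = data[signed_end:]              # everything added after signing
        findings.append({
            "signed_end": signed_end,
            "trailing_bytes": len(tail),
            "updates_after_signing": tail.count(b"%%EOF"),
            "objects_after_signing": len(INDIRECT_OBJ.findall(tail)),
            "covers_whole_file": off1 == 0 and not tail.strip(),
        })
    return findings

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes with a dummy signature; not a real signed PDF."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents <"
    sig = b"00" * 16                          # placeholder hex, not a signature
    end = b" >>\nendobj\n%%EOF\n"
    br = b" /ByteRange [0 %08d %08d %08d]"    # fixed width keeps offsets stable
    gap_start = len(head) - 1                 # index of '<'
    gap_end = len(head) + len(sig) + 1        # index just past '>'
    len2 = len(br % (0, 0, 0)) + len(end)     # bytes signed after the gap
    return head + sig + b">" + br % (gap_start, gap_end, len2) + end + appended

if __name__ == "__main__":
    update = b"3 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"  # constructed update
    for label, pdf in (("as signed", build_sample()), ("updated", build_sample(update))):
        for finding in audit_signed_pdf(pdf):
            print(label, finding)
```

Trailing bytes are a reason to review the document, not proof of tampering, since annotations and form filling are permitted after signing. Objects stored in compressed object streams are not counted by this plain byte scan.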
As shown in the report's summary table of test results, only three applications are fully compliant and not vulnerable to shadow attacks. Nine applications are partially vulnerable, while the rest are fully vulnerable. It is interesting to know that fifteen out of twenty-seven applications are vulnerable to at least one type of shadow attack.
How to Avoid a Shadow Attack?
At least today, a shadow attack is not an easy cyber-attack for a cybercriminal, as it requires in-depth knowledge of the above methods as well as internal information about the organization targeted.
Let me list a few precautions to avoid such attacks.
- The first precaution is to always keep application software updated, as updates include security fixes for the latest cyber-attacks.
- Do not use pirated application software or operating systems; always invest in licensed software tools.
- To carry out a shadow attack, an attacker first needs to steal your PDF and can only then prepare the attack. The best option is not to become a victim of phishing attacks.
- Adopt proper cybersecurity policies for your organization.
- Keep an eye on possible insider attacks, where the attacker can be any of your employees or stakeholders.
- In my view, to a certain extent, even verbal or other communication between the parties, in line with the content specified in the digitally signed documents, can avoid a communication gap between them. This denies a favorable environment to cybercriminals who attempt shadow attacks using their different techniques.
Always read the latest cyber-attack news; it really helps.
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He did Executive Management (SJMSOM, IIT-Bombay), after Engineering in Electronics & Telecommunications, Mumbai. He is also certified for "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is lead contributor to GrassDewPanther @ LinkedIn which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot-seller on Amazon.