day two of MCH 2022. As you probably all know, over the last few years, all over the world, electronically signed artifacts, let's call it that, became commonplace, even in emerging digital countries like Germany. But if you combine these with dynamic content, this usually leads to disaster. So instead of screaming into the void, please welcome on stage Kirils to talk about how all e-signatures in the world are broken.

Thank you. Thank you, everybody. So the last presentation I did before COVID, or was going to do before COVID, was actually called Travel for Hackers: how to travel the world easily. And then for three years, we were all stuck wherever we were. So this is my first presentation abroad since COVID. Hope I'm not too rusty. Anyway, this is me. If you can see the screen, I sure can't. I work in a couple of places, but most importantly, I am a hacker. Even though I do manage my own company on a day-to-day basis, I still like to hack. Many of the things I'm going to talk about are available on my presentation site, Kirils.org, if you want to take a look at them later on.

Some of the research that I've done in the past and that I'm currently involved in, besides this presentation here: in 2017, when Google published their research on SHAttered, where they practically demonstrated collisions of one function, I took the opportunity to show the Latvian government that it's a thing. And those of you who took a look at the exploit that Google created: even though they did not initially publish the tool they used to do that, it was really easy to repurpose it and basically create any two different PDF documents with the same SHA-1 sum. A different project that we're working on right now is Verbal Security. It's a cool project. You're probably going to hear about it in a year or two when we're done with it; we're trying to make sure that the devices that people are safe. Anyway, this talk here, there's a really important thing I want to communicate here.
Now, most of you here are hackers. I would guess many of you are technical. I'm hoping that we do have some management people, if not in the room. Yeah? Ah, there we go. Then online as well. And with this talk, I want to bridge the gap between the technical people and the management people because, as you will see, that is what I think we need to actually fix the problem. And the problem isn't new on a technical level. It's been discussed on different mailing lists as long as 10 years ago, but we decided to revisit the problem because of COVID, right? And during COVID, as the Herald Angel told you, we did have people using more and more digital technologies: people, companies, government agencies that did not use them before. And that kind of brought up this problem.

So for the management people online and in the room, how do signatures work? Can you actually see that? You can, oh yeah, you have smaller screens. That's good. Basically, we take data, we hash it using, for example, SHA-1, or maybe a more secure version of it. And then we sign it using a cryptographic function; we use a public and private key to sign it and then verify it, right? And the certificate is what proves that you are you. Government could, for example, give out a certificate to every person and then they could sign it. So what we are actually signing is the hash, not the actual document, right? But what's more important for this presentation and this vulnerability is: we are hashing the bits. We are hashing the bits in the file. We are not actually signing what we see on the screen. And that's basically the whole concept here. Even though we may see one thing, the same bits might later turn out to be something else.

Now, there are many different schemes that can be used for signing. In the European Union, some of the most popular ones: we have PDF with embedded signatures, I hate it, but it's there. We have ASiC-E, which is a container.
In Latvia, we also have EDOC, which is basically the same; the overall structure is the same. Now, since this is a container or a compound file, we can actually take a look inside it, and it's really easy to see how it works. But one more thing with compound files is that you can put anything in it. And it's not a hacker thing. It's not that you can hack the government, you can hack the system, and you can sign, let's say, a JPEG or you can sign an .mp3. It's intentional. The European Union strongly holds that for ASiC-E containers, citizens should be able to sign any data. And that opens a huge Pandora's box, in my opinion. For example, I could sign, let's say, an ISO file, and an ISO file can be interpreted in many different ways, as you know. I could even sign an ELF file, a program that every time you launch it displays different content, a different document. And it is perfectly legal, just because in real life this is much more complicated than just having a document.

Now, that's where dynamic content comes in. Dynamic content are files, signed or non-signed files, where the representation changes due to some factors without the bits changing. For example, we could use dynamic OLE objects in Word documents. Dynamic OLE objects are these things where you can put in a formula, or you can put in a different dynamic perspective into the object, and it basically changes every time you open the file. It can even change while the file is open, like this file right here. That's a GIF, obviously, right? We all remember GIFs from, or GIFs, if you're in that part of the debate, we all remember those from 20, 30 years ago, of course. But what you can do is, obviously, you can make the first frame stay there for 20 seconds, for 10 minutes, for maybe even longer. I'm not sure what the max is there for that one. So it can change after a while. We also have static object pre-renders, going back to office documents.
Now, most office standards, including DOCX by Microsoft, support or rather demand that when you use any new features that you embed in the document, the program you use to make the file also creates a preview, which is basically a static graphic file for that object. Now, when you open such a document with modern software, the object loads. If you open it with old software that doesn't support it, you see the preview. Obviously, LibreOffice, Microsoft Office, they generate that automatically, but if you go inside the file, you can change it manually, and then you get different things for different viewers.

Now, remote content is super interesting. Remote content means, just as in HTML pages, you can load a remote image, for example, or a remote iframe in your document. So you open it up, and it loads from the internet. And not only can you actually get dynamic content that way, you can also, of course, track the document being opened, and you can also decide what is going to be displayed after sending the document, right? Instead of thinking ahead, you just have this link, and then in a year or two, you just change the content. So those are all real attacks, right? And these are for classic document formats. For other formats like GIF or ELF, that I mentioned, you can go even further. I'm gonna show you how it looks. And once again, it all works because we signed the bits, not what we see on the screen.

So I have a couple of things here. First of all, the GIF file, of course. It's 613 bytes, so it's less than half a kilobyte, just a GIF, right? For this one here, I made it change in 20 seconds. Of course, you could have text on it, and so on. Now, let's take a look at the dynamic content. Here's the docx, right? If I open it up, it's not signed. The file is inside. If I open it up, it opens on my other screen. But basically, what we have here is a sentence. And we didn't spend the time to actually make it look believable, right?
But basically, what happens here is it says, John will pay Peter this amount of money, right? John will pay Peter. If we close the document right here, and we try opening it again, we once again have John will pay Peter. And if we open it again, we have Peter will pay John, right? So this document could be signed, and we actually signed it and sent it to the government just to prove the point. And then it's hard to know what happens afterwards, right?

How it's happening is quite easy. I extracted the docx here. As you know, docx files are also compound files, which means you can just rename them to .zip and open them up. And this is what's inside, right? So if we take a look here, we have these embeddings, right? And it's basically just an Excel file in this case, which has this great formula right here, which randomly chooses one of the things. Let me show you. Oops. Well, okay. Yeah, so it randomly chooses one of the cells and it works. That's how we get the simplest forms of dynamic content.

Now, let's look at the actual signatures, right? What happens with that? Once again, since we're signing bits, it doesn't really matter. But if we open it up, it looks quite spectacular. So here we have the pre-signed document. I signed it with dynamic content. And this is the most popular standalone app that we use back in Latvia. I have signed it here. If I press validate, it's fully valid, right? And if I try to extract the docx file, it's the same docx file. Just for the ability, I'm gonna do that right now, of course, for you. So we have an empty folder here. Gonna, not gonna work that way. Gonna export it into this folder here. Okay. And there it is. And once again, this is the same file, right? It says Peter owes some money to John. And if you open it once again, it will say John owes some money to Peter. Right. The other thing was the static preview.
With the static preview, we opted to create a demo that will actually allow us to differentiate the kind of app, in a way, that's being used, without it connecting to the internet or any analyzing servers. And the second file here. If you open it here with the official tool once again, what we're gonna see is, we're on screen again, what we're gonna see is it has a preview function. And if you open it up, it actually says right there, can't see that. It actually says right there, in bold on the second line, this document is opened with this specific program. And we're gonna say that always, every time you open it. But if we extract it, we will see that it's opened in the normal way. And this is because of the preview function that is trapped previously, right? So this is the preview once again. And if we export it, and this is the other file, and we open it normally, it says this document is opened normally, right?

So that's the problem, right? But technically, it's not that interesting. I mean, it was super easy to think of the exploit. It was quite easy to create the files. And it's not like it's a vulnerability. At least the government doesn't think it is. Now, of course, this also works for other signature schemes, like for example GPG or LibreOffice built-in signatures.

Now, the question is, does it really matter? Is it really a problem? And this is the part of my presentation where management people will feel at home. So for management people, what I've learned over the years is, it's not always the technical vulnerability. Is it there or is it not there? The mic is not working too well. Is it there or is it not there? Rather, what's important is, what happens if we exploit it? Can it be exploited and can we accept the risk? Now, does this really matter here? Well, the tampering that I demonstrated is apparent.
So it tends to argue that if me and you signed an agreement like that and then I try to screw you over, you could go to court and an expert in court could tell this document was tampered with in this way. It's not valid, even though we signed it. And problem solved, right? Because we do have fraud prosecution and that's what the government is betting on right now. So they will not fix it. I tried talking to different people. I contacted the local Latvian CERT, we got the government involved, the departments responsible for digital signature safety. We even got European partners involved. Most of the European partners didn't want anything to do with it. They wouldn't touch it with a stick. It's like, let's not talk about that. It's not a problem, right? See previous slide. Court will figure it out. So we talked and talked and talked and it didn't work. No one cared. In Latvia, we did do a coordinated release of information to the general public, to developers, about this risk, but it didn't really take off. Because it's not a problem, right?

But now, what if we could make a document dynamic, but at the same time, if someone were to look at it in a court of law, they could not necessarily prove that it's been prepared specifically that way? Now, what I'm thinking here, of course, is remote content. And emails, we do use email. I have remote images turned off. 99% of email users don't. HTML, we have remote images loading from websites. So it's not inconceivable to convince the court that that's how your document department created the document. We just have this remote image there. It doesn't mean it's fraud, right? We use that for emails. It makes sense. So there is this potential problem with that.

The other part is, because this problem cannot be solved technologically and it cannot be solved politically, one party cannot solve it.
We are thinking, always when we find a vulnerability or when we just write an exploit for an old vulnerability like in this research here, we try to think, okay, we need to propose a solution, but we couldn't find any technological solution. And politically, they can't do anything about it either. So we need to work together to be able to fix this. One proposal, the main proposal that we had, the one I personally like the best, is: okay, if the European Union wants to allow the citizens to sign MP3 files or .exe files or malware samples, it's okay. We can leave that, but we need to create a new scheme specifically for signing documents, because what people sign is what they have in front of them. We shouldn't be signing bits. We should be signing what we see on the screen, and that is why we cannot fix it just by one party working, right? If we just change the technological part, then the EU and some people are mad that they cannot sign MP3s. If we just change the political part, the technical vulnerability is still there. So that's the main problem there, and that is my proposal for how to deal with that thing over there.

And I'm ready for Q&A here. If anyone has anything to suggest, I know that at the conference we usually don't appreciate comments instead of questions, but since the tent here is only about one half full, I would love to hear from you. If you've been working with digital signatures or if you've been working on that before, that'd be really great, because I have, I mean, I tried, we published this exactly a year ago, last July, and it's not fixed. Thank you.

Thank you, Kirils. Just a second, thanks for queuing up. Do we have any questions from the internets? No questions from the internets. So please, the front mic, please.

Have you found any ways to explore this with PDF and PDF/A specifically? The newest PDF formats also have dynamic content in them.

Yes.
Our workaround solution that we propose to our partners and customers is that we use PDF version one with only a static JPEG in it. So that's how we do it right now. But modern PDFs can have dynamic content as well, yes.

Do you know if PDF/A already is the restricted format that you would need?

That is the safe format, I believe. We didn't find anything in there.

The back mic, please. Please talk very closely to the microphone. Thank you.

Yeah, it's not a question, it's only a comment. You mentioned politicians and such documents which are digitally signed. But in reality, nobody knows what a digitally signed document is. Nobody uses it. For example, a couple of politicians in Austria, Germany and Spain answered an email coming from Ukraine. It was Vladimir Klitschko and it was only a video screen. And nobody knows, or only some detected. That's not a question, it's only a comment.

Thank you so much for the comment, yes. Maybe I am ahead of my time here. Maybe I'm talking about a problem which is a bit more complex than the actual problems that the users are facing. And I'm going to open up the signature application again. Actually, for the customers, in some of the trainings we do, we include a slide on how to verify an e-signature using the official app. And it's still a problem. So if I open one of the, it doesn't matter if it's dynamic, if it's tampered or not, if I open one of the documents. What we do is we open it up and we show it to them and we ask them, okay, so this is a screen. Is this document valid? Is the signature only valid? Most of you probably have never used the app. What do you think? Is the signature valid? How many of you think this is a valid signature that will, you don't trust me, do you? How many of you think it's an invalid signature? Okay, some more people. How many of you don't know? Oh, good. You're really smart. So the thing is, this is the official tool. It's the newest version of the official tool. We've had it for 10 years, I think.
And you open up the document, it will not say if it's valid or not. You have to press the validate button. And only then, the blue thingy on the left bottom changes into a green thingy. That's how the app works. They never, they aren't updating at NOI. So yes, thank you for the comment. And we do have lots of these problems with these signatures. And the real question, I guess, is how do we make it so that it's easy to use, but at the same time that people can trust it, right? Because it's easy to make a phone app that just displays a green check mark. And they have a bunch of those in different fields. But what if I make a similar phone app that displays the same check mark? So trying to communicate the bits in the computer memory to a human user who is not IT savvy is always going to be a challenge, I believe.

All right, do we have any more questions from the internet? No, no questions from the internet. But someone lined up to the microphone in the front. Thank you.

Question: could you actually replace a document which is signed? So if I got a signed document, could you replace the document behind it?

Thank you for the question. So the attack I'm talking about here talks about prepared documents. Two kinds of those: those where a court, in my opinion, could tell that it's been specifically maliciously prepared, and those where a court couldn't conclude that conclusively. There is an attack from 2017 by Google called SHAttered. But even there, for a limited amount of computing resources, you would need to maliciously prepare the document for it to be completely replaced. And they work with hash sums over there, meaning that we have two completely different pages which have the same hash. Now, for vulnerable hash sums, it is also possible, of course, to replace it post factum, right? If the hash is broken, and we can generate, for a known input, for an output hash, we can generate arbitrary input. We can, of course, replace it with anything all the time, right?
So in that sense, these documents, let's say, I'm just guessing, in 50 years, in 100 years, they will be worthless, because people will be able to use these old hash algorithms and generate collisions, I believe.

And one more. So you say we wanna sign what we see, actually. So would you say that a signed bitmap is okay, that this should be valid?

Yes, that's exactly, that's exactly the direction we're going in, right? If we had the political tools, if I can call it that way, to create a new format, and it is a political question, right? Then we would probably go for bitmap. That's the easiest, right? There are some strange things in there as well. I don't believe you can have transparency in bitmap, right? But there are different bitmap formats that you can use. Yes.

Yes, please, mic one.

If you want to reduce the whole problem to just having static images to show what you sign, you still have the problem that you need to trust the program that displays the image, and the hardware that the image gets displayed on. So all of that, I mean, it's reduced to only experts can really work with signed data, because they have to understand the whole system. And you can't really trust just consumers to understand the subtleties of a system. I think that's the core of the problem.

Right, so it makes you think if, with electronic signatures, we kinda skipped the part that we are now debating for electronic voting, for internet voting, right? Everyone except Estonia, at the moment, thinks that internet voting is not the brightest of ideas, and we aren't using it. Now for e-signatures, what the audience, what you are telling me today, I feel like maybe we just slept and didn't notice that that's happening, because all that is true, of course.

Right, once more to the Signal Angel. No questions from the internet, unfortunately. Okay, that's fine. And any other questions from the audience?
We still got a few minutes left, so feel free to bother him with anything.

So it's broken, but how do we fix it? That's the question, right? Because I'm gonna repeat once again what I said in the presentation. It is not that big of a problem in the eyes of the management, and at the same time, it is kinda hard to fix.

Front mic.

Yes, so if you just allow static content to be signed, so let's say just text, and make sure you use a secure algorithm, because if the algorithm is broken, everything's broken, wouldn't that solve the problem? And of course, make sure the chain of trust is complete, so safe CPU, safe hardware, safe everything.

Yeah, that would solve the problem out of the presentation, right? But people want and they actually need images or representations when signing some contracts. You can't just have basic text, right?

And if you have just static images that cannot change, do not allow dynamic content.

Yeah, yeah. From a technical perspective, that's great. The problem is, right, the EU is a slow beast. Yeah, thanks.

Any evidence of real-world tampering has been found?

Yes, I'm not sure if I can say more than that, but as feedback from the people we contacted, we got info that there has been a limited amount of tampering. I think I can name the numbers. So for a country of approximately two million people, I believe it's about two cases per five years.

And did it get solved in court?

Police solved it. So yes, fraud protection. Final thing I'd like to add, please, if you have any contacts in the government or the formal non-hacker world, talk to them about this. We need more allies outside of Latvia and maybe we can fix it together. Thanks.

All right, and with that, thanks very much, Kirils.
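The talk's point is that the signature covers the bytes, so a valid signature says nothing about whether the rendering is stable. A verifier can at least surface the indicators the talk demonstrates before trusting what is on screen. The following scanner is an added example and is not code from the talk or from any Latvian or EU signing tool: it walks a zip-based container (a .docx, or an ASiC-E/EDOC-style archive that carries one) and reports embedded objects, a live OLE object paired with a static preview image, volatile spreadsheet formulas such as the RANDBETWEEN trick behind the John/Peter demo, and relationships that load remote content. The OOXML paths and the `TargetMode="External"` attribute are the real package conventions; the sample containers are constructed in memory for the demonstration, the signature XML inside them is a stub, and the regex-based XML handling is a simplification rather than a full OOXML parser.

```python
"""
Scan a zip-based signed container for dynamic-content indicators.

The signature over the bytes stays valid in every case reported here; these
are the things a verifier should surface before trusting what is rendered.
"""
import io
import re
import zipfile

# Spreadsheet functions recalculated on every open, so an embedded workbook
# can render differently each time without a single byte changing.
VOLATILE = re.compile(r"\b(RAND|RANDBETWEEN|NOW|TODAY|INDIRECT|OFFSET)\s*\(", re.I)
# OOXML relationship that points outside the package (remote image or link).
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
ATTR = re.compile(r'\b(Id|Target)="([^"]*)"')
WORD_OBJECT = re.compile(r"<w:object\b.*?</w:object>", re.S)


def scan_container(data: bytes, prefix: str = "") -> list:
    """Return 'kind: location' findings; nested zips are scanned recursively."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            where, blob = prefix + name, z.read(name)
            if "/embeddings/" in name:
                findings.append(f"embedded-object: {where}")
            if name.endswith(".rels"):
                for tag in EXTERNAL_REL.findall(blob.decode("utf-8", "replace")):
                    a = dict(ATTR.findall(tag))
                    findings.append(f"external-link: {where} {a.get('Id')} -> {a.get('Target')}")
            if name.endswith(".xml"):
                text = blob.decode("utf-8", "replace")
                # A <w:object> holding both the live OLE object and its static
                # preview: old and new viewers show two different renderings.
                for obj in WORD_OBJECT.findall(text):
                    if "<o:OLEObject" in obj and "<v:imagedata" in obj:
                        findings.append(f"ole-with-preview: {where}")
                for m in VOLATILE.finditer(text):
                    findings.append(f"volatile-formula: {where} {m.group(1).upper()}")
            if zipfile.is_zipfile(io.BytesIO(blob)):
                findings.extend(scan_container(blob, where + "!"))
    return findings


def _zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes-or-str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_asice() -> bytes:
    """Constructed sample, not a real signed file: an ASiC-E-style container
    wrapping a docx that embeds a workbook whose cell picks a sentence at
    random (the John/Peter demo), keeps a static preview of that object,
    and links an image from a remote host. The signature XML is a stub."""
    workbook = _zip({"xl/worksheets/sheet1.xml": (
        '<worksheet><sheetData><row r="1"><c r="A1" t="str">'
        '<f>CHOOSE(RANDBETWEEN(1,2),"John pays Peter","Peter pays John")</f>'
        '<v>John pays Peter</v></c></row></sheetData></worksheet>')})
    docx = _zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": (
            '<w:document><w:body><w:p><w:r><w:object>'
            '<v:shape><v:imagedata r:id="rId2"/></v:shape>'
            '<o:OLEObject Type="Embed" ProgID="Excel.Sheet.12" r:id="rId1"/>'
            '</w:object></w:r></w:p></w:body></w:document>'),
        "word/_rels/document.xml.rels": (
            '<Relationships>'
            '<Relationship Id="rId1" Type="package" Target="embeddings/oleObject1.xlsx"/>'
            '<Relationship Id="rId2" Type="image" Target="media/image1.emf"/>'
            '<Relationship Id="rId3" Type="image" '
            'Target="http://example.invalid/banner.png" TargetMode="External"/>'
            '</Relationships>'),
        "word/embeddings/oleObject1.xlsx": workbook,
        "word/media/image1.emf": b"\x01\x00\x00\x00",
    })
    return _zip({"mimetype": "application/vnd.etsi.asic-e+zip",
                 "contract.docx": docx,
                 "META-INF/signatures0.xml": "<asic:XAdESSignatures/>"})


def build_clean_asice() -> bytes:
    """Constructed control: the same wrapper around a docx with plain text only."""
    docx = _zip({"[Content_Types].xml": "<Types/>",
                 "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>"
                                      "John will pay Peter 100 EUR.</w:t></w:r></w:p></w:body></w:document>",
                 "word/_rels/document.xml.rels": "<Relationships/>"})
    return _zip({"mimetype": "application/vnd.etsi.asic-e+zip",
                 "contract.docx": docx,
                 "META-INF/signatures0.xml": "<asic:XAdESSignatures/>"})


if __name__ == "__main__":
    for finding in scan_container(build_sample_asice()):
        print(finding)
    print("clean container findings:", scan_container(build_clean_asice()))
```

Run against the constructed sample, the scanner reports four findings, each prefixed with the nesting path (`contract.docx!word/...`), while the plain-text control produces none. The check is deliberately one-sided: a finding means the rendering of a signed file can depend on the viewer, the clock or a remote server, so a human should look at the raw content before relying on the green check mark; an empty result does not prove the document is static, since other formats the talk mentions (animated GIFs, ELF binaries) need their own checks.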