Hardware Security Modules (HSMs) are tamper-resistant, special-purpose computers that protect the most sensitive cryptographic key material in an organisation. They are used for security-critical applications such as electronic payment, PKI, inter-bank transfers, and PIN management in the cash machine network. At Cryptosense we produce software to audit the application programming interfaces (APIs) of these devices and find security flaws. A natural question is: do these systems really ever suffer breaches? Don’t attacks happen elsewhere?
In this article, we’ll look at two major breaches of critical applications secured by HSMs for which the details have become more or less public: the Dutch Certification Authority (CA) DigiNotar, and the payment processor RBS Worldpay.