Digital Signatures Can Be Forged in PDF Docs

Researchers at the Ruhr-University Bochum in Germany have figured out three different ways to forge digital signatures in PDF documents.

The fakes will be treated as genuine on 21 of 22 desktop PDF viewer apps (running on Windows, MacOS and Linux) and five out of seven online PDF digital signing services. These include well-known apps, including Adobe Acrobat Reader, Foxit Reader and LibreOffice, as well as online services like DocuSign and Evotrust.

Summarizing their six month-long research in a paper and a blog, the researchers note they have been working with Germany's Computer Emergency Response Team (BSI-CERT) to responsibly disclose the results to affected service providers.

Signatures to PDF documents have come to be accepted in legally binding contracts since President Clinton signed the eSign Act. In 2014, the EU issued a regulation that gave such documents legal status in the EU as well.

Adobe has said that it processed 8 billion such signatures in 2017. The researchers found three major attack methods.

The first is Universal Signature Forgery (USF). This is a way for attackers to game the signature verification process so that it will display a fake panel/message that the signature is valid.

The second is Incremental Saving Attack (ISA). Here, attackers will add content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking what has already been saved for the signature of that document.

The last is Signature Wrapping (SWA). Similar to ISA, it will fool the signature validation process into "wrapping" around the attacker's additional content. This means the content added (the incremental update) has been digitally signed.

The researchers found that there were two root causes why this sort of spoofing could be carried out.

First, they said, "The specification does not provide any information with concrete procedure on how to validate signatures. There is no description of pitfalls and any security considerations. Thus, developers must implement the validation on their own without a best-common-practice information."

Secondly, they found "The error tolerance of the PDF viewer is abused to create non-valid documents bypassing the validation, yet correctly displayed to the user."

They came up with a verification algorithm. It's a concrete approach on how to compute the values necessary for the verification and how to detect manipulations after signing the PDF file. The specified algorithm must be applied for each signature within the PDF document. As an input, it requires the PDF file as a byte stream and the signature object.

The approach will only work on the last revision that has been done to a PDF document, and does not verify any signatures that may have been done previously to that final revision.

This problem can be serious, and enable some massive financial frauds. It is incumbent on the security team to verify that they have patched all applications affected, and that they are using services that have taken this problem seriously.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.