Keysight’s Application and Threat Intelligence (ATI) research team has uncovered a novel Transport Layer Security (TLS) handshake exploit that uses protocol-compliant behaviour to evade traditional network defenses.
This newly discovered covert channel allows attackers to manipulate TLS handshake packets by simply rearranging parameter settings, without injecting malicious code, making detection by firewalls and intrusion prevention systems nearly impossible.
By leveraging the flexible, permutation-friendly structure of TLS Client Hello packets, attackers can exfiltrate data or establish command and control (C2) communications, all while remaining invisible to most security tools.
Exploiting encryption protocols like TLS
Adversaries are exploiting the very design flexibility of widely used encryption protocols like TLS
This finding highlights how adversaries are exploiting the very design flexibility of widely used encryption protocols like TLS.
“The discovery of this novel covert channel that leverages legitimate TLS protocol behaviours for malicious purposes is a game changer,” said Ram Periakaruppan, Vice President and General Manager of Network Test & Security Solutions at Keysight.
“It helps shift the balance of power back to cyber-defenders.”
Robust testing
The average breach costs $4.88 million and takes over 250 days to contain
The prevalence of TLS encryption in nearly every internet-connected system makes this exploit especially dangerous.
According to IBM’s 2024 Cost of a Data Breach Report, the average breach costs $4.88 million and takes over 250 days to contain, amplifying the need for early detection and robust testing. This isn’t just another update, it’s a vital breakthrough.
At the recent Silicon Valley Cybersecurity Conference, Keysight presented its findings, offering the first opportunity for the security community to learn about this previously unknown class of threats. The presentation earned the Best Paper Award, underscoring its significance as a major advancement in cybersecurity research.
Security innovation
With this discovery, Keysight continues to lead the charge in security innovation, helping enterprises, service providers, and network equipment manufacturers confidently validate that their infrastructure is protected against even the most evasive and cutting-edge threats.
To help organisations proactively mitigate this unprecedented threat, Keysight has integrated the TLS covert channel exploit into the latest ATI update of its network application and security test solutions. This enables organisations to:
- Emulate the TLS exploit in a controlled lab environment
- Validate whether their defenses can detect and block the attack
- Measure performance impacts of mitigation strategies, before deploying them in production
“Cybersecurity is a constant race to stop new and emerging attacks while also maintaining the network performance that users demand,” said Periakaruppan.
“Our ATI research team worked tirelessly to uncover this covert exploit. By quickly integrating it into our products, we are empowering our customers to proactively test their systems’ ability to both defend against this threat, and maintain system performance, before attackers can gain widespread traction.”
Understand how converged physical and cybersecurity systems can scale protection.
