Thankfully, Matthew Green has prepared a short list covering a subset of such failures - specifically cryptography flaws that were exploited by non-government attackers.
The following is from Matthew Green's blog:
Over on Web 1.0, Steve Bellovin is asking an interesting question:
Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography? I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries. I'm not interested in academic attacks -- I want to be able to give real-world advice -- nor am I looking for yet another long thread on the evils and frailties of PKI.Here are a few of the responses that sound pretty reasonable. They're (mostly) not mine, and I've tried to give credit where it's due:
- Cases of breached databases where the passwords were hashed and maybe salted, but with an insufficient work factor enabling dictionary attacks.
- NTLMv1/MSCHAPv1 dictionary attacks.
- NTLMv2/MSCHAPv2 credentials forwarding/reflection attacks.
- The fail0verflow break of poorly-nonced ECDSA as used in the Sony PlayStation 3.
- Various AACS reverse-engineering efforts.
- The HDCP master key leak.
- GSM decryption, which seems to have gone beyond the academic, but I have no specific knowledge of attacks "in the wild".
- Factoring of the Texas Instruments 512-bit firmware signing key for calculators, and Elcomsoft's factoring of the Quicken backup key.
- Key recovery in WEP.
- Exploits on game consoles: the original XBox, Wii software signing.
I'm not sure I would categorize all of the above as cryptography flaws (for example, CSS was DeCSSed not because of any weakness in the cryptography but because it was trivial to reverse engineer CSS from a specific implementation). To the above list I can add the following from memory:
12. Mifare Classic
13. The ASP.net padding oracle exploit
14. The MD5 collision attack [PDF] on certificate authorities
15. This brute force attack [PDF] on the Nagravision analog video scrambling algorithm
16. G Stor Plus proprietary encryption [German article]
17. Car immobilisers
I'm sure there's much more. For example, Thomas Ptacek and Michael Tracy gave four real world examples of attacks on web application security failures due to cryptography flaws in their "Crypto for Pentesters" session at BlackHat US this year, though they didn't reveal the details of the web applications that were vulnerable to these attacks.
This list is a nice start for a security failures database - and I'm considering being that "Someone". So if you can think of other security systems that failed due to cryptographic flaws, please use the comments below or send a message to my gmail account (security.fails.db).