Defeating the Secrets of OTP Apps

Transcription

1 Defeating the Secrets of OTP Apps M.A., M.Sc. Philip Polleit, Friedrich-Alexander-Universität, Erlangen Dr.-Ing., Michael Spreitzenbarth, Friedrich-Alexander-Universität, Erlangen 1

2 // Agenda Introduction Forensic Use Background Research Results Conclusion 2

3 // Introduction Information age requires secure authentication 3

4 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) 3

5 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) August 2013: Three Billion Yahoo Accounts affected 3

6 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) August 2013: Three Billion Yahoo Accounts affected April 2015: IS Hackers capture TV5Monde and spread own messages (password was readable on TV) 3

7 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) August 2013: Three Billion Yahoo Accounts affected April 2015: IS Hackers capture TV5Monde and spread own messages (password was readable on TV) July 2017: BKA reports database with 500 million stolen addresses (incl. passwords) 3

8 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) August 2013: Three Billion Yahoo Accounts affected April 2015: IS Hackers capture TV5Monde and spread own messages (password was readable on TV) July 2017: BKA reports database with 500 million stolen addresses (incl. passwords) May 2018: Twitter prompts users to change their passwords (as they saved these unencrypted). 3

9 // Introduction Information age requires secure authentication "Bitkom" sets damage caused by data theft at yearly 55 billion (2017, Germany only) August 2013: Three Billion Yahoo Accounts affected April 2015: IS Hackers capture TV5Monde and spread own messages (password was readable on TV) July 2017: BKA reports database with 500 million stolen addresses (incl. passwords) May 2018: Twitter prompts users to change their passwords (as they saved these unencrypted). > Weak PW (user) / unsalted Hashes (provider) 3

10 // Introduction 4

11 // Introduction 4

12 // Introduction 4

13 // Introduction lemotdepassedeyoutube 4

14 // Introduction 5

15 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented 5

16 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories 5

17 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) 5

18 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) Classic implementation is SecurID token from RSA 5

19 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) Classic implementation is SecurID token from RSA "Tokenless" MFA is implemented by software 5

20 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) Classic implementation is SecurID token from RSA "Tokenless" MFA is implemented by software Popular forms are so-called 2FA apps für smartphones that generate OTPs ("one-time password ) 5

21 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) Classic implementation is SecurID token from RSA "Tokenless" MFA is implemented by software Popular forms are so-called 2FA apps für smartphones that generate OTPs ("one-time password ) 5

22 // Introduction Multi-factor Authentication (MFA) provides options to overcome the risks presented Factors can be divided into three categories "Knowledge" (passwords, user names, PINs) "Being" (e.g. fingerprint, biometric features) "Possession" (hardware token, credit card, key) Classic implementation is SecurID token from RSA "Tokenless" MFA is implemented by software Popular forms are so-called 2FA apps für smartphones that generate OTPs ("one-time password ) 5

23 // Forensic Use 6

24 // Forensic Use Central question of any criminal procedure is Causality 6

25 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the 6

26 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime 6

27 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime Consideration literally stops at the keyboard 6

28 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime Consideration literally stops at the keyboard 2FA app examination puts the user (perpetrator) into focus 6

29 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime Consideration literally stops at the keyboard 2FA app examination puts the user (perpetrator) into focus Otherwise defense strategy could be: it wasn t me 6

30 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime Consideration literally stops at the keyboard 2FA app examination puts the user (perpetrator) into focus Otherwise defense strategy could be: it wasn t me However analyzing authentication process closes the gap 6

31 // Forensic Use Central question of any criminal procedure is Causality Computer forensic consideration proofs whether the court exhibit (i.e. PC) was used as an instrument of crime Consideration literally stops at the keyboard 2FA app examination puts the user (perpetrator) into focus Otherwise defense strategy could be: it wasn t me However analyzing authentication process closes the gap Chain of evidence could be closed 6

32 // Forensic Use 7

33 // Forensic Use 7

34 // Forensic Use 7

35 // Forensic Use

36 // Forensic Use

37 // Forensic Use

38 // Forensic Use

39 // Forensic Use

40 // Forensic Use

41 // Forensic Use

42 // Forensic Use

43 // Forensic Use

44 // Forensic Use 8

45 // Forensic Use 8

46 // Forensic Use 8

47 // Forensic Use

48 // Forensic Use

49 // Forensic Use

50 // Forensic Use

51 // Forensic Use

52 // Forensic Use

53 // Forensic Use FA 8

54 // Forensic Use FA 8

55 // Forensic Use FA 8

56 // Forensic Use FA 8

57 // Forensic Use FA 8

58 // Forensic Use 9

59 // Forensic Use FA 9

60 // Forensic Use FA 9

61 // Forensic Use FA 9

62 // Forensic Use FA 9

63 // Background 10

64 // Background Leslie Lamport formulated idea of using OTP in November

65 // Background Leslie Lamport formulated idea of using OTP in November 1981 S = H(r a ggkw), see RFC

66 // Background Leslie Lamport formulated idea of using OTP in November 1981 S = H(r ggkw), see RFC 2289 a Of central importance is the "shared secret" (ggkw), as an essential basis for calculating the OTP 10

67 // Background Leslie Lamport formulated idea of using OTP in November 1981 S = H(r ggkw), see RFC 2289 a Of central importance is the "shared secret" (ggkw), as an essential basis for calculating the OTP Three different types can be distinguished: time-controlled method challenge-response controlled method event-driven method 10

68 // Background Leslie Lamport formulated idea of using OTP in November 1981 S = H(r ggkw), see RFC 2289 a Of central importance is the "shared secret" (ggkw), as an essential basis for calculating the OTP Three different types can be distinguished: time-controlled method challenge-response controlled method event-driven method Security of the 2FA app strongly depends on integrity of the operating system 10

69 // Research 11

70 // Research The samples (2FA apps) were examined whether they 11

71 // Research The samples (2FA apps) were examined whether they 11

72 // Research The samples (2FA apps) were examined whether they analyse the environmental-integrity during setup 11

73 // Research The samples (2FA apps) were examined whether they analyse the environmental-integrity during setup encrypt the shared secret (and how) 11

74 // Research The samples (2FA apps) were examined whether they analyse the environmental-integrity during setup encrypt the shared secret (and how) allow cloning of the database (with stored secrets) 11

75 // Research The samples (2FA apps) were examined whether they analyse the environmental-integrity during setup encrypt the shared secret (and how) allow cloning of the database (with stored secrets) disclose secrets due to network-traffic caused 11

76 // Research The samples (2FA apps) were examined whether they analyse the environmental-integrity during setup encrypt the shared secret (and how) allow cloning of the database (with stored secrets) disclose secrets due to network-traffic caused enable stealing of shared secret 11

77 // Research 12

78 // Research Examination procedure 12

79 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) 12

80 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore 12

81 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) 12

82 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) Record network-traffic during execution 12

83 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) Record network-traffic during execution Re-backup after execution and configuration 12

84 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) Record network-traffic during execution Re-backup after execution and configuration Calculate the differences of both snapshots 12

85 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) Record network-traffic during execution Re-backup after execution and configuration Calculate the differences of both snapshots Analysis of the collected data 12

86 // Research Examination procedure Determine most popular 2FA apps (cf. downloads) Install the apps via Google PlayStore Save "zero evidence" with a script (before execution) Record network-traffic during execution Re-backup after execution and configuration Calculate the differences of both snapshots Analysis of the collected data Verification of the results using tests in AVD 12

87 // Results Sample: Google Authenticator 13

88 // Results Sample: Google Authenticator 42:GA philip$ adb pull /data/data/ com.google.android.apps.authenticator2/databases/databases/ 42:GA philip$ sqlite3./databases "select * from accounts" > google_authenticator_secret.txt 42:GA philip$ cat google_authenticator_secret.txt 1 Dropbox rffl4xngz3bzhe5g7fhji4rzra Dropbox 42:GA philip$ 13

89 // Results Sample: Google Authenticator 42:GA philip$ adb pull /data/data/ com.google.android.apps.authenticator2/databases/databases/ 42:GA philip$ sqlite3./databases "select * from accounts" > google_authenticator_secret.txt 42:GA philip$ cat google_authenticator_secret.txt 1 Dropbox rffl4xngz3bzhe5g7fhji4rzra Dropbox 42:GA philip$ 13

90 // Results Sample: Google Authenticator 42:GA philip$ adb pull /data/data/ com.google.android.apps.authenticator2/databases/databases/ 42:GA philip$ sqlite3./databases "select * from accounts" > google_authenticator_secret.txt 42:GA philip$ cat google_authenticator_secret.txt 1 Dropbox rffl4xngz3bzhe5g7fhji4rzra Dropbox 42:GA philip$ 13

91 // Results Sample: Duo Mobile 14

92 // Results Sample: Duo Mobile 42:Duo philip$ adb pull /data/data/com.duosecurity.duomobile/files/ duokit/accounts.json 42:Duo philip$ cat accounts.json [ { "name": "philipevalu@wegwerf .info", "otpgenerator": { "otpsecret": "HVWB64JEXHST5XG2RG5J5NFWCI" }, "logouri": "android.resource://com.duosecurity.duomobile/drawable/ ic_dropbox" } ] 14

93 // Results Sample: Duo Mobile 42:Duo philip$ adb pull /data/data/com.duosecurity.duomobile/files/ duokit/accounts.json 42:Duo philip$ cat accounts.json [ { "name": "philipevalu@wegwerf .info", "otpgenerator": { "otpsecret": "HVWB64JEXHST5XG2RG5J5NFWCI" }, "logouri": "android.resource://com.duosecurity.duomobile/drawable/ ic_dropbox" } ] 14

94 // Results X = Yes; O = No; - = unwanted behavior; + = wanted behavior 15

95 // Results 16

96 // Results Security implementations vary greatly 16

97 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 16

98 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 12.5 % of the apps only use other notation 16

99 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 12.5 % of the apps only use other notation Security strongly dependent on OS 16

100 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 12.5 % of the apps only use other notation Security strongly dependent on OS 56 % of the apps allow copying the DB 16

101 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 12.5 % of the apps only use other notation Security strongly dependent on OS 56 % of the apps allow copying the DB Only about 1/5 of the apps offer PIN protection 16

102 // Results Security implementations vary greatly 50 % of apps do not encrypt shared secret 12.5 % of the apps only use other notation Security strongly dependent on OS 56 % of the apps allow copying the DB Only about 1/5 of the apps offer PIN protection Only 44 % do not generate network traffic 16

103 // Conclusion 17

104 // Conclusion Pro 2FA-App 17

105 // Conclusion Pro 2FA-App Comprehensive use of 2FA is recommended 2FA app reduces number of devices to carry SM have more (transparent) data/sensors 17

106 // Conclusion Pro 2FA-App Comprehensive use of 2FA is recommended 2FA app reduces number of devices to carry SM have more (transparent) data/sensors Pro HW-Token 17

107 // Conclusion Pro 2FA-App Comprehensive use of 2FA is recommended 2FA app reduces number of devices to carry SM have more (transparent) data/sensors Pro HW-Token HW token self-sufficient -> no area of attack via remote "Stealing" the "shared secret" undermines factor property 2FA apps persuade to use a single device only Spread of specific malware threatens 2FA apps FIDO-Alliance combines secure hardware and PKI 17

108 Thank you for your attention Philip Polleit Questions? 42! 18