Academics Claim Google Android 2FA Is Breakable

totalcaos writes: Attackers who control the [browser on the] PC of a user consuming Google services (Gmail, Google+ etc) can surreptitiously push and activate apps on the user's mobile device, bypassing SMS-based two-factor authentication (2FA) via the phone. How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication is a paper that explains the wider issues of phone-based 2FA. Herbert Boss, professor of systems and security at Vrije Unversiteit Amsterdam, who co-authored the mobile security paper with the two PhD students, disclosed the vulnerability to Google but they "still [refuse] to fix it."

duplicate

https://it.slashdot.org/story/...

Well yeah?

if u dont secure ur box ur gonna get hacked android is no exception esp if u have weak passwords

Fixable by phone-side installation prompt

[Todd+Knarr]

Fix should be simple: when an app's installed remotely from the browser, queue the installation and put up a notification asking the user to confirm the installation. Installation doesn't proceed until the user responds affirmatively to the prompt (if they respond negatively, the installation's de-queued). The authors are right, though, that the more tightly you integrate the browser-based services with the phone the less you can depend on the separation of the two for security. What's different here is that it's showing that tight integration between Google's services and the phone affects vendors other than Google.

Re:Fixable by phone-side installation prompt

[stephanruby]

Fix should be simple: when an app's installed remotely from the browser, queue the installation and put up a notification asking the user to confirm the installation.

No, the fix already exists. If you're worried about someone accessing your google play account from a web browser, turn on 2-factor authentication. 2-factor authentication is still there, it just needs to be done through the web browser instead of the phone.

Personally, I need to be able to control/access my phone remotely if it ever gets lost/stolen. So keep it the way it is, be sure to have 2-factor authentication turned on already, because doing an halfway measure like what you're suggesting will only decrease security, not increase it.

Re:Fixable by phone-side installation prompt

[SmilingBoy]

I think you miss the premise of the paper. The PC that you use to access Google services is under control of an attacker. Therefore, even if 2FA is turned, it will not actually be requested if it is accessed from the computer in question.

Re:Fixable by phone-side installation prompt

[Todd+Knarr]

The idea is that it won't matter whether you have 2FA turned on or not, you've already authenticated to your Google account and your compromised browser can then use it's access to that account to push the malicious app to your phone and activate it. 2FA can't protect you from that because the malicious code starts after you've handled all steps of the authentication for it.

Re:Fixable by phone-side installation prompt

[chill]

If the your main PC that is used to control your Google accounts, including permissions, is under the control of bad actors, you're screwed either way.

They could always just turn off 2FA from the PC.

This paper is akin to bitching if someone got a hold of my phone in my home, where location based trust is used and keeps the phone unlocked, then the bad actor could install stuff then.

Duh!

It is next to impossible to ensure security if the bad guys have control of the actual hardware.

P.S. -- You misunderstood the premise of the person you were replying to. They are saying turn on 2FA for accessing your Google accounts ON THE PC. That way you need control of not only the PC, but the phone as well to essentially get control. Perfect? No. A much bigger hurdle? Yes.

Re:Fixable by phone-side installation prompt

[Tyr07]

It would probably be less appealing to me if I had then to enter prompts on my device instead of it being ready to go. May as well directly install the app from my device.

Re:Fixable by phone-side installation prompt

[msauve]

I think you missed the point of the GP - Google also support s 2FA for the PC web browser, which requires you have the phone in order to complete the sign on. The authors say they "assume that the attacker already has control over the victim's PC," but that's not right. They assume that they not only have the PC, but a running browser which the user left logged into Google services. The paper just glosses over this.

Simply having access to someone's PC and Google credentials is not enough if they have turned 2FA on for the web, they would also need the phone to complete the sign on on the PC. If they have control of both factors (name/password and phone), it is not a failure of 2FA, that's exactly how 2FA is intended to work. And, if you're going to base a claim on such a poor premise, why not simply premise it on the attacker having the phone itself, already logged into Google services, which makes the whole thing even easier?

This is a very poor paper. Having started with that faulty premise, they go on through a bunch of stuff which simply doesn't matter. Perhaps I'll write a similar paper about how water is wet. I'll also point out that the paper also claims a similar vulnerability for Apple's iOS, which the summary ignores. That seems pointedly biased.

Re: Fixable by phone-side installation prompt

They do that already. Android updates, require you to accept an update, unless you have the automatic update checked per application. Even then, thru play store, the apps update, carry unknown additions to your device. Noe of the updates are specific improvements. Just as Apple. So is it safer with the Apple core? Or a little robot? My only complaint, is they should notify you of the permissions needed, and allow you to opt out. Say a common text file, that would update in a common area, that the user has access to.

Re:Fixable by phone-side installation prompt

[Todd+Knarr]

If they have access to the PC, all they have to do is wait for the user to log in to Google themselves, then use that session for their purposes. No need at all to wait for an unattended browser.

Re:Fixable by phone-side installation prompt

[TheRaven64]

The authors say they "assume that the attacker already has control over the victim's PC," but that's not right. They assume that they not only have the PC, but a running browser which the user left logged into Google services

If the user is using much Google stuff, then that's pretty easy. Just wait until they log into gmail and open an invisible tab with the same cookie. And if that asks for authentication then pop up a thing in the gmail tab saying 'for extra security, Google needs you to authenticate again'. Now you've compromised their Google account and you can install the 2FA trojans for everything else.

Re:Fixable by phone-side installation prompt

Still nope. The 2FA at risk is all of the supplemental accounts that might use it, i.e. banking or brokerage accounts, shopping accounts, online services,etc. If you have a clear path to go from your email (which may or may not be well protected) and allows you to sidestep any other account's 2FA is keys to the castle. You can do anything you want to that person. Drain their bank account, take over websites or social media accounts, other email accounts, anything. This exploit is in the wild and being used right now.

Re:Fixable by phone-side installation prompt

That's not a fix at all. The premise is that the browser compromise has taken place (which unless you have a good adblocker you are really vulnerable all the time) and that basic intrusion will allow access to EVERYTHING else that person has. Bank accounts secured with 2FA? Quick password reset backed by 2fa, and they are in and all your money is gone. Other online accounts, like domains, social media, etc. Quick password resets, and all accounts are now pwned. Google makes it way too easy to pull this off, and it's already happening in the wild (and most people dont even know how because its so freakishly quiet and sneaky).

Re:Fixable by phone-side installation prompt

[mlts]

How is this different from someone who manages to get a RAT on a victim's computer and control iTunes, installing/buying/removing apps at will? iOS is pretty much "vulnerable" to the same thing.

Re:Fixable by phone-side installation prompt

[chill]

It is essentially the same thing. Unless you absolutely trust nothing, this is a possibility. The problem comes because there is a limited amount of trust based on things like other device ownership, location and paired association.

I like the convenience I get from my phone not locking when I'm at home, or when it is paired via BlueTooth to my car radio. I made the conscious choice to weaken the security and not require manual unlocking in those situations.

Because of my home PC being the main control point for everything I have, if that is ever taken over, I'm fairly well screwed. I *could* make it much harder, requiring 2FA (not via phone) for logging in to my home PC and not saving any accounts or passwords, but it is a much bigger pain-in-the-ass than is justified by risk likelihood.

Re:Fixable by phone-side installation prompt

[tlhIngan]

How is this different from someone who manages to get a RAT on a victim's computer and control iTunes, installing/buying/removing apps at will? iOS is pretty much "vulnerable" to the same thing.

Except you can't do that unless the phone is present - either on the same WiFi (with WiFI sync enabled) or via cable.

You can buy apps, but they cannot be remotely installed. The only way is if the user is syncing with iTunes to then wait for the phone to be connected and then alter the sync settings to sync your app over.

Also, those apps have to be approved. If you want to try load your own app, that would require a mobile provisioning file which the user has to manually approve to install (this is for enterprise signing)

So yes, iTunes/iOS is vulnerable, but the attack surface is a lot more complex.

Re:Fixable by phone-side installation prompt

[aaarrrgggh]

FWIW, a yubikey isn't that hard to set up for 2FA on the PC.

Is this a proof of concept?

[Errol+backfiring]

The second link is to a google doc, which is a possible attack vector according to the submission. Should I visit this link with my android phone? Or is someone really not thinking clearly?

Link uses Google PDF viewer to read the paper

Is that the exploit?

Interesting but not sure how 'practical' it is

[trawg]

I glanced through some of the Android parts of the paper; it describes these as 'practical attacks' but it also opens with "we assume that a victimâ(TM)s PC has been compromised, allowing an attacker to perform Man-in-the-Browser (MitB) attacks", so it would appear the immediate risk would be at least on the low side. Unless your PC is pwned, but of course if that's the case, you're in trouble already.

For Android, the paper describes a mechanism by which a malicious app can be published to the Google Play store, then silently installed and activated through a Google Chrome plugin trojan (installed as part of the PC pwnage). There are more [interesting] details about how that process works and circumvents some existing Google tricks intended to stop it (e.g., static analysis of apps).

At this point, the app can now intercept SMS tokens that are sent to you as part of 2FA.

I was mostly interested to see if there were vulnerabilities in the Google Authenticator mechanism/implementation; it seems that this is not the case. It basically just takes advantage of the fact that Google offer a way to skip the Google Authenticator by using an SMS instead, although I guess this requires that your Google account is set up with a phone number (which may or may not be a requirement?).

The end of the paper notes that "Google believes that our proposed attack is not feasible in practice". I feel like eventually we'll see a bunch of common trojans that are set up to mess with 2FA. I kind of think that this is a pretty involved process with a lot of room for things to go wrong (for the attackers) so how effective it is remains to be seen. (I also wonder with Android M if the permissions model is different enough so that the SMS reading permission needs to be invoked on a per-app basis? But that might be work-aroundable anyway.)

Re:Interesting but not sure how 'practical' it is

[SmilingBoy]

That's what I thought as well first and deleted my main mobile phone number immediately from 2FA settings. But I think the Authenticator App itself might be vulnerable as well. I was able to take screenshot, and I would assume that there are apps that could do the same. It would then just need some OCR and the Authenticator would be broken as well. However, it may be the case that Android does not allow other apps to take screenshots and that there is no way to give them a permission to do so.

Re:Interesting but not sure how 'practical' it is

[karmatic]

"I was mostly interested to see if there were vulnerabilities in the Google Authenticator mechanism/implementation; it seems that this is not the case."

For the standalone authenticator, the security largely comes from the security of the built-in hash function. If that's broken, so are a lot of things.

Barring that, the goal would be to extract the secrets from the app. Google likes to use time-based, which means that a cloned token won't get out of sync, and won't be detected (though it does protect against attacks where someone says the first OTP is wrong, gets a second one, then redirects you with the first, leaving them with the second).

On a rooted device (particularly ones with non-standard bootloaders), it's reasonably easy to extract those secrets if you get your hands on the device, even if it's just to modify the device to log the decryption password. Once you have the secret, you have all the tokens you want.

Re:Interesting but not sure how 'practical' it is

[thejynxed]

The screenshot function is built in to many Android phones as a button press combo using (depending on the manufacturer) a short press of one of the volume keys + power. I imagine this functionality can be intercepted or rerouted with Android not even throwing up a warning about it.

Re:Interesting but not sure how 'practical' it is

[SmilingBoy]

Apparently it is not possible. See http://stackoverflow.com/quest... - "This code requires the activity to be in memory and in the foreground. Without root access and without modifying Android's source there is no way you can one can take a screenshot."

Re:Interesting but not sure how 'practical' it is

[fuzzyfuzzyfungus]

Given that basically everyone with something even resembling an 'ecosystem' is pushing as hard as they can to have users logging into the same services, under the same account, on their phones, computers, tablets, etc. the only real fix is going to involve dropping the pitiful little farce that 'something on your phone' is actually a 'second factor' in any useful sense.

Phones(whether running software implementations of authentication fobs, or using SMS) have never been ideal for the job(software fobs on network connected devices are obviously vulnerable to attack; and SMS could hardly have been designed with less interest in securing the contents of messages); but at least in the dumbphone days there was no particularly good way to correlate the PC you just hacked with the correct phone, must less initiate a push install of some horrid BREW or mini-java-something program to the handset. The user would be pretty screwed if they were going up against a state-level adversary, since those typically have the full cooperation of the telco and thus do have a decent shot at identifying the correct handset and getting access to the SMS traffic sent to it.

Thanks to the vendors' cross-platform ambitions, though, we have the same lousy device security(possibly worse, since the OSes have gotten substantially more complex); but correlating the target PC and the target phone is no longer an intractable business for all but the atypically motivated and well supplied. I doubt we'll see much change, since it's probably still less dreadful than most people's passwords; and it's certainly a lot cheaper than any of the proper 'second factor' options; but it's not really a second factor.

Re:Interesting but not sure how 'practical' it is

Please don't call these tokens OTPs. OTP has a very specific meaning in cryptography, which gives them very specific guarantees which are not shared by these authentication systems.

Re:Interesting but not sure how 'practical' it is

[fuzzyfuzzyfungus]

Apparently the older RSA-and-imitators fobs were a bit shaky; so there would be real reason for concern if anyone is still making authentication 'apps' based on it(recording the token's output every 60 seconds for a couple of months to a year, depending on your luck, would be a serious pain in the ass with a hardware token in someone else's possession; but becomes much more viable if the phone OS allows(whether by design or failure) your application to access the display output of another application. Though, as you mention, in the case of 'soft tokens', if you are privileged enough on the phone to be reading over the target's shoulder, you can probably just grab the initialization value directly; and once you have that absolutely nothing distinguishes your cloned token from the 'real' one.

Re:Interesting but not sure how 'practical' it is

[AmiMoJo]

What the paper doesn't mention is that their app installed via Google Play shows up like any other app you remotely installed, i.e. there is a notification message that an app was installed.

This attack isn't very practical against anyone with much of a clue. Their browser has to be compromised, they have to be using SMS for 2FA rather than an app like Google Authenticator (others are available, including open source), and they have to ignore warning messages. The iOS version is a little bit easier to exploit because it doesn't require the remote app installation (only the browser hack), so iOS users might want to consider using an authenticator app rather than SMS.

Re:Interesting but not sure how 'practical' it is

[tepples]

The confusion is that "OTP" stands for one-time pad, which you're talking about, and one-time password, which people discussing Google Authenticator are talking about.

Re:Interesting but not sure how 'practical' it is

[BradleyUffner]

AZ Screen Recorder ( https://play.google.com/store/... ) is able to record video of your screen without root access and without being in the foreground.

Re:Interesting but not sure how 'practical' it is

[karmatic]

I'm talking about one time passwords.

Apple 2FA

So... I enabled 2FA on my Apple account. I set my iPad as a trusted device. Then I log into my account from the trusted iPad, I select the trusted iPad as the device to receive the code, I receive the code on my trusted iPad, and input the code in. It's a bit pointless to go through the extra step on the same device, isn't it?

Poulty conundrum?

Sounds a bit like "if someone can hack your computer AND trick you into installing a trojan on your phone, he can then use that combination to install yet another app on your phone, that you only have to activate to enable it to do naughty stuff from that point on."

I wonder why he wouldn't just put the whole chicken in that first egg?

Or did I skimp over TFA too fast and miss something?

User "consuming" Google services?

How do I "consume" e-mail hosting?

It isn't a resource that is depleted after I use it. It's a service. You can't "consume" an e-mail hosting service any more than you can "consume" a movie. You can consume a bagel, a glass of juice, or a hamburger. Fire can consume a building. But there is nothing consumable about using an e-mail service. Stop redefining words for marketing purposes.

Re:User "consuming" Google services?

[dave420]

"Consume" is synonymous with "use" or "utilise", so no, its use is perfectly valid in this context. Why did you assume you were correct instead of spending a few seconds to read the definition? You'd have taught yourself something, and not told the world how your hubris has blinded you to your shortcomings. I hope you don't vote, as you are quite likely not as informed as you seem to think you are.

Re:User "consuming" Google services?

[genner]

How do I "consume" e-mail hosting?

It isn't a resource that is depleted after I use it. It's a service. You can't "consume" an e-mail hosting service any more than you can "consume" a movie. You can consume a bagel, a glass of juice, or a hamburger. Fire can consume a building. But there is nothing consumable about using an e-mail service. Stop redefining words for marketing purposes.

Your consuming bandwidth and drive space on the server. Both are resources that are not infinite.

Re:User "consuming" Google services?

That is some kind of manipulated definition created by corporations in the last ~10 years.

Also laughable that you think that voting changes anything. You eat that bullshit right up, don't you "sheep420".

Should be worried about not microagressing anyone!

These so-called "academics" are a stain on higher learning.

They're wasting their time trying to learn things.

Thinking?!?!?!

That's a waste of time. You could wind up upsetting someone if you dare to do THAT heinous activity!

They really should be spending all their time worrying about not microagressing anyone, because that's what's really important to true academics!

How easy?

[Midnight+Thunder]

All security or encryption should be treated as breakable, so the real question is not is it breakable, but how much effort needs to be made to break it? This should also be put in the context of who we are really trying to protect data from?

Shocking

[liqu1d]

Code isn't secure.

Uhh...

[The+MAZZTer]

Nobody's beaten Google's 2FA. Remote install does not REQUIRE 2FA. If Google should decide it does, they can throw up a prompt for a code when you go to do a remote install and suddenly the "vulnerability" is gone. I agree with the article as much as they might want to do this. Right now Google uses 2FA for login and protecting account security settings only.

It's important to note that an attacker would already have to be logged in as a user. If a user keeps themselves logged into an insecure PC an attacker can use there's only so much Google can do... the article doesn't really mention the attacker has access to much of the user's Google services and data in addition to remote install. It brings to mind the "It rather involved being on the other side of this airtight hatchway" class of "vulnerability" that Raymond Chen bases off a quote from The Hitchhiker's Guide.

In addition there's a couple problems not addressed in the link I can see. First of all, AFAIK, other than on a really old version of Android through a glitch, any newly installed app cannot run any code until the first time the user launches it. Then it is allowed to install background services and whatever. But not before then. So if you manage to silently install an app which the user never sees or runs you've defeated yourself. Secondly, this can only be used to install apps from Google Play, which Google can manage to take down malicious apps as they are reported.

Your entitlement to a service is consumed

[tepples]

How do I "consume" e-mail hosting?

It isn't a resource that is depleted after I use it. It's a service.

Then what's a better term for "entity to whom a product or service of a producer is delivered"?

For a paid service Your entitlement to the service is a resource, which is consumed after all months of service for which you have paid have elapsed. For a service provided without charge It can't be "customer" if one is using only services provided without charge, such as Gmail (not Google Apps For Work) on a PC, iOS device, or out-of-warranty Android device.

Re:Your entitlement to a service is consumed

[KGIII]

How do I "consume" e-mail hosting?

It isn't a resource that is depleted after I use it. It's a service.

Then what's a better term for "entity to whom a product or service of a producer is delivered"?

For a paid service Your entitlement to the service is a resource, which is consumed after all months of service for which you have paid have elapsed. For a service provided without charge It can't be "customer" if one is using only services provided without charge, such as Gmail (not Google Apps For Work) on a PC, iOS device, or out-of-warranty Android device. this

Re:Your entitlement to a service is consumed

[KGIII]

I have no idea how that happened. I was going through an older thread that I'd not read and I meant to reply to someone below you but was also checking out your formatting. So, that's how I ended up sending you that. Err... You can safely ignore that.

I was going to reply below but the use of DL and DT made me curious. They say curiosity killed the cat but I am not a feline. Either way, sorry for bugging you.

LOL

[Richards-Thoughts]

this is nothing important, go get an old copy of windows 95 and use a hex editor to modify command.com so that all the key commands like DIR do not work and have changed, then make sure that you made additional changes to maintain the file size and you will can a command.com that passes all security checks. Now extrapolate to use this system to modify ssd firmware and you can hack any computer in the world since the firmware that passes verification now has a virus to send windows update to a hacked server for infection. lol bye bye security