google-jacking: a review of google 2-factor authentication
DESCRIPTION
nCircle's Craig Young presented his research on the Google 2-step verification system at BSides San Francisco 2013. More information: http://community.ncircle.com/t5/VERT-Security-Research-Blog/Google-Jacking-A-Review-of-Google-s-2-Step-Verification-BSides/ba-p/7876TRANSCRIPT
![Page 1: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/1.jpg)
A Review of Google 2-Factor Authentication
Google-Jacking
Craig Young Security B Sides San Francisco, USA 2013
![Page 2: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/2.jpg)
Look Who’s Talking
![Page 3: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/3.jpg)
• Defining 2-Factor Authentication (2FA)
• Defining 2-Step Verification (2SV)
• diff -Burp 2FA 2SV # Compare & Contrast
• Attacking Application-Specific Passwords
• DEMO: Do androids dream of übertokens?
• TODO: Making 2SV Better
Talk Overview
![Page 4: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/4.jpg)
Define: 2-Factor Authentication
![Page 5: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/5.jpg)
• 2SV is Google’s 2FA branding
• Phone becomes the ‘something you have’
- STEP 1 – Login to with account password
- STEP 2 – Enter code from phone
• Application-Specific Passwords (ASPs) - Used for 3rd party & legacy support
- 16 lowercase letters
- Limited by application (in theory anyway)
man 2SV
![Page 6: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/6.jpg)
Authentication Credentials 2FA 2SV
Something you have + Something you know ♦ ♦
Something you know ♦
Something you have ♦
$ diff –Burp 2FA 2SV
Bottom Line?
2FA enhances security by compromising convenience
2SV enhances security but only when it is convenient
![Page 7: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/7.jpg)
• Are ASPs the Achilles heal of 2SV?
1. ASPs are all powerful
2. ASP revocation is broken
3. ASPs increase the risk of token attacks
4. Google recommends saving ASPs
Attacking Application-Specific Passwords
![Page 8: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/8.jpg)
Google attempts to restrict browser-based ASP use:
Android browser auto sign-in bypasses this restriction:
ASPs Provide Full Account Access
![Page 9: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/9.jpg)
HOWTO: punting the intruder Recovery Measure Tested Result
Revoke application-specific passwords No effect on logged in intruder
‘Sign out all other sessions’ from Gmail No effect on logged in intruder
Revoke ‘Android Login Service’ Androids must re-authenticate
Change account password Androids must re-authenticate
Recommended Procedure: STEP 1 : Revoke all ASPs STEP 2: Change account password STEP 3: Verify account settings
![Page 10: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/10.jpg)
• Pay attention to permissions!
• Apps with root can directly access acounts.db
• ASPs are backdoors by design
Android Apps Can Generate ASPs
![Page 11: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/11.jpg)
• Privacy advisors don’t look at token related permissions
• Far too many apps have the ability to request tokens
There’s An App For That
![Page 12: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/12.jpg)
Auditing the ASP Auditing
ASPs added and removed in the same activity period are not reported!
![Page 13: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/13.jpg)
Check “Remember Password”
![Page 14: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/14.jpg)
• Saving passwords gives attackers an edge
- OS X Keychain can be dumped
• Pidgin (chat) doesn’t bother to use crypto
- Most applications provide limited protection
What could go wrong?
![Page 15: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/15.jpg)
DEMO!
![Page 16: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/16.jpg)
• Ideal Solution:
- ASPs are no longer part of 2SV
- Use account password + time-based code
• Quick Fix:
- Force authentication when generating ASPs
- Allow users to disable ASP creation
TODO: Ditch ASPs
![Page 17: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/17.jpg)
• Ideal Solution:
- Tokens should be revoked along with the ASP
- Requires tokens & ASPs to be related
• Quick Fix:
- Treat ASP removal like a password change
- All sessions are forced to authenticate again
TODO: Fix ASP Revocation
![Page 18: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/18.jpg)
NO MORE ANDROID LOGIN WITH ASP!
• Explicit ASP Model: - Specify allowed services for an ASP
- Limits abuse of compromised ASPs
• Implicit ASP Model:
- Restrict the ASP to the 1st application using it
TODO: Make ASPs Application Specific
![Page 19: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/19.jpg)
• Require a password to enable auto sign-in
• Don’t allow auto sign-in for account settings
• Allow disabling auto sign-in at an account level
TODO: Lock Down Auto Sign-In
![Page 20: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/20.jpg)
• Audit how and when an ASP is used
• ‘Access type: Mobile’ is too vague
• ASP name in the activity screen would help
TODO: ASP Auditing
![Page 21: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/21.jpg)
1. Android is a logged in browser session • Use caution when sharing your device
• Consider unlinking your Google account when traveling
• Watch app permissions closely (guard your tokens)
• Use a strong password (Lock screen widgets FTW)
2. Don’t save ASPs without encryption
3. Monitor ASPs & change your passwords
How to Protect Yourself
Android 4.2 Lock Screen
Dialer Widget
![Page 22: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/22.jpg)
Concluding Remarks
• 2SV is vulnerable-by-design
• 2SV increases risk from token-based attacks
• Android + 2SV reduces security
• ASPs are a bad idea
- Password + OTP code makes security in 1-step
- Let users decide whether ASPs are allowed
![Page 23: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/23.jpg)
1. 11/26/12-11/30/12 - Multiple 2SV/ASP issues reported to Google
2. 12/5/12 – Confirmation of reported behavior as known issues
3. 1/11/13 – Google notified of BSides SF CFP submission
4. 2/18/13 – Account Activity Logic Error Reported to Google
5. 2/22/13 – Fix details received (Re-auth requirement implemented)
6. 2/24/13 – BSides presentation
7. 2/25/13 – ASP revocation fix begins to roll out
Disclosure Timeline
![Page 24: Google-Jacking: A Review of Google 2-Factor Authentication](https://reader036.vdocuments.us/reader036/viewer/2022081400/5552ececb4c90584028b47a9/html5/thumbnails/24.jpg)
For more information about enterprise risk management or Google 2-step verification:
• Visit nCircle RSA booth 1023
• Check out the nCircle VERT blog: http://vert.ncircle.com
• Follow @craigtweets
Questions?