nCircle's Craig Young presented his research on the Google 2-step verification system at BSides San Francisco 2013.
More information:
http://community.ncircle.com/t5/VERT-Security-Research-Blog/Google-Jacking-A-Review-of-Google-s-2-Step-Verification-BSides/ba-p/7876
5. • 2SV is Google’s 2FA branding
• Phone becomes the ‘something you have’
- STEP 1 – Login to with account password
- STEP 2 – Enter code from phone
• Application-Specific Passwords (ASPs)
- Used for 3rd party & legacy support
- 16 lowercase letters
- Limited by application (in theory anyway)
man 2SV
6. Authentication Credentials 2FA 2SV
Something you have + Something you know ♦ ♦
Something you know ♦
Something you have ♦
$ diff –Burp 2FA 2SV
Bottom Line?
2FA enhances security by compromising convenience
2SV enhances security but only when it is convenient
7. • Are ASPs the Achilles heal of 2SV?
1. ASPs are all powerful
2. ASP revocation is broken
3. ASPs increase the risk of token attacks
4. Google recommends saving ASPs
Attacking Application-Specific Passwords
8. Google attempts to restrict browser-based ASP use:
Android browser auto sign-in bypasses this restriction:
ASPs Provide Full Account Access
9. HOWTO: punting the intruder
Recovery MeasureTested Result
Revoke application-specific passwords No effect on logged in intruder
‘Sign out all other sessions’ from Gmail No effect on logged in intruder
Revoke ‘Android Login Service’ Androids must re-authenticate
Change account password Androids must re-authenticate
Recommended Procedure:
STEP 1 : Revoke allASPs
STEP 2: Change account password
STEP 3:Verify account settings
10. • Pay attention to permissions!
• Apps with root can directly access acounts.db
• ASPs are backdoors by design
AndroidApps Can Generate ASPs
11. • Privacy advisors don’t look at token related permissions
• Far too many apps have the ability to request tokens
There’s An App ForThat
12. Auditing the ASP Auditing
ASPs added and removed in the same activity period are not reported!
14. • Saving passwords gives attackers an edge
- OS X Keychain can be dumped
• Pidgin (chat) doesn’t bother to use crypto
- Most applications provide limited protection
What could go wrong?
16. • Ideal Solution:
- ASPs are no longer part of 2SV
- Use account password + time-based code
• Quick Fix:
- Force authentication when generating ASPs
- Allow users to disable ASP creation
TODO: Ditch ASPs
17. • Ideal Solution:
- Tokens should be revoked along with the ASP
- Requires tokens & ASPs to be related
• Quick Fix:
- Treat ASP removal like a password change
- All sessions are forced to authenticate again
TODO: Fix ASP Revocation
18. NO MORE ANDROID LOGIN WITH ASP!
• Explicit ASP Model:
- Specify allowed services for an ASP
- Limits abuse of compromised ASPs
• Implicit ASP Model:
- Restrict the ASP to the 1st application using it
TODO: Make ASPs Application Specific
19. • Require a password to enable auto sign-in
• Don’t allow auto sign-in for account settings
• Allow disabling auto sign-in at an account level
TODO: Lock Down Auto Sign-In
20. • Audit how and when an ASP is used
• ‘Access type: Mobile’ is too vague
• ASP name in the activity screen would help
TODO: ASP Auditing
21. 1. Android is a logged in browser session
• Use caution when sharing your device
• Consider unlinking your Google account when traveling
• Watch app permissions closely (guard your tokens)
• Use a strong password (Lock screen widgets FTW)
2. Don’t save ASPs without encryption
3. Monitor ASPs & change your passwords
How to ProtectYourself
Android 4.2
Lock Screen
DialerWidget
22. Concluding Remarks
• 2SV is vulnerable-by-design
• 2SV increases risk from token-based attacks
• Android + 2SV reduces security
• ASPs are a bad idea
- Password + OTP code makes security in 1-step
- Let users decide whether ASPs are allowed
23. 1. 11/26/12-11/30/12 - Multiple 2SV/ASP issues reported to Google
2. 12/5/12 – Confirmation of reported behavior as known issues
3. 1/11/13 – Google notified of BSides SF CFP submission
4. 2/18/13 – Account Activity Logic Error Reported to Google
5. 2/22/13 – Fix details received (Re-auth requirement implemented)
6. 2/24/13 – BSides presentation
7. 2/25/13 – ASP revocation fix begins to roll out
DisclosureTimeline
24. For more information about enterprise risk
management or Google 2-step verification:
• Visit nCircle RSA booth 1023
• Check out the nCircleVERT blog:
http://vert.ncircle.com
• Follow @craigtweets
Questions?