Google-Jacking: A Review of Google 2-Factor Authentication

1,671 views
1,574 views

Published on

nCircle's Craig Young presented his research on the Google 2-step verification system at BSides San Francisco 2013.

More information:
http://community.ncircle.com/t5/VERT-Security-Research-Blog/Google-Jacking-A-Review-of-Google-s-2-Step-Verification-BSides/ba-p/7876

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,671
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Google-Jacking: A Review of Google 2-Factor Authentication

  1. 1. A Review of Google 2-Factor AuthenticationGoogle-JackingCraigYoungSecurity B SidesSan Francisco, USA 2013
  2. 2. Look Who’sTalking
  3. 3. • Defining 2-Factor Authentication (2FA)• Defining 2-Step Verification (2SV)• diff -Burp 2FA 2SV # Compare & Contrast• Attacking Application-Specific Passwords• DEMO: Do androids dream of übertokens?• TODO: Making 2SV BetterTalk Overview
  4. 4. Define: 2-Factor Authentication
  5. 5. • 2SV is Google’s 2FA branding• Phone becomes the ‘something you have’- STEP 1 – Login to with account password- STEP 2 – Enter code from phone• Application-Specific Passwords (ASPs)- Used for 3rd party & legacy support- 16 lowercase letters- Limited by application (in theory anyway)man 2SV
  6. 6. Authentication Credentials 2FA 2SVSomething you have + Something you know ♦ ♦Something you know ♦Something you have ♦$ diff –Burp 2FA 2SVBottom Line?2FA enhances security by compromising convenience2SV enhances security but only when it is convenient
  7. 7. • Are ASPs the Achilles heal of 2SV?1. ASPs are all powerful2. ASP revocation is broken3. ASPs increase the risk of token attacks4. Google recommends saving ASPsAttacking Application-Specific Passwords
  8. 8. Google attempts to restrict browser-based ASP use:Android browser auto sign-in bypasses this restriction:ASPs Provide Full Account Access
  9. 9. HOWTO: punting the intruderRecovery MeasureTested ResultRevoke application-specific passwords No effect on logged in intruder‘Sign out all other sessions’ from Gmail No effect on logged in intruderRevoke ‘Android Login Service’ Androids must re-authenticateChange account password Androids must re-authenticateRecommended Procedure:STEP 1 : Revoke allASPsSTEP 2: Change account passwordSTEP 3:Verify account settings
  10. 10. • Pay attention to permissions!• Apps with root can directly access acounts.db• ASPs are backdoors by designAndroidApps Can Generate ASPs
  11. 11. • Privacy advisors don’t look at token related permissions• Far too many apps have the ability to request tokensThere’s An App ForThat
  12. 12. Auditing the ASP AuditingASPs added and removed in the same activity period are not reported!
  13. 13. Check “Remember Password”
  14. 14. • Saving passwords gives attackers an edge- OS X Keychain can be dumped• Pidgin (chat) doesn’t bother to use crypto- Most applications provide limited protectionWhat could go wrong?
  15. 15. DEMO!
  16. 16. • Ideal Solution:- ASPs are no longer part of 2SV- Use account password + time-based code• Quick Fix:- Force authentication when generating ASPs- Allow users to disable ASP creationTODO: Ditch ASPs
  17. 17. • Ideal Solution:- Tokens should be revoked along with the ASP- Requires tokens & ASPs to be related• Quick Fix:- Treat ASP removal like a password change- All sessions are forced to authenticate againTODO: Fix ASP Revocation
  18. 18. NO MORE ANDROID LOGIN WITH ASP!• Explicit ASP Model:- Specify allowed services for an ASP- Limits abuse of compromised ASPs• Implicit ASP Model:- Restrict the ASP to the 1st application using itTODO: Make ASPs Application Specific
  19. 19. • Require a password to enable auto sign-in• Don’t allow auto sign-in for account settings• Allow disabling auto sign-in at an account levelTODO: Lock Down Auto Sign-In
  20. 20. • Audit how and when an ASP is used• ‘Access type: Mobile’ is too vague• ASP name in the activity screen would helpTODO: ASP Auditing
  21. 21. 1. Android is a logged in browser session• Use caution when sharing your device• Consider unlinking your Google account when traveling• Watch app permissions closely (guard your tokens)• Use a strong password (Lock screen widgets FTW)2. Don’t save ASPs without encryption3. Monitor ASPs & change your passwordsHow to ProtectYourselfAndroid 4.2Lock ScreenDialerWidget
  22. 22. Concluding Remarks• 2SV is vulnerable-by-design• 2SV increases risk from token-based attacks• Android + 2SV reduces security• ASPs are a bad idea- Password + OTP code makes security in 1-step- Let users decide whether ASPs are allowed
  23. 23. 1. 11/26/12-11/30/12 - Multiple 2SV/ASP issues reported to Google2. 12/5/12 – Confirmation of reported behavior as known issues3. 1/11/13 – Google notified of BSides SF CFP submission4. 2/18/13 – Account Activity Logic Error Reported to Google5. 2/22/13 – Fix details received (Re-auth requirement implemented)6. 2/24/13 – BSides presentation7. 2/25/13 – ASP revocation fix begins to roll outDisclosureTimeline
  24. 24. For more information about enterprise riskmanagement or Google 2-step verification:• Visit nCircle RSA booth 1023• Check out the nCircleVERT blog:http://vert.ncircle.com• Follow @craigtweetsQuestions?

×