Google TOTP Two Factor Authentication

Boštjan Cigan

29 January 2013

Contents:
  TOTP
  Possible attacks
  Conclusions
  References

TOTP

  TOTP - Time-Based One-Time Password algorithm.
      described in RFC 6238,
      also uses RFC 4226 as a basis:

          HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))

  Truncate is the function that converts the HMAC-SHA-1 output into an
  HOTP (HMAC-based One-Time Password) value. K is the shared secret and
  C is the counter value (RFC 4226). In TOTP, C is replaced by T (a
  time-based value).

TOTP

  TOTP is defined as:

          TOTP = HOTP(K, T)

  where T is defined as:

          T = (Current UNIX Time - T0) / X

  where X is the time step (usually 30 seconds) and T0 the initial
  time (the Unix time from which time steps are counted); the division
  is rounded down, so T is the number of whole time steps elapsed.



Practical implementation

  Google Authenticator is an open source practical implementation
  of TOTP.

  How it works:
    1   generate the secret (minimum length is 16 characters),
    2   create a QR code,
    3   scan the QR code using the Google Authenticator application,
    4   use the generated password to log in.




Google Authenticator on Android




Possible attacks
  Attacks are only possible if TOTP is incorrectly implemented.

      replay attack,
      brute force attack,
      (trivial) “phone stealing” attack,
      QR code stealing.

  To show the first two attacks, let's use WordPress (a commonly
  used content management system) and extend its login security
  with the Google Authenticator plugin.




Replay attack
  Prerequisites: A countermeasure is not implemented (unique
  session keys, or making a code invalid for the rest of its time
  step once it has been used).

      using Wireshark, looking for POST requests,
      we can expose the username, password and the Google
      Authenticator code.




Brute force attack

  Prerequisites: A countermeasure is not implemented (limiting the
  number of login attempts, locking out IPs, etc.).

      possible codes range from 000000 to 999999,
      so in theory we have to send 1,000,000 requests within a
      timeframe of 30 seconds, assuming that we started at 0
      seconds into the time step,
      because WordPress itself does not limit the number of login
      attempts, this attack is possible.



Brute force attack

  A simple script running on multiple servers would theoretically
  suffice (the following is implemented in Python):




“Phone stealing” attack

  It may be trivial, but the keys that are used to generate the codes
  are stored in plain text on the phone itself.

  With root access we can extract the database using the tool adbd
  Insecure:
    1   adb pull
        /data/data/com.google.android.apps.authenticator2/databases/databases
    2   sqlite3 ./databases
    3   select * from accounts

  The third column contains the secret we need:
  1|test@gmail.com|HBGZ5SYGSVR3GBWO|0|0|0


QR code stealing

  Prerequisites: The attacker can access the computer from which the
  user scanned his original QR code, and the browser cache was not
  cleared.

  Google Chrome and other browsers cache data in a predefined
  folder. For Chrome, checking the cache is easy:

    1   type chrome://cache in the URL bar,
    2   from there, search for the string chart?cht=qr,
    3   if successful, we have the full QR code URL.



QR code stealing

  A working example: the URL that was used to display the QR code
  is still in the cache. We can easily extract the seed (marked
  orange in the slide's screenshot) that is used to generate TOTP tokens.

Conclusions

      Google Authenticator is safe, but only if properly
      implemented,
      to properly implement it, programmers must read and
      understand the RFC documents before beginning
      development,
      the presented WordPress Google Authenticator plugin enables
      attacks because of improper implementation (it does not
      comply with the rules written in the RFC document).

  The full article describing the methods of attack, their
  implementation and methods of prevention is available at
  http://zerocool.is-a-geek.net/?p=842.

References



  Online:
    1   Google TOTP Two Factor authentication
    2   RFC 4226
    3   RFC 6238
    4   Stealing Google Authenticator credentials




 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Google Authenticator, possible attacks and prevention

  • 1. Google TOTP Two Factor Authentication. Boštjan Cigan, 29 January 2013. (Outline: TOTP, Possible attacks, Conclusions, References)
  • 2–4. TOTP basics. TOTP (Time-Based One-Time Password algorithm) is described in RFC 6238 and uses RFC 4226 as a basis: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)). Truncate is the function that converts an HMAC-SHA-1 value into an HOTP (HMAC-based One-Time Password) code; K is the shared secret and C is the counter value (RFC 4226). In TOTP, C is replaced by T (a time-based value).
  • 5–7. TOTP is defined as TOTP = HOTP(K, T), where T = (Current UNIX Time - T0) / X, X is the time step (usually 30 seconds) and T0 the initial time.
  • 8–11. Practical implementation. Google Authenticator is an open source practical implementation of TOTP. How it works:
      1. generate the secret (minimum length is 16 characters),
      2. create a QR code,
      3. scan the QR code with the Google Authenticator application,
      4. use the generated password to log in.
  • 12. Google Authenticator on Android. [screenshot]
  • 13–18. Possible attacks. Attacks are only possible if TOTP is incorrectly implemented:
      - replay attack,
      - brute force attack,
      - (trivial) “phone stealing” attack,
      - QR code stealing.
    To show the first two attacks, let's use WordPress (a commonly used content management system) and extend its login security with the Google Authenticator plugin.
  • 19–21. Replay attack. Prerequisite: a countermeasure is not implemented (unique session keys, making a code invalid for the rest of its time window once it has been used). Using Wireshark and looking for POST requests, we can expose the username, the password and the Google Authenticator code.
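The following is an added example, not code from the slides or from Google Authenticator: it implements HOTP and TOTP exactly as the RFC 4226 / RFC 6238 formulas on slides 2–7 state them (HMAC-SHA-1, dynamic truncation, T = (now - T0) / X), covers the enrollment steps of slides 8–11 (a 16-character base32 secret and the otpauth URI that the QR code carries), and adds the replay countermeasure that slides 19–21 describe as missing: a verifier that never accepts a time step twice. Names such as `TotpVerifier`, `new_secret` and `otpauth_uri` are this example's own; the account and issuer strings are constructed values.

```python
# Added example (not from the slides): RFC 4226 HOTP, RFC 6238 TOTP, enrollment
# data, and a server-side verifier that rejects replayed codes.
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as in RFC 4226, section 5.3."""
    msg = counter.to_bytes(8, "big")        # C is an 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation: low nibble of last byte
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def time_step(now: int, t0: int = 0, x: int = 30) -> int:
    """T = floor((Current UNIX Time - T0) / X), RFC 6238 section 4.2."""
    return (now - t0) // x


def totp(key: bytes, now: int, digits: int = 6, t0: int = 0, x: int = 30) -> str:
    """TOTP = HOTP(K, T)."""
    return hotp(key, time_step(now, t0, x), digits)


def new_secret(length: int = 16) -> str:
    """Random base32 secret; 16 characters = 80 bits, the minimum on slide 8."""
    raw = secrets.token_bytes(length * 5 // 8)
    return base64.b32encode(raw).decode("ascii").rstrip("=")[:length]


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret like the one in the app's accounts table (slide 31)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """Key URI encoded into the enrollment QR code. Note that it carries the secret."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check with a +/-window step tolerance and replay rejection.

    Once a time step has been accepted for this account, that step and every
    older one are refused, so a captured username/password/code triple cannot be
    submitted a second time inside the same 30-second window (RFC 6238, 5.2).
    """

    def __init__(self, key: bytes, window: int = 1, digits: int = 6):
        self.key = key
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = time_step(now)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                     # already used, or older: treat as replay
            expected = hotp(self.key, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("enroll with:", otpauth_uri(secret, "alice@example.com", "Example"))
    key = decode_secret(secret)
    now = int(time.time())
    code = totp(key, now)
    verifier = TotpVerifier(key)
    print("code", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

Because the otpauth URI contains the secret, the QR image should be rendered on the server that owns the secret and served with a `Cache-Control: no-store` header, not fetched through a third-party chart URL; the cached chart URL is exactly what the QR code stealing slides later in this deck recover. The `last_accepted_step` value has to be persisted per account (database, not process memory) for the replay rejection to hold across server restarts and multiple front ends.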
  • 22–26. Brute force attack. Prerequisite: a countermeasure is not implemented (limiting the number of login attempts, locking IPs, etc.). Possible codes range between 000000 and 999999, so in theory we have to send 1,000,000 requests within a 30-second time frame, assuming we started at 0 seconds. Because WordPress itself does not limit the number of login attempts, this attack is possible. A simple script running on multiple servers would theoretically suffice (the following is implemented in Python): [script not included in the transcript]
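The slides name the missing countermeasure (limit login attempts, lock the source) without showing one, so here is an added example of it, written for this page and not part of the deck or of the WordPress plugin: a sliding-window attempt limiter fed with a constructed login-event log. The log format (`timestamp source-ip user result`), the IP addresses and the class name `AttemptLimiter` are this example's own assumptions.

```python
# Added example (not from the slides): lock a source after repeated failed
# logins so that only a handful of the 1,000,000 codes can be tried per step.
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login events: one source hammering the code field, one normal user.
SAMPLE_LOG = """\
2013-01-29T10:00:00Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:01Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:01Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:02Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:02Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:03Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:03Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:04Z 203.0.113.7 admin otp_fail
2013-01-29T10:00:05Z 198.51.100.2 alice otp_fail
2013-01-29T10:00:20Z 198.51.100.2 alice otp_ok
"""


def parse_ts(ts: str) -> int:
    """ISO-8601 UTC timestamp (2013-01-29T10:00:00Z) -> UNIX seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


class AttemptLimiter:
    """Lock a source after max_failures failures inside window_seconds.

    With no limit an attacker can submit all 1,000,000 six-digit codes inside a
    30-second step; with 5 tries per 15-minute lock-out the attacker gets a few
    guesses per step, each with a 1-in-1,000,000 chance of matching.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 30,
                 lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)   # source -> recent failure times
        self.locked_until = {}               # source -> UNIX time the lock expires

    def is_allowed(self, source: str, now: int) -> bool:
        return now >= self.locked_until.get(source, 0)

    def record_failure(self, source: str, now: int) -> bool:
        """Record a failed attempt; return True if it triggered a lock-out."""
        q = self.failures[source]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, source: str) -> None:
        self.failures.pop(source, None)


def replay_log(log: str, limiter: AttemptLimiter) -> dict:
    """Run the events through the limiter; count allowed/blocked per source."""
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0, "locked": False})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, _user, result = line.split()
        now = parse_ts(ts)
        entry = summary[ip]
        if not limiter.is_allowed(ip, now):
            entry["blocked"] += 1            # refused before any code is checked
            continue
        entry["allowed"] += 1
        if result == "otp_ok":
            limiter.record_success(ip)
        elif limiter.record_failure(ip, now):
            entry["locked"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, stats in replay_log(SAMPLE_LOG, AttemptLimiter()).items():
        print(ip, stats)
```

The deck's attacker runs the script from multiple servers, so a limit keyed only by source IP is not enough: apply the same limiter keyed by the target account as well (the `source` argument is just a string, so `f"user:{name}"` works unchanged), and keep the counters in shared storage when several web nodes serve logins.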
  • 27–31. “Phone stealing” attack. It may be trivial, but the keys used to generate the codes are stored in plain text on the phone itself. With root access we can extract the database using the tool adbd Insecure:
      adb pull /data/data/com.google.android.apps.authenticator2/databases/databases
      sqlite3 ./databases
      select * from accounts
    The third column contains the secret we need:
      1|test@gmail.com|HBGZ5SYGSVR3GBWO|0|0|0
  • 32–36. QR code stealing. Prerequisites: the attacker can access the computer from which the user scanned the original QR code, and the browser cache was not cleared. Google Chrome and other browsers cache data in a predefined folder. For Chrome, checking the cache is easy:
      1. type the URL chrome://cache,
      2. search there for the string chart?cht=qr,
      3. if successful, we have the full QR code URL.
    A working example: the URL that was used to display the QR code is still in the cache, and we can easily extract the seed (marked orange on the slide) that is used to generate the TOTP tokens. [screenshot]
  • 37–40. Conclusions. Google Authenticator is safe, but only if properly implemented. To implement it properly, programmers must read and understand the RFC documents before beginning development. The presented WordPress Google Authenticator plugin enables attacks because of improper implementation (it does not comply with the rules written in the RFC document). The full article describing the methods of attack, their implementation and methods of prevention is available at http://zerocool.is-a-geek.net/?p=842.
  • 41. References. Online:
      1. Google TOTP Two Factor authentication
      2. RFC 4226
      3. RFC 6238
      4. Stealing Google Authenticator credentials