How to bypass browser authentication - techyshubham

Friday, 13 November 2020

Hello everyone! Today I'm going to be talking about bypassing two-factor authentication (2FA) mechanisms in different kinds of web apps, mobile apps, mobile phones, as well as other stuff. So, this is me. My name is Shahmeer Amir and I work for a company called Veiliux, which is a cybersecurity consultancy company. I'm gonna tell you a little bit about myself. I'm a penetration testing engineer and a cybersecurity researcher by nature; I do bug bounty hunting a lot, for a lot of different companies on a lot of different platforms: Facebook, Microsoft, Google, Yahoo, Twitter. I did my master's in security science recently and I'm gonna pursue my PhD very soon. So, yeah, that's about me. An agenda: what are we gonna talk about?
First of all, we're going to talk about what two-factor authentication really is. Then we're gonna talk about conventional implementations of 2FA in web applications. We're going to move to bypassing those implementations via different methods. Then we're gonna see how multi-factor authentication is initiated in different mobile phones, and then we're going to talk a little bit about FaceID. So, as you can see, I have a very good agenda here today for you guys to, you know, actually see 2FA. Initially, first, we have to understand what it really is, because most of us don't have an exact idea of what 2FA is. It's not just sending a code to your mobile phone, it's not just sending a code to your hardware token device; it's actually much more than that. Is it secure? Of course not! 2FA, by nature, is not a secure design platform, because most organizations consider it secure, but it's actually not. We'll see how it's not secure in a few minutes. Yeah. So, there are several implementations. First, on mobile phones we get an SMS on our cell phones to authenticate into web applications, you know, and then we have third-party software like OAuth, Google Authenticator and stuff like that. So, we're going to be talking about how to bypass these different kinds of implementation flaws in different 2FA mechanisms to have a workflow. So, I have a little video here that I want to show you guys.

We used one password for everything, but that wasn't good enough. So we started making our passwords even more complicated, then began using password managers to organize the dozens or hundreds of unique passwords we used.

But no matter how complex our password system, it was never enough to prevent account takeover, because all it took was one phishing email or database exploit and your password was out in the world. So, if passwords are impossible to protect, what do we do? That's where two-factor authentication comes in. Two-factor authentication, or 2FA, is a second method of identity verification to secure your accounts. First, the thing you know: your password. Then, something unique that you have, like your phone or a fingerprint. By combining your password with one of these factors, attackers can't access your account even if they have your password. The most common 2FA systems use a unique one-time code with every login attempt. This code is tied to your account and generated by a token or smartphone, or sent to you by text message. The more modern and most secure form of 2FA uses a mobile app to send an approval notification to your smartphone or smartwatch for the least hassle possible. With 95% of breaches involving account takeover, two-factor authentication is the most effective method of prevention. It's time for everybody, businesses, governments and you, to take the easy and effective step of enabling two-factor authentication on all accounts. If it uses a password, we need to use 2FA.

Yes, so that was a little video about two-factor authentication. I know that most of you guys understood it and already had an idea of what it really is. Now let's get to the technical part of the stuff: what kinds of tokens are there in 2FA. We have three main kinds of tokens. One is event-based, the other is time-based, and then we have challenge-based tokens. Event-based token: an event-based token is a token that is generated at a specific time, you know, based on a certain event that happens; otherwise it's not generated. For example, take Facebook and its connection with OAuth.

You connect with that, and that's an event that triggers the OAuth backend mechanism, which generates an event-based token. Then we have a time-based token. You can take the example of the RSA hardware token device, which generates a time-based token every second or every minute, which you can use to log in to the systems. It's specifically triggered on a certain timeline. Then we have a challenge-based token, basically an OTP. The system generates a challenge-based token on demand, using random challenge keys that are provided by the authentication server. So, this is the more complex form of short tokens, and it can be used to sign people in based on certain challenges. We can take the example of different single sign-on mechanisms in thin clients and thick clients via this. So, yeah, let's get to the good stuff now. Since we have taken a lot of time in understanding what 2FA is, we're gonna look at five different mechanisms today for bypassing 2FA in mobile apps or web apps. Initially, we're gonna look at, you know, some of my findings that I made on different platforms, and I'm gonna be sharing them with you, and of course those of other researchers.

First of all, we're going to look at how I bypassed 2FA in Mapbox, which is a map analytics website. Then we're gonna look at how I bypassed a multi-factor authentication mechanism in one of the e-wallets in Pakistan, and then we're gonna look at another researcher who bypassed PayPal's 2FA via secret questions. Then we're gonna look at how 2FA can be bypassed with OAuth, and then we're gonna look at how we can bypass 2FA by exploiting voicemail services. Yeah.

So, Mapbox 2FA bypass. How did I do it? The basic flaw in this entire mechanism was that the application allowed users to log in just after changing their passwords, without a primary authentication mechanism. So that could be used to bypass 2FA. Let's take a look at how a normal process flow would have worked. I'm a user, I request a password change in a web app. I get the password change token in my email address. I change the password and, for my convenience, it automatically logs me in to the web app without any authentication. Now, if I have 2FA enabled on my account and, since this process is not following the particular standards or policies for login or session management, the attacker would come in, of course assuming that he has the victim's credentials. The attacker would come in, he would be faced with the 2FA page, and then he would request a password reset token to his email address. And just after that, he can bypass the 2FA mechanism easily by just changing the password, which would log him in to the account. So, yeah, and this is one of the bounty shots that I got, you know, here. These are certain kinds of business logic flaws that have high value in the market, so companies pay a lot. So this is, you know, what I was paid, about $1000 for this flaw. So, this is the first one.

Now, e-wallet bypass. And this is interesting, actually. There is an e-wallet that had three forms of authentication mechanisms. So, I utilized response manipulation techniques to actually bypass the 2FA in this e-wallet.

There's a complete video of it. I'm gonna show you right now. So, as you can see, the Android AES encryption key was actually hard-coded into the Android app. So what I did was, I took that away and, since it was hard-coded, I could easily encrypt or decrypt the communication that was going on. So, initially, the application would ask for your national identity number and a mobile phone number, which, of course, you would know in order to bypass the 2FA system. Now, it was very easy to bypass that: I simply took, you know, Burp Suite and activated the Android app. Then I was logged in successfully, but after an interception we got the Android AES encryption key that was hard-coded in it. After that, we found out that a complete 200 valid response generated this structure, you know, as you can see, that I've highlighted here. And, you know, we encrypted that using the AES encryption key and, even if we entered the wrong OTP that was being sent to the server, we could easily intercept that and replace the response codes with the valid ones. And we would be logged in; as you can see, I'm intercepting the response right here and I could change the response code with the valid ones and I would be logged into the application successfully.

Now, they had another authentication mechanism, which was the PIN. The PIN was actually the password, but it was a four-character password that the user knew. Initially, what we did was, we also intercepted a valid response of that PIN and, you know, saved it for ourselves. And we just had to change the user ID within the valid response after decrypting with the AES key and then encrypting it again. And, you know, we could easily bypass the second form of authentication there as well, as you can see with the PIN. We don't know the PIN, so it's telling us that it's unsuccessful. Now, using Burp Suite, we intercept the response and, moving forward after intercepting the response, we could replace the response with a valid response code, and using that valid response code we bypassed the 2FA in this e-wallet. Now there was also a third form of authentication here that we bypassed. That was the initial login PIN. We bypassed that as well, using the same response manipulation mechanism that we utilized before. We bypassed 2FA in this as well. So, this is basically how we bypassed 2FA in this e-wallet system.

Abuse scenario now. How could an attacker abuse this? So, basically, the attacker logs in; he doesn't know anything, he just knows your national identity card number and your phone number. He logs in; initially, he makes an account himself and, after logging in, intercepts all the valid response codes, so he can decrypt those response codes and replace them with your user ID, which we can automatically get by intercepting the response codes of the initial login mechanism, and then we can replace those in every forthcoming login portal. Yeah.

So, now I'm going to show you how one of the researchers bypassed 2FA in one of the PayPal websites. Here, he utilized request manipulation techniques, so this was the process flow.

If you go to a PayPal website, they will ask you to enter your 2FA code, or you could actually try another way, which was the secret questions and answers. So here, if the attacker did not know the secret answers to the questions, he would be denied access to the internal application. But if the attacker himself removed the challenge and response fields from the request, then the servers and the backend API would completely ignore that and allow login. So, the attacker logs in, he selects the alternative option and enters incorrect answers. He intercepts the request in Burp and removes the parameters challenge and response. And, by removing the parameters, the attacker is granted access to the internal application. Yeah.
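As an added example (not the speaker's code, nor anything from Mapbox, PayPal or the other sites named in the talk), the Python below models one account with several first-factor paths: the password form, the e-mailed password-reset token from the Mapbox case, and a federated login path, which the talk turns to next with OAuth. `login_insecure` reproduces the two web-app defects described so far (the reset path hands out a full session without 2FA, and the PayPal-style secret-answer check is only performed when the `challenge`/`response` fields are present), while `login_secure` forces every path through one second-factor gate that fails closed. All user data, the TOTP secret and the request dictionaries are constructed for the example.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class User:
    name: str
    password: str                         # plain text only for this demo
    totp_secret: Optional[bytes] = None   # None = 2FA not enrolled
    secret_answers: Dict[str, str] = field(default_factory=dict)
    oauth_ids: Set[str] = field(default_factory=set)
    reset_tokens: Set[str] = field(default_factory=set)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (SHA-1, 6 digits) evaluated at unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6:06d}"

def first_factor(user: User, how: str, **kw) -> bool:
    # Three ways a caller can prove the first factor for the same account.
    if how == "password":
        return hmac.compare_digest(user.password, kw["password"])
    if how == "reset":                    # e-mailed reset token (the Mapbox path)
        if kw["token"] not in user.reset_tokens:
            return False
        user.reset_tokens.discard(kw["token"])
        user.password = kw["new_password"]
        return True
    return how == "oauth" and kw["provider_uid"] in user.oauth_ids   # federated path

def second_factor(user: User, now: int, req: dict) -> bool:
    """TOTP code or secret answer; both answer fields are mandatory and the check
    fails closed (PayPal's backend let a request with them removed straight through)."""
    if isinstance(req.get("code"), str):
        return hmac.compare_digest(req["code"], totp(user.totp_secret, now))
    q, a = req.get("challenge"), req.get("response")
    if not isinstance(q, str) or not isinstance(a, str) or q not in user.secret_answers:
        return False
    return hmac.compare_digest(user.secret_answers[q], a)

def login_insecure(user: User, how: str, now: int, req: Optional[dict] = None, **kw):
    """'full' = account access, 'pending' = 2FA still owed, None = denied."""
    req = req or {}
    if not first_factor(user, how, **kw):
        return None
    if how == "password" and user.totp_secret:      # defect 1: reset/oauth never reach 2FA
        if req.get("method") == "questions":        # defect 2: answer checked only if present
            if "challenge" in req and user.secret_answers.get(req["challenge"]) != req.get("response"):
                return None
        elif req.get("code") != totp(user.totp_secret, now):
            return None
    return "full"

def login_secure(user: User, how: str, now: int, req: Optional[dict] = None, **kw):
    if not first_factor(user, how, **kw):
        return None
    if user.totp_secret is None:
        return "full"
    # Every first factor converges on the same gate; 'pending' grants no account access.
    return "full" if second_factor(user, now, req or {}) else "pending"
```

A 'pending' session should be the only thing a reset or federated login can produce for a 2FA-enrolled account, and nothing behind the login should accept it.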

RelateIQ. This was a website that I bypassed 2FA in as well, and this was actually using OAuth implementations. According to my survey, 90-95% of web applications do not implement 2FA techniques on OAuth. So, I have a video of how I bypassed it here as well, which I'm going to show you. As you can see, when you log in using your user email address and password, it asks you for your 2FA code, which you don't have. So, if you have access to the victim's OAuth implementation account, you can just click on that particular OAuth mechanism and it would allow you internal access to the systems. Like here, you know, it was just in a jiffy. According to my survey, 95% of web applications have this vulnerability. They do not implement 2FA standards on OAuth mechanisms. Yeah. So, the abuse scenario here would be that the attacker compromises the user's Facebook account, he clicks on "login via Facebook" and the attacker is easily granted access to the victim's account again. Yeah.

So, this is a very interesting one: bypassing 2FA mechanisms by exploiting voicemails. So, let's get down to it. Yeah. So, the process flow is simple: the user logs in to an application, he requests the 2FA code via a call and if, at the same time, the user is on another

call with anyone else, then the 2FA code gets delivered to their voicemail. Pretty simple. But how would an attacker exploit this? An attacker would initially, you know, log in to the victim's account and engage himself in a call with the victim. And, moving forward, the attacker would simply, you know, get the 2FA code onto the victim's voicemail and, as the victim is engaged in another call, he could extract the 2FA code from the voicemail.

So, how do we exploit the voicemail? Initially, this is actually for Australian service providers. You need to obtain a caller ID spoofing service. I normally use SpoofCard for it. Of course, then we have the Australian number registered; Australian region, input the number, the destination number, you've got to put in what is written. I'm gonna tell you why I'm putting this destination number in, you know. And then you have to enter the caller ID that you need to be displayed on the victim's mobile number. And if you're using SpoofCard, a number and access code are displayed; you call this number, you input the access code and you will be granted access after pressing hash. Now, the explanation of how and why we use the voicemail number.

Basically, all resellers use the exact same services as Optus does. Optus is one of the Australian telecom providers. The primary number to call for voicemail is 321. So, when spoofing, we need a remote number to call, as we're unable to reach 321. Australian cellular providers provide a remote number to call in case the customer is overseas. This number is this. So, the voicemail actually gets delivered to this number and you can press hash and access the voicemail easily. And, since you're spoofing the victim's own number and you're calling from the victim's number, you can, you know, harvest the codes from there. So, it's actually exploiting the voicemail itself. Yeah. Now, we're gonna look at how to bypass 2FA in mobile phones. You know, we're gonna look at,


you know, how to bypass 2FA in the pattern lock in different Samsung phones using ADB. So, this option will only work if you have USB debugging enabled on your device and your PC is allowed to connect by ADB. If you meet such requirements, then any pattern lock in the world can be bypassed using this technique. It's fairly simple. You connect your cell phone to a laptop or a device and, moving forward, you simply write this command. It will remove the gesture key function from your phone, thus letting you in when you restart it. You have to set a new PIN and, if you set a new PIN, that is your desired PIN, and then you can bypass the pattern lock very easily. So, using this particular technique, adb shell rm, you're removing the entire gesture key function from the phone, which you can later gain access to. Okay. Yeah.

So, bypassing the iris scanner in the Samsung S8. This is a very interesting one. The Samsung S8 iris scanner, according to my analysis and research, is not a very secure retina scanner.

Here are the things you need: you need a lens with specifications of about 200 millimeters, and you need to be at a distance of 15 meters. I'm sorry, I wrote millimeters there, 15 meters from the target. You need to print that photo in a high-quality copy and then you're gonna need a wet lens if you want to unlock it. And, with a sufficient amount of time and access to the phone, you can actually unlock it. So, let's see how this works. I'm gonna show you a little video on how this works. So, as you can see, these are two guys sitting next to each other. This guy takes a photo of that guy using his high-quality camera phone, a high-quality camera which has a night mode, so you get better lighting. Yeah.

So, now you need to print that photo in high quality. Zooming in on the eye and the infrared image that is printed on the Samsung paper, it actually prints that eye out. And it's really easy, if you just, you know, cut that thing out and put a wet lens on it. And, after putting the wet lens on it, you can fairly easily bypass the iris scanner. I'm gonna show you how it's done real quick. So, as you can see, the iris scanner is activated and the phone won't be unlocked without iris recognition. Now, we have the photo of the eye next to us and we have a wet lens that is also here. So, we place the wet lens on the photo of the eye and we show that photo to the S8 scanner and here we get: bypass. So, that's how easy it is and, similarly, the same thing goes for all facial recognition systems in Samsung. I'm gonna talk about FaceID just now. So, you know, this is gonna be the last part of my talk. So, hopefully, if you have any questions after that, I'll be happy to answer them. FaceID.

Apple explained a lot of good stuff about FaceID at their iPhone X launch, and the hardware is awesome, you know. We have a dot projector, we have an IR camera, we have a 3D model of the face and everything. But what if the vulnerability is not in the external hardware? What if the vulnerability is in the internal hardware? How can it be hacked? Well, my analysis and the analysis of a lot of other researchers that I work with on the Internet show that Apple saves its facial and iris scanning images in something called the Secure Enclave Processor, or SEP. So, what is it? Basically, the SEP is a system within the iPhone that actually has its own power source, its own dedicated IO lines, its own operating system, its own peripherals. It's a standalone device within another device. Actually, this is how it is. This is its basic core infrastructure.

This is the SEP KF core, that's the boot ROM, we have the crypto core, and then this is basically the hierarchical structure of how the SEP works. So, yeah, the FaceID feature is basically based on the SEP, but the SEP also has several flaws. The SEP operating system lacks basic exploit protections. There is no memory layout randomization, the power manager and the PLL are open to attacks. We have the inclusion of fuse source pins that should be re-evaluated over time, and then the demotion functionality, which is dangerous. So, according to my initial analysis, when we get our hands on the iPhone X, which has FaceID, I'm sure that it's not going to take a long time to bypass it, because attackers look for different kinds of flaws, whether it's in the external hardware or the internal one. So, the future of FaceID is not as secure as Apple says it is. Yeah, that's about it for my presentation. Guys, if you have any questions, I would be happy to answer them.
