Frighteningly Bad Security Keys

Earlier this week, Adam Langley published a report on the security of FIDO U2F security keys. FIDO U2F security keys are typically small USB devices (some are NFC- or BLE-enabled) that provide a secondary authentication factor for websites. The report is a follow-up to his previous review where he took a quick overview of the various keys sold on

The typical authentication process involves a user authenticating to a website with his or her credentials through a supported browser such as Google Chrome. After the credentials are verified, the web server responds with a challenge that is sent to the FIDO U2F token, which lights up and waits for the user to initiate the secondary factor by pressing a button located on the USB device. The device then cryptographically signs the challenge using a key previously registered with the website.

The results are quite scary for a security-focused product. Adam’s testing revealed a number of implementation errors in the existing FIDO U2F keys, ranging from invalid ASN.1 DER serialization to the ability to crash the token with a ping of death. The big takeaway is that there is still research to be done on the security of security keys.
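To make the DER point concrete, here is an added example (not code from the report or from this post) of the strict check a relying party can apply to a token's signature before verifying it. It assumes U2F signatures are ECDSA over P-256, so every length fits the short form; the function names and sample bytes are constructed for illustration.

```python
# Added example: strict DER check for an ECDSA signature,
# i.e. SEQUENCE { INTEGER r, INTEGER s }. Assumes P-256 (short-form lengths only).

class DERError(ValueError):
    """Raised when the input is not strict DER."""

def _read_len(buf, i):
    """Return (length, next_index) for the length byte at buf[i]."""
    if i >= len(buf):
        raise DERError("truncated length")
    if buf[i] >= 0x80:
        raise DERError("long-form or indefinite length in a P-256 signature")
    return buf[i], i + 1

def _read_uint(buf, i):
    """Parse a non-negative, minimally encoded INTEGER; return (value, next_index)."""
    if i >= len(buf) or buf[i] != 0x02:
        raise DERError("expected INTEGER tag")
    ln, i = _read_len(buf, i + 1)
    body = buf[i:i + ln]
    if ln == 0 or len(body) != ln:
        raise DERError("empty or truncated INTEGER")
    if body[0] & 0x80:
        raise DERError("INTEGER is negative (missing 0x00 pad)")
    if ln > 1 and body[0] == 0 and not body[1] & 0x80:
        raise DERError("INTEGER has unnecessary leading zero")
    return int.from_bytes(body, "big"), i + ln

def parse_ecdsa_sig(der):
    """Return (r, s), or raise DERError if the encoding is not strict DER."""
    if not der or der[0] != 0x30:
        raise DERError("expected SEQUENCE tag")
    ln, i = _read_len(der, 1)
    if i + ln != len(der):
        raise DERError("SEQUENCE length does not match input")
    r, i = _read_uint(der, i)
    s, i = _read_uint(der, i)
    if i != len(der):
        raise DERError("trailing bytes inside SEQUENCE")
    return r, s

def is_strict_der(der):
    """True when der parses as a strict DER ECDSA signature."""
    try:
        parse_ecdsa_sig(der)
        return True
    except DERError:
        return False

# Constructed samples (s = 1 in each): r = 0x80 with its 0x00 pad, r = 0x80
# without the pad (reads as negative), and r = 1 with a superfluous 0x00.
GOOD = bytes.fromhex("300702020080020101")
BAD_NEG = bytes.fromhex("3006020180020101")
BAD_PAD = bytes.fromhex("300702020001020101")
```

A lenient parser would accept all three samples and hide the token's encoding bug; rejecting the two malformed ones surfaces it at registration or login time.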

If you’re looking to get into two-factor authentication (2FA) or multi-factor authentication (MFA), you can’t go wrong with a Yubico U2F security key. Just make sure you don’t use SMS-based 2FA when other, more secure, options are available.

The Packets are Coming from Inside the Ceiling

Marion Correction Facility partnered with a nonprofit, RET3, as part of the prison’s green initiative to have inmates help recycle old computers. However, they didn’t expect a network of computers to magically appear in the ceiling.

The tale of how prison inmates pilfered recycled computers, hid them in the ceiling, and committed identity theft reads like an episode of “It’s Always Sunny in Philadelphia” but underscores how basic security principles could have thwarted the crime.

Physical security and port security would have prevented the inmates from connecting unauthorized computers to the prison’s internal network. Preventing shoulder surfing would have protected staff members’ passwords.

Masquerading Password Prompts

Just in time for Halloween, researcher Felix Krause demonstrated a proof-of-concept attack against iOS devices to trick users into entering their Apple ID password.

The problem lies in the unified user experience (UX), where dialog boxes for passwords appear the same regardless of their provenance, which makes it extremely difficult for users to differentiate between a legitimate Apple ID prompt and a malicious app spoofing the prompt to collect credentials.

For example, a malicious app could spoof the prompt to capture your Apple ID credentials and use them to lock you out of your Apple products in exchange for a Bitcoin ransom.

The iOS platform isn’t the only one susceptible to this type of attack. Google Chrome suffers from a similar issue in trying to convey the certificate status for HTTPS websites. Microsoft solved a similar problem in the Windows operating system by requiring users to press the Ctrl+Alt+Del key combination prior to logging in. The Ctrl+Alt+Del key combination is known as a secure attention sequence, which is used to thwart spoofing attacks.

For now, the only way to validate whether an Apple ID prompt is real or fake is to lock your phone and see if the credential prompt is displayed on the lock screen notifications.