This research provides insight into bypassing two-factor authentication mechanisms in multiple ways. The goal is to demonstrate, in principle, how commonly used two-factor-protected systems can be bypassed with simple techniques. This was done by examining many systems and taking a practical approach in order to uncover realistic methods that can be used to bypass two-factor authentication in web-based systems. By demonstrating this, the author aims to give future researchers a basis for bypassing 2FA with other such techniques.
"Bypassing two factor authentication", Shahmeer Amir
1. SHAHMEER AMIR
Shahmeer Amir
Bypassing two-factor authentication using the simplest methods.
CEO @ Veiliux
Bypassing Multi Factor Authentication
2. WHO AM I?
• Penetration Tester and Founder @ Veiliux
• Cyber Security researcher
• Leisurely Bug Bounty Hunter
• M.Sc Security Science
• Pursuing Ph.D in Information Security
3. AGENDA
• What is 2FA
• Conventional 2FA implementations in Web applications
• Methods of Bypassing 2FA in Web apps
• Methods of bypassing MFA in mobile phones
• Foreword about FaceID
4. 2FA, WHAT IS IT?
Two factor authentication is a method of utilizing
a handheld device as an authenticator for online
portals.
5. IS 2FA SECURE?
While most organizations consider it a secure means of authenticating their users into their portals, there are methods by which two-factor authentication can be bypassed.
8. TYPES OF 2FA TOKENS
There are three different OATH OTP types that are the most widely used:
• Event-based tokens
• Time-based tokens
• Challenge-based tokens
9. EVENT BASED TOKEN
An OTP system generates event-based tokens on demand using a static random key value combined with an event counter.
10. TIME BASED TOKEN
An OTP system generates time-based tokens automatically every so often based on a static random key value and a dynamic time value.
11. CHALLENGE BASED TOKEN
An OTP system generates challenge-based tokens on demand using a random challenge key that is provided by the authentication server at each unique user log-in.
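The three token types above correspond to the OATH algorithms. The following Python block is an added illustration, not code from the talk: it implements HOTP (RFC 4226, the event-based type) and TOTP (RFC 6238, the time-based type), checks them against the RFC test vectors for the ASCII key 12345678901234567890, and adds the server-side verifier each type needs (replay protection via the last accepted counter, a small resynchronisation window, constant-time comparison). The challenge_otp function is a simplified stand-in for the challenge-based idea (an HMAC over a server-supplied nonce), not RFC 6287 OCRA, and the two verifier classes are my own construction.

```python
# Added example, not code from the talk. Reference implementations of HOTP
# (RFC 4226, event based) and TOTP (RFC 6238, time based), checked against the
# RFC test vectors, plus the server-side verifier each needs. challenge_otp is
# a simplified illustration of the challenge-based idea, not RFC 6287 OCRA.
# HotpVerifier / TotpVerifier are assumptions of this example, not a real API.
import hashlib
import hmac
import struct
import time

RFC_TEST_KEY = b"12345678901234567890"   # key used by the RFC 4226 / 6238 test vectors


def _truncate(digest: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at an offset given
    by the last nibble, mask to 31 bits, keep the low decimal digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based token: static random key + a counter that advances on each use."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based token: same key, counter derived from the clock (SHA-1 variant)."""
    return hotp(key, unix_time // step, digits)


def challenge_otp(key: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-based token (simplified): key + a per-login nonce from the server."""
    return _truncate(hmac.new(key, challenge, hashlib.sha1).digest(), digits)


class HotpVerifier:
    """Server side for event tokens. Remembers the last accepted counter so a
    captured code cannot be replayed, and resynchronises within a look-ahead window."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key, self.look_ahead, self.last_counter = key, look_ahead, -1

    def verify(self, code: str) -> bool:
        first = self.last_counter + 1
        for c in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c     # burns this counter and any it skipped
                return True
        return False


class TotpVerifier:
    """Server side for time tokens. Tolerates `skew` steps of clock drift and
    accepts each time step at most once, so a sniffed code is dead after use."""

    def __init__(self, key: bytes, step: int = 30, skew: int = 1):
        self.key, self.step, self.skew, self.last_step = key, step, skew, -1

    def verify(self, code: str, now=None) -> bool:
        t = (int(time.time()) if now is None else now) // self.step
        for c in range(t - self.skew, t + self.skew + 1):
            if c > self.last_step and hmac.compare_digest(hotp(self.key, c), code):
                self.last_step = c
                return True
        return False


if __name__ == "__main__":
    for n in range(3):
        print("HOTP counter", n, "->", hotp(RFC_TEST_KEY, n))      # 755224 287082 359152
    print("TOTP at t=59, 8 digits ->", totp(RFC_TEST_KEY, 59, digits=8))  # 94287082
```

The point for the rest of the talk: none of the bypasses that follow attack these algorithms. They attack the code around them, which is why the verifier state (last accepted counter, the decision that a code passed) has to live on the server.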
12. BYPASSING 2FA IN WEB APPS
• Bypassing 2FA in Mapbox (Session Management)
• Bypassing 2FA in an E-Wallet (Response Manipulation)
• Bypassing 2FA in PayPal (Try another way)
• Bypassing 2FA in Recurly (Universal OAuth bug)
• Bypassing 2FA via exploiting voicemail
14. RECURLY 2FA BYPASS (Cont'd)
Process Flow:
User requires a password change
User requests a password reset token
User changes password via the token
Application logs the user in automatically after the change
15. RECURLY 2FA BYPASS (Cont'd)
Abusive Scenario:
Attacker has victim's credentials
Attacker logs in and is faced with the 2FA page
Attacker requests a password reset token
Attacker changes the password and is logged in
19. E-WALLET 2FA BYPASS
Abusive Scenario:
Attacker logs into account
Attacker submits an incorrect 2FA code
Attacker intercepts the response with the Burp Suite proxy
Attacker changes the response code and corresponding data to 200 OK
20. PAYPAL 2FA BYPASS
• Cause of Vulnerability: Secret question request manipulation
25. RELATEIQ 2FA BYPASS
Abusive Scenario:
Attacker compromises the user's Facebook account
Attacker clicks on "Login via Facebook"
Attacker is granted access to the victim's account
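The Recurly password-reset flow (slides 14 and 15), the e-wallet response manipulation (slide 19) and the RelateIQ "Login via Facebook" case above share one root cause: some code path creates or upgrades a session without the server itself having verified the second factor. The Python toy below is added here as an illustration; it is not code from the talk or from Recurly, the e-wallet, or RelateIQ, and the AuthServer, Session and Account names are invented. It models all three weaknesses in a vulnerable mode and the single fix in a hardened mode: every constructor of a session leaves MFA pending, and every protected action checks that server-side flag.

```python
# Added example, not code from the talk or any of the named vendors. A toy
# in-memory login server that reproduces the three web-app bypasses above
# (hardened=False) and the fix that closes all of them (hardened=True).
# Account / Session / AuthServer are invented names for this illustration.
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    username: str
    password: str                  # plaintext only to keep the toy short
    mfa_enabled: bool
    current_otp: str               # stands in for the HOTP/TOTP value the user holds
    linked_oauth_ids: set = field(default_factory=set)
    reset_tokens: set = field(default_factory=set)


@dataclass
class Session:
    username: str
    mfa_verified: bool             # server-side state; the client never sets this


class AuthServer:
    def __init__(self, accounts, hardened):
        self.accounts = {a.username: a for a in accounts}
        self.hardened = hardened   # False reproduces the bugs, True applies the fix

    def _new_session(self, acct):
        # The fix: a fresh session is only fully trusted if the account has no
        # second factor at all, whichever door (password, reset, OAuth) it came through.
        return Session(acct.username, mfa_verified=not acct.mfa_enabled)

    # --- normal login: password first, OTP second ------------------------------
    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        return self._new_session(acct)

    def verify_otp(self, session, code):
        acct = self.accounts[session.username]
        if hmac.compare_digest(acct.current_otp, code):
            session.mfa_verified = True
        return session.mfa_verified

    # --- protected resource: the e-wallet bug ----------------------------------
    def access_wallet(self, session):
        if session is None:
            return False
        if self.hardened:
            return session.mfa_verified
        # Vulnerable: only "is there a session?" is checked; whether the OTP
        # passed was left to the client's reading of the HTTP response, so a
        # proxy rewriting that response to 200 OK is enough.
        return True

    # --- password reset: the Recurly bug ---------------------------------------
    def request_password_reset(self, username):
        token = secrets.token_urlsafe(16)      # would be e-mailed to the user
        self.accounts[username].reset_tokens.add(token)
        return token

    def reset_password(self, username, token, new_password):
        acct = self.accounts[username]
        if token not in acct.reset_tokens:
            return None
        acct.reset_tokens.discard(token)
        acct.password = new_password
        if self.hardened:
            return self._new_session(acct)     # auto-login still owes an OTP
        # Vulnerable: auto-login after the change hands out a fully trusted
        # session, so the 2FA page is never shown.
        return Session(acct.username, mfa_verified=True)

    # --- federated login: the RelateIQ bug -------------------------------------
    def login_via_oauth(self, provider_user_id):
        for acct in self.accounts.values():
            if provider_user_id in acct.linked_oauth_ids:
                if self.hardened:
                    return self._new_session(acct)
                # Vulnerable: the social identity is treated as both factors.
                return Session(acct.username, mfa_verified=True)
        return None


def demo_accounts():
    # Constructed sample account: password, MFA on, and a linked Facebook id.
    return [Account("alice", "hunter2", True, "123456", {"fb:1001"})]


def run_bypass_attempts(hardened):
    """Returns whether the wallet opens after (password only, reset, OAuth)."""
    server = AuthServer(demo_accounts(), hardened)
    s1 = server.login("alice", "hunter2")
    s2 = server.reset_password("alice", server.request_password_reset("alice"), "newpass")
    s3 = server.login_via_oauth("fb:1001")
    return (server.access_wallet(s1), server.access_wallet(s2), server.access_wallet(s3))


if __name__ == "__main__":
    print("vulnerable:", run_bypass_attempts(False))   # (True, True, True)
    print("hardened:  ", run_bypass_attempts(True))    # (False, False, False)
```

The design choice worth copying is that `_new_session` is the only place a session is born and it never grants `mfa_verified` by itself; a new login route added later (another OAuth provider, a magic link, an API key exchange) cannot forget the second factor because it has nowhere else to get a session from.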
26. BYPASSING 2FA VIA VOICEMAIL
Cause of Vulnerability: Exploiting Voicemail
27. BYPASSING 2FA VIA VOICEMAIL
Process Flow:
User logs in
User requests 2FA code via call
User gets a call from someone else at the same time
User's 2FA code is sent to voicemail
28. BYPASSING 2FA VIA VOICEMAIL
Abusive Scenario:
Attacker logs into the victim's account
Attacker engages the victim's phone number in a call
Attacker chooses the "2FA code via phone call" option
Because the victim is engaged in the attacker's call, the 2FA phone-call service immediately sends the 2FA code to the victim's voicemail.
29. EXPLOITING VOICEMAIL
STEP 1:
Obtain an ANI/Caller ID spoofing service (either via a VoIP provider or via a dedicated spoofing provider).
30. EXPLOITING VOICEMAIL
STEP 2:
For all the services in the Australian region, input the destination number as: +610411000321.
32. EXPLOITING VOICEMAIL
STEP 4:
If you're using SpoofCard, a number and access code are displayed. Call this number and input the access code.
33. EXPLOITING VOICEMAIL
STEP 5:
You will be connected to the victim's voicemail service provider's endpoint. In this, input the victim's mobile number and press #.
34. EXPLANATION FOR USING VM NO.
• All resellers use the exact same main services as Optus does.
• The primary number to call for voicemail is "321".
• When spoofing, we need the remote number to call, as we are unable to reach "321".
• Australian cellular providers provide a remote number to call in case customers are overseas. This number is: +610411000321.
35. 2FA BYPASS IN MOBILE PHONES
• Bypassing pattern lock via ADB
• Bypassing S8 Iris scanner
36. BYPASSING PATTERN LOCK USING ADB
This option works only if USB debugging was previously enabled on the device and the PC is authorized to connect via ADB. If these requirements are met, this method can be used to unlock the Samsung lock screen.
37. BYPASSING PATTERN LOCK USING ADB
How to
• Connect your device to the PC using a USB cable and open a command prompt in the ADB directory. Type the command "adb shell rm /data/system/gesture.key" and press Enter.
38. BYPASSING IRIS SCANNER IN S8
Take a photo of the person's eye
Lens Specs: 200 mm
Distance: 15 mm
Print: High Quality Color Copy
Use a wet lens over it and it will be unlocked.
With a sufficient amount of time and complete access to the phone, you could theoretically unlock any Galaxy S8 with iris scanning enabled.
41. SO, HOW CAN IT BE HACKED?
The Secure Enclave Processor
The images captured by Face ID are kept in the encrypted memory of Apple's special coprocessor, which is called the Secure Enclave Processor.
42. SEP, WHAT IS IT?
• Security circuit designed to perform secure services for the rest of the SoC
• SEP has its own set of peripherals accessible by memory-mapped I/O
• Dedicated I/O lines
• Runs its own operating system (SEPOS)
44. The Future of FaceID is based on SEP
• SEP(OS) lacks basic exploit protections, e.g. no memory layout randomization
• Shared PMGR and PLL are open to attacks
• Inclusion of the fuse source pin should be re-evaluated
• The demotion functionality appears rather dangerous