Thursday, November 13, 2014

POC bypassing 2FA (2 Factor Authentication)

one thing i love about trying to secure systems is that people forget "you are as strong as your weakest link"

Today, we hack a system that has 2FA this where as an example to googles gmail, you would sign in using your password, then to put enough secure activity you would have another token required such as a code sent t your phone via SMS.

Pretty secure huh? not really.... it still can be broken, of course many people would start by assuming we will be stealing a phone by the end of this write up but the truth of the matter is, I wont need to touch your phone, so here we go.

The setup:

first we would have the users password (am not willing to engage in this as many a tutorials already exist to try and achieve this , from phishing to down right plain brute force)

second we would obviously require the SMS token sent to the user (hint: this tutorial is about that)
I will break this down to 2 parts, the explanation only then the POC .


we will be intercepting the SMS by attacking the um (air) interface between the victims mobile phone and the BTS (Base transmission station)

why does this work and what might be a solution/remediation to it.
1. I have covered this topic before but am going to explain. GSM is a broken technology (so far if you use a CDMA phone you are safe read so far)
2.GSM in most countries use a weak/broken encryption these are either
A5/0 ---- no encryption
A5/1 ---- most commonly used very low encryption and breakable with 2 TB rainbow tables in less than 5-30 minutes on a decent computer
A5/2 ---- much weaker version not commonly used... already  broken
A5/3 --- new version (KASUMI) theoretically broken
3. Phones dont do authentication checking to which BTS they are connected to or if any sniffing* activity is ongoing
4. Non hopping on BTSs allow passive sniffing (explained on part 2)

POC? as usual find it on part two meanwhile google up what those terms that may have eluded you on this piece , as we will indulge even deeper later on.

No comments:

Post a Comment

Dynamic Binary Instrumentation (pt2)

Quick how to: After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/andro...