June 3, 2011
i hax goog 2-step auth
I just "hacked" Google's 2-step authentication using ADB shell and an instance of the repackaged/modified Google Authenticator App (and Android SDK).
Having 2-step authentication makes it harder for your account to be hijacked and for malicious users to pose as you: instead of just guessing, stealing, or cracking your password (something only you're supposed to know) to gain completely free access to your account, they would additionally need your phone with the Google Authenticator App installed, which generates a cryptographically pseudo-random number every 30 seconds (something only you're supposed to have).
It's a well-known fact that smartphones today, whether iOS or Android-based, are essentially computers. And yes, that means they are vulnerable to "viruses" and "malware" much the same as PCs are. In particular, one way for malicious software to get onto your smartphone is through repackaging and redistribution via a third-party grey market or non-official market (as opposed to the official ones, e.g. Apple Store, Android Market)--or even by sneaking apps into the official markets. Once the malicious code is on your phone and has root access (via jailbroken iOS, rooted Android, an OS exploit, etc.), it has free rein to do whatever it wants. With root access, it can listen to your network traffic and examine your file system.
In this simulated attack, even though apps are "sandboxed" from one another through file ownership (each app runs as its own user and group, e.g. app_321), a root user has no such restriction. Simply copy the Authenticator's SQLite DB file, examine and/or manipulate it in SQLite, and the attacker now has your auth key and can impersonate you as often as he pleases.
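Why the copied DB file is all an attacker needs comes down to how the 30-second codes are derived: Google Authenticator's TOTP codes (RFC 6238, built on HOTP from RFC 4226) are a deterministic function of the shared secret and the current time, so anyone holding a copy of the secret computes exactly the codes your phone shows. The following is an added example written for this post, not code from Google Authenticator or from the original article; it implements HOTP/TOTP with Python's standard library, decodes the base32 form in which Authenticator secrets are normally handed out, and adds the server-side verifier with a small clock-drift window and constant-time comparison. The key `12345678901234567890` is the published RFC 4226/6238 test key, not a value from this page; `DEMO_SECRET_B32` is that same key in base32, constructed here for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published test key from RFC 4226 / RFC 6238 (not a real account secret).
RFC_KEY = b"12345678901234567890"
# The same key as an unpadded base32 string, the form an Authenticator
# provisioning URI carries (constructed for this example).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Turn an unpadded, possibly space-separated base32 secret into key bytes."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore base32 padding
    return base64.b32decode(s)


def verify_totp(key: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step and the
    `window` neighbouring steps on each side (clock drift), comparing in
    constant time so the check itself leaks nothing about the expected code."""
    for skew in range(-window, window + 1):
        expected = totp(key, unix_time + skew * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_copy_yields_same_code(secret_b32: str, unix_time: int) -> bool:
    """The point of the post: a copied secret reproduces the phone's code.
    Both 'the phone' and 'the copy' derive their key from the same string."""
    phone_key = decode_base32_secret(secret_b32)
    copied_key = decode_base32_secret(secret_b32)   # e.g. read from a copied DB
    return totp(phone_key, unix_time) == totp(copied_key, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    key = decode_base32_secret(DEMO_SECRET_B32)
    print("code right now:", totp(key, now))
    print("copied secret matches:", secret_copy_yields_same_code(DEMO_SECRET_B32, now))
    print("RFC 6238 vector T=59 ->", totp(RFC_KEY, 59))   # 287082 (last 6 of 94287082)
```

The verifier's drift window is the standard trade-off: widening it tolerates a slow phone clock but also widens the set of codes an attacker with the secret can replay at any moment; it does nothing against an attacker who has the secret itself, which is exactly why the at-rest protection of that secret on the phone matters.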
Screenshot here, with sensitive commands/output replaced:
Edit: 2011.06.14 - Here is a published Android exploit that the attacker could use in conjunction with this to compromise Google Authenticator--it's just one example, but there are many out there.
Comments (6)
Question!
1) Does the malicious app give itself root access? Meaning if you didn't root your phone, are you immune to this?
2) Can the attacker hijack your phone and take complete control over it?
@steelspine - 1) Can it? I haven't seen or heard it happen yet, but it's not impossible. But you're only at risk if the attacker also knows your password. 2) Define "complete control." I would say yes, but not through this exploit. I was just pointing out that Google's security key for 2-step verification is currently stored unencrypted on the Android (not sure about iPhone), and it was a design choice: http://code.google.com/p/google-authenticator/issues/detail?id=5
Thanks for the response!
By complete control, I mean: can they send text messages from your phone, or take a picture with your camera phone and email it somewhere?
Theoretically I mean... like not this app in particular, but could the phone be exploited in this way?
@steelspine - Yep, the phone could be exploited in this way. =/
@steelspine - Updated with an example of an Android attack: http://www.computerworld.com/s/article/9217554/Google_pulls_more_malware_from_Android_Market