Here is an article by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4
Ever since Google told the world that none of its 85,000 employees had been successfully hacked (https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/) since they started implementing Security Keys, like Yubico’s YubiKey (https://www.yubico.com/products/yubikey-hardware/), I’ve been contacted by friends and the media about my thoughts.
Apparently as the author and presenter of the 12 Ways to Hack 2FA (https://www.brighttalk.com/webcast/14421/326691/twelve-ways-to-defeat-two-factor-authentication) and an author of a similar CSO column (https://www.csoonline.com/article/3272425/authentication/11-ways-to-hack-2fa.html), I’m purported to be an authority on it. I’m not, but I did recently stay at a Holiday Inn.
Never one to be a wallflower, I’ve given my opinion and limited expertise over and over. I had to repeat it enough that I decided to write an article about it so I can just point future requests to a link.
MFA and Google Are Awesome
First, and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. We need to replace as many one-factor authentication (1FA) and simple password authentication scenarios as we can, wherever and whenever we can. I’m saying it right here, MFA is awesome!
Google is awesome in so many ways, not least its incredible push to better secure more web sites (defaulting to HTTPS and trying to fix our digital authentication mess, for example), but also in switching all its users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. Yubico’s YubiKey is awesome. What’s not to love about any company or person trying to improve computer security?
Now that we’ve got the obligatory “I’m not insane” moment out of the way, I’m just as correct to say that there is no doubt in my mind that Google’s Security Key MFA device can be hacked. Just because it hasn’t or didn’t (not sure how you ultimately prove that of course) get hacked, doesn’t mean it can’t be hacked. Apple computers and devices didn’t get hacked until they became super popular, and now they are. Same thing here.
There is not an authentication solution made that cannot be hacked. That includes what Google has. It includes whatever we come up with in the future. It includes all known biometrics. It includes everything in the computer security world. If a vendor or person tells you they have something that is unhackable, run! They are either lying or don’t know what they are talking about. Either way, not the sources of authority you should be listening to.
Yes, Google Security Keys Can Be Hacked
Critics of mine are probably saying that if Google has gone over a year without any of its 85,000 employees getting hacked, how can I say that they are hackable with any degree of expertise, certainty, or personal dignity?
Start by watching my Hacking 2FA video or read the CSO column (listed above). Or just watch my friend, co-worker, and world’s best-known hacker, Kevin Mitnick, blow past a popular 2FA solution (https://www.youtube.com/watch?v=xaOX8DS-Cto) using social engineering and some common hacking methods, as if the 2FA token weren’t even there.
After Kevin first posted his video, people said that his method wouldn’t work on Google, so he went on to demonstrate getting past Google’s software-based 2FA solution, Google Authenticator, for giggles. Repeat after me: any authentication solution is hackable. Some are just easier than others.
My still remaining critics might counter that Mitnick’s particular hack wouldn’t work against Google’s hardware-based 2FA solution, and in particular Google Security Keys, because they contain a feature (i.e. U2F) that prevents that sort of attack. And those people would be right. The FIDO Alliance’s (https://fidoalliance.org/) Universal 2nd Factor (https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html) specification has a feature that prevents man-in-the-middle attacks, like the one Mitnick demonstrates.
Yes, but it does not prevent all attacks. Just a cursory review shows me that Google Security Keys are probably susceptible to 8 of the 12 attacks I cover in my talks. These include:
· Fake Web Sites and Fake Authentication Experiences
· Downgrade/Not Required Attacks
· Tech Support Social Engineering Attacks
· Hijacking Shared Authentication Attacks
· Subject Hijacking
· Buggy Code
· Physical Attacks
I don’t have the time or space to cover all of them, but let me cover the fake web site and fake authentication attack scenario. You get a fake email pointing to a look-alike of a web site that you use your Google Security Key on. The fake web site looks like the legitimate site and prompts you to use your Google Security Key just like you expect, and you are let onto the web site after authentication just like you expect.
Except the whole thing is a fake.
Maybe you then get prompted to input otherwise confidential information, get prompted to install a “Security Key” upgrade, or maybe get completely kicked out and asked to re-authenticate at the real site, but now there is a session-stealing process running. If these scenarios seem implausible, consider that they have been used successfully against other MFA solutions in the past, and there is nothing to indicate the design of Google Security Keys prevents them.
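To make concrete both why U2F stops the man-in-the-middle relay Mitnick demonstrates and why it does nothing about a look-alike site that simply pretends to log you in, here is an added simulation of the U2F authentication flow. It is example code written for this page, not code from the article, Google, Yubico or the FIDO Alliance. It models the three parties (token, browser, relying party) and the checks the real site performs: the browser, not the web page, tells the token which origin is actually loaded; the token signs that origin together with the server’s challenge and a use counter; the relying party then verifies origin, challenge, signature and counter. One labelled simplification: signatures are HMAC-SHA256 over the signed bytes instead of the ECDSA signature a real token produces, so the relying party here stores the same secret the token holds (in real U2F it stores only a public key). The origins, usernames and client-data layout are constructed for the example.

```python
"""U2F-style origin-bound second factor (added illustration, not the article's code).

Assumption: HMAC-SHA256 stands in for the token's ECDSA-P256 signature, so the
relying party keeps the token's secret; real U2F servers hold only a public key.
"""
import hashlib
import hmac
import os
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def client_data_for(origin: str, challenge: bytes) -> bytes:
    # Constructed layout; real U2F uses a JSON clientData with "typ",
    # "challenge" and "origin" fields carrying the same information.
    return b"origin=" + origin.encode() + b";challenge=" + challenge.hex().encode()


class SecurityKey:
    """The hardware token: one credential per registration plus a use counter."""

    def __init__(self) -> None:
        self._credentials = {}  # key handle -> (hash of app ID it was made for, secret)
        self._counter = 0

    def register(self, app_id: str):
        """Return (key handle, verification key) for the relying party to store."""
        key_handle, secret = os.urandom(16), os.urandom(32)
        self._credentials[key_handle] = (sha256(app_id.encode()), secret)
        return key_handle, secret

    def authenticate(self, app_id: str, key_handle: bytes, client_data: bytes) -> bytes:
        """Sign appIdHash || user-presence byte || counter || SHA-256(clientData)."""
        app_hash, secret = self._credentials[key_handle]
        # A real token refuses a key handle made for a different app ID, so a
        # look-alike origin cannot even obtain a signature from the key.
        if app_hash != sha256(app_id.encode()):
            raise ValueError("key handle not registered for app ID %r" % app_id)
        self._counter += 1
        counter = struct.pack(">I", self._counter)
        signed = app_hash + b"\x01" + counter + sha256(client_data)
        return counter + hmac.new(secret, signed, hashlib.sha256).digest()


class Browser:
    """The user agent: the app ID it passes is the origin actually loaded."""

    @staticmethod
    def sign_in(token: SecurityKey, origin: str, key_handle: bytes, challenge: bytes):
        client_data = client_data_for(origin, challenge)
        return client_data, token.authenticate(origin, key_handle, client_data)


class RelyingParty:
    """The genuine web site: checks origin, challenge, signature and counter."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._users = {}    # username -> [key handle, verification key, last counter]
        self._pending = {}  # username -> outstanding challenge

    def enroll(self, username: str, key_handle: bytes, verify_key: bytes) -> None:
        self._users[username] = [key_handle, verify_key, 0]

    def challenge(self, username: str):
        self._pending[username] = os.urandom(32)
        return self._users[username][0], self._pending[username]

    def verify(self, username: str, client_data: bytes, response: bytes) -> bool:
        key_handle, verify_key, last_counter = self._users[username]
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return False
        # 1. The browser must have seen *our* origin and *our* fresh challenge.
        if client_data != client_data_for(self.origin, challenge):
            return False
        # 2. The signature must cover our app-ID hash and exactly this client data.
        counter_bytes, signature = response[:4], response[4:]
        signed = sha256(self.origin.encode()) + b"\x01" + counter_bytes + sha256(client_data)
        expected = hmac.new(verify_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        # 3. The counter must move forward; a replay or a cloned key trips this.
        counter = struct.unpack(">I", counter_bytes)[0]
        if counter <= last_counter:
            return False
        self._users[username][2] = counter
        return True


def setup():
    token, site = SecurityKey(), RelyingParty("https://accounts.example")  # constructed origin
    key_handle, verify_key = token.register(site.origin)
    site.enroll("alice", key_handle, verify_key)
    return token, site


def genuine_login(token, site) -> bool:
    key_handle, challenge = site.challenge("alice")
    client_data, response = Browser.sign_in(token, site.origin, key_handle, challenge)
    return site.verify("alice", client_data, response)


def relayed_login_from_lookalike(token, site) -> bool:
    """A look-alike site forwards the real challenge to the victim's browser.
    The browser hands the token the origin it really loaded, so the token
    refuses and nothing usable ever reaches the genuine site."""
    key_handle, challenge = site.challenge("alice")
    try:
        client_data, response = Browser.sign_in(token, "https://accounts-example.test", key_handle, challenge)
    except ValueError:
        return False
    return site.verify("alice", client_data, response)


def replayed_login(token, site) -> bool:
    """Resending a captured response fails: the challenge is stale and the counter is old."""
    key_handle, challenge = site.challenge("alice")
    client_data, response = Browser.sign_in(token, site.origin, key_handle, challenge)
    site.verify("alice", client_data, response)  # the genuine use succeeds
    site.challenge("alice")                       # a fresh challenge is issued
    return site.verify("alice", client_data, response)  # the old response is refused


if __name__ == "__main__":
    token, site = setup()
    print("genuine:", genuine_login(token, site))
    print("relayed through look-alike:", relayed_login_from_lookalike(token, site))
    print("replayed:", replayed_login(token, site))
```

The point the simulation makes is the one the article makes: the relay fails at the token and would fail again at the relying party, so the genuine site never records a successful login for the victim, which is exactly why the look-alike site has to fake the “you’re in” page itself and then ask for something else. Nothing in this flow stops that second step; detection has to come from the user noticing the wrong origin or from the real site never having seen the sign-in.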
To be fair, no authentication solution can prevent all of these attacks.
At least not in a way that people would want to use them. Many times, it isn’t a design issue, it’s a human issue. If I can talk technical support into downgrading your authentication into something that is more hackable or into sending me a completely new security key, it isn’t a fault of the security device at all. But that’s the problem with security solutions: they may be designed in a theoretical bubble, but in practice they run in a complete system, and that entire system is attackable.
But I don’t want to just wimp out and say that Google Security Keys are only theoretically hackable. The technology and design they rely on has recently been hacked. I don’t want to steal all the thunder of these great, creative hackers, so go read the details here: https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html. But in a nutshell, the authors of this hack found a specific flaw in the U2F design when it is used with something called WebUSB. They reported it and made a presentation around it. Then, when asked for more details by Google, it appears that “suddenly” Yubico reported the bug to Google and got paid the $5000 bug bounty instead of the people who found it, and Google closed the hole.
I want to applaud Google, Security Keys, FIDO’s U2F, and everyone’s push to replace 1FA with MFA solutions. Please do it. Kudos! But don’t think that because Google reports that none of its users got hacked it means they can’t be hacked (or really, weren’t hacked…hard to prove). And there is no doubt that if Security Keys or any other MFA solution became ubiquitous, they would be hacked over and over. Why? Because that’s what has happened to every other security solution in existence. Still, it’s orders of magnitude better than what we’re facing with 1FA and password solutions. Just don’t oversell it as unhackable. Even Google is not saying that.