Strong authentication is good, when it is secure it is better
Following an exchange with a CISO, I thought it worth sharing my thoughts on a specific context: an organisation using Office 365 (among other things) where strong authentication has been activated (with no bypass 😉). That strong authentication is done there by sending an SMS to employees' work phones (or personal ones, but that is not the point), in addition to the login and password.
Very recently, Twitter suffered an interesting attack in which employees were compromised in order to reach Twitter's internal account management portal, disable strong authentication and change the passwords of the platform's users. As a result, messages were posted from celebrities' Twitter accounts to scam their followers: the scam promised to double any amount transferred to a given bitcoin address (the attackers' 😉).
To date, the exact origin of the attack is not really confirmed; I have read articles mentioning "SIM swap", interception of SMS, insider complicity (https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos)...
As said in the introduction, following these attacks the CISO, who had recently deployed strong authentication (MFA), asked me several questions, which I reproduce here... with the answers, of course 😉.
Strong authentication by "what I have"
As already seen several times, a strong authentication is an authentication performed with an identifier (login, email...) and at least two factors among:
- What I know (my password, a sentence...) ;
- What I am (biometrics such as fingerprint, retina, foul breath...)
- What I can do (signature, coded gesture https://twitter.com/mynameisv_/status/1258372512628555779 ...) ;
- What I have (a phone receiving a code by SMS, a smartphone receiving a notification, a small token generating one-time codes or OTP derived from time and a secret, or the same thing but in application on a smartphone ...) ;
- The place where I am (geolocation) ;
Here, we focus on "what I have", and more precisely on the subcategory "a phone", which allows, among other things (before you complain, read to the end 😉), the following second authentication factors:
- Receiving a unique code by SMS;
- Receiving a phone call dictating a unique code.
These means of transmitting a code are vulnerable to the following attacks (leaving aside government-level attacks, interception by IMSI catcher...).
What is "Sim Swapping"?
As the name suggests, it is about swapping the SIM, the smart card in your phone that holds the secrets used to attach to your operator's GSM network and to authenticate you on it.
There are many techniques, but basically the most obvious one is to call the target's phone operator's support line, pretend to be that person and ask for a new SIM card to be sent following a theft, a loss...
There are also techniques using eSIM, which do not require sending a physical card at all.
In general, some information and access are still needed beforehand, such as personal details, access to the target's email...
Once in possession of the new SIM card, it is as if you had the target's phone. Since many password reset procedures rely on the phone number, it is therefore possible (in some cases) to reset the target's password and then receive the codes used for strong authentication by SMS.
You will find many articles on the internet detailing this technique.
How to prevent it ?
Directly, it is rather difficult to protect yourself against it, because it happens at the operator's end.
On "professional" mobile fleets, you can ask that only a single designated contact be allowed to make this type of request, with validation by email or another specific process.
On personal subscriptions, apart from choosing an operator that does serious identity checks, I have no solution (nor a list of operators 😉). I can only recommend having strong and different passwords everywhere, dedicated and unique email addresses for each service, following good security practices, not publishing private or sensitive information about yourself on social networks...
How to detect it?
It is also difficult to detect, apart from making people aware of this type of attack: once the SIM swap is done, the user's phone loses the network (the line has moved to the attacker's SIM), which should arouse suspicion.
Interception of SMS
What is SMS interception?
SMS interception is... intercepting SMS messages. Thanks cap'n obvious 😉.
Intercepting SMS requires a bit more skill than knowing how to call a support line. You have to get a foothold in the mobile network, but since the release of OsmocomBB (an open-source implementation of the GSM mobile-side protocol stack: https://www.sstic.org/media/SSTIC2010/SSTIC-actes/Projet_OsmocomBB/SSTIC2010-Slides-Projet_OsmocomBB-welte.pdf) and its associated libraries, and with the published attacks on the SS7 signalling protocol that operators use, among other things, to route SMS to recipients, it is no longer so complicated to get into these networks. And it's not as if there were no tutorials on YouTube 😉 : https://www.youtube.com/watch?v=udceOS6vvfQ
Here is also a small article in French on the subject: https://blog.e-xpertsolutions.com/authentification-forte-par-sms-fiable-ou-pas-fiable/
Or this presentation at Hackito Ergo Sum: http://2014.hackitoergosum.org/slides/day3_Worldwide_attacks_on_SS7_network_P1security_Hackito_2014.pdf
How to prevent it?
As far as I know, for a private individual or a company, it is impossible to protect yourself from SMS interception (unless the company in question is a GSM operator 😉 ).
How to detect it?
Again, it is very difficult to detect the interception: if someone requests an authentication code via SMS without the target's knowledge and intercepts it, the target sees nothing. The only case I can think of is the target performing a strong authentication at the same moment and not receiving the SMS, but I doubt that would raise any suspicion.
What to do?
Strong authentication based on a login, password and "what I have" is not limited to sending SMS to a phone.
What you have to understand is that the techniques mentioned above target the phone, i.e. the GSM side (SIM card, SMS, voice call), but today almost nobody owns a simple phone; people have smartphones.
The smartphone is a computer connected to the internet, which allows the following second authentication factors: an OTP generated by an application, and a push notification.
The OTP application involves enrolling the smartphone, i.e. depositing a secret on it (a random value or "seed"). This secret, combined with the current time, is used to generate a "One Time Password" (OTP) by passing both through an HMAC: HOTP ("HMAC-based One-time Password algorithm", RFC 4226) computes a code from the secret and a counter, and TOTP ("Time-based One-time Password algorithm", RFC 6238) is HOTP where the counter is the current time divided into 30-second steps.
For more details, here is a very ugly slide I made (a long time ago...) to illustrate the strong authentication solution I had developed for my former company, the famous "Cépafo" 😉 for "Portable External Authentication Client by OTP" :
There are many mobile applications offering this functionality, such as Microsoft Authenticator, Google Authenticator, Cepafo 😉... The secret can be entered manually, by scanning a QR code, by following a URL...
The advantage of this solution is that the OTP can be generated by the application even without internet access, as long as the smartphone's clock is roughly right (a drift of a few seconds is usually tolerated). On the other hand, generating an OTP on the same smartphone on which you enter your login and password to access a site or service somewhat breaks the idea of multiple factors, since everything is on your smartphone, but that's another debate 😉.
The push notification relies on the fact that, whether the smartphone is on iOS or Android, it benefits from the notification service of these vendors.
After enrolment, during an authentication, once the login and password have been entered, the smartphone receives a notification asking whether the authentication should be validated or not. Simple and efficient, but it requires an Internet connection.
Strong authentication on Office 365 ?
Microsoft Office 365 supports the following second factors:
- PhoneAppOTP: OTP generated by a mobile application on the smartphone;
- OneWaySMS: code received by SMS on the phone;
- PhoneAppNotification: notification sent to the smartphone (sometimes called "push notification");
- TwoWayVoiceMobile: code received by a phone call.
It is therefore quite easy to replace SMS with an OTP or a notification, provided that you manage to enrol users' smartphones, whether they are managed (corporate, controlled devices) or personal (more complicated, since it mixes private and professional life and the device is not under your control...).
Now you know everything 😃.