Hardware tokens, small devices that produce a code or plug into your computer, provide possibly the best way to add an extra lock onto your email account. Whereas two-factor authentication sent by SMS can be intercepted, an attacker is probably going to have a harder time getting hold of the unique code these little gizmos generate.
But, it's not impossible. Two security researchers at the annual DEF CON hacking conference in Las Vegas presented several proof-of-concept attacks against popular hardware tokens, including the YubiKey.
"Hardware security devices are an improvement. They're great. They provide a level of protection nothing else does. However, we need to be mindful of our hardware, and just because we say this magic token is secure, we don't implicitly assume that," Joe FitzPatrick, one of the researchers behind the project, told Motherboard at the conference. Michael Leibowitz also worked on the research.
Image: Joseph Cox
On Github, anyone can download some code to emulate a YubiKey on an Arduino, a tiny computer similar to a Raspberry Pi. So the researchers took that, but rather than leaving the key as just a naked looking computer board, they also tried to copy the real YubiKey's appearance to create what they dub a DoobieKey. In a live demo, FitzPatrick and Leibowitz showed that the YubiKey servers recognized their device as a genuine YubiKey.
Although the proof-of-concept version likely wouldn't trick someone in the flesh, Leibowitz also presented a 3D-printed design that could make the key much more convincing. As for how an attack might work in practice, a hacker might make a batch of DoobieKeys and then hand them out to attendees at a crypto-party; gatherings where people meet to learn about encryption and security. When the victims go and link their fake YubiKey to their Gmail, for example, the attacker also has a copy of their two-factor token.
"It's a supply chain attack; you're modifying them before the user gets them," FitzPatrick told Motherboard.
Christopher Harrell, VP of engineering at Yubico told Motherboard in an email, "Today's hardware plus supply chain hacking demonstration at DefCon illustrated that when purchasing security products, both software and hardware, choosing a trustworthy source and carefully evaluating procurement and distribution channels are key. At Yubico, we manage our own supply chain and ensure that all factory provisioned device secrets are handled with care and are never exportable. The demonstrated attack did not compromise or bypass any functionality or keying material in the YubiKey."
The researchers also dug into RSA tokens, similar devices that display a code which a user has to enter into their computer. The fake RSA device broadcasts that verification code over bluetooth.
Hypothetically, the hacker "would be in proximity, and would basically tell the device to give it a code," FitzPatrick said. The other approach, he explained, would be for the malicious RSA token to constantly broadcast the verification key so any nearby bluetooth device could pick up the code.
For the RSA project, FitzPatrick is going to upload the board design to Github in the near future and potentially the code too so others can have a go at creating their own malicious token. Apart from that, attackers will need to get a specific board manufactured which would take a week, and buy a bluetooth module for around $10.
"The tough part would be getting the code to a workable state," FitzPatrick said.
Again, none of this research means that you generally should stop using hardware security devices. But it's still important to be aware of potential vulnerabilities so that those who may be under threat of these sort of attacks, even if fairly niche, can be informed and researchers find solutions.
"Keep using your YubiKeys, keep using your tokens," FitzPatrick said during the presentation.
Update: This piece has been updated to include comment from Yubico.
Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at firstname.lastname@example.org, or email email@example.com