
Chrome lets hackers phish even 'Unphishable' Yubikey users - asm
https://www.wired.com/story/chrome-yubikey-phishing-webusb/
======
crispyporkbites
This is the attack:

> If a victim logs into a fake Google site, the phishing site passes on their
> username and password to the real Google login page. Then the spoofed site
> passes back Google's request for the user's U2F token and collects the
> Yubikey's unique answer, all via WebUSB. When that answer is then presented
> to the real Google site, the attackers gain access to the victim's account.

So basically they are somehow able to trick the Yubikey Neo into accepting a
challenge from a different domain, by using the WebUSB API.

Reading further:

> The technique would only work with U2F keys that offer protocols for
> connecting to a browser other than the usual way U2F tokens communicate with
> a computer, known as the Human Interface Device or HID, which isn't
> vulnerable to the attack. The Yubikey Neo, for instance, can also connect
> via the CCID interface used by smartcard readers

> An assumption was made by Chrome that all U2F is HID, which doesn't hold for
> the Neo, whereas Yubico made an assumption that USB will never be accessible
> by web pages directly

So:

- Don't use a Yubikey Neo anymore

- Don't use Chrome

- Don't use U2F because Firefox doesn't support it

- Never use your Yubikey because hardly anything supports it

Sigh

~~~
mfontani
> - Don't use U2F because Firefox doesn't support it

It does! Open about:config and switch security.webauth.u2f to true. It'll Just
Work.

I've in the recent past modified a barebones Perl webapp to try and understand
U2F better, see [https://u2fdemo.darkpan.com/](https://u2fdemo.darkpan.com/)

I've been able to log in / use U2F from:

* FF on Windows and OSX

* Chrome on Windows, OSX

* Chrome on Android using an OTG cable for a U2F USB key, a Bluetooth U2F key, or an NFC U2F key (works if you install Google Authenticator)

* Unfortunately, not FF on Android as I can't find how to enable U2F there yet :/

~~~
superdaniel
Firefox barely supports U2F. It works on Github and Dropbox, but doesn't work
on sites like Vanguard and Google. Every time I do a Firefox update I do a
search of the bug listing and they seem to have an incomplete implementation
of the spec. They're kicking the can until they fully implement the WebAuth
API and jump over dealing with whatever earlier spec they were targeting.

Speaking of which, why does Vanguard force you to still have SMS two factor
available even when you add a U2F device...

~~~
saltcured
The usual rationale from companies forcing SMS two factor is that you need to
have a convenient account-recovery mechanism before you enable something
strict and lock yourself out. They don't want the support cost of dealing with
these lockouts.

Unfortunately, these same companies often then claim that there is no harm in
SMS two factor since "clearly it is stronger than one factor". But they are
blind to their own systematic design flaw which is that the same SMS setting
to enable two factor also usually enables one-factor password-recovery via
this supposedly trusted phone.

Given what we know about SMS security, it is pretty obvious that one-factor
SMS is weaker than one-factor good strong password. And if the good strong
password can be merrily reset by whoever hijacks your phone, you have really
just decreased your security posture while performing this whole security
theater around two-factor and hardware tokens.

~~~
Too
SMS is already 2fa. You need the sim card and the pin code. Hence a hijacked
phone could be seen as stronger than a 1fa password.

~~~
tinus_hn
Unfortunately the network security is kind of a joke so an attacker can
intercept your messages if he is near you.

Not to mention that traffic inside the network is not encrypted so a lot of
parties have legitimate access to the messages anyway.

I understand your point but SMS should not be used as the only factor for
authentication.

------
cpburns2009
It's almost as if browsers are slowly reinventing Java applets while ignoring
all of the security implications that go along with it.

~~~
Santosh83
They're slowly inventing operating systems, complete with hypervisor
technology, with all the gargantuan complexity that it implies, to please big
business that wants the client OS to essentially become obsolete.

~~~
throwaway23424
The web browsers are so much more secure than what we had before (just
accepting executable binaries from other people), so I look at this as a way
forward.

~~~
cpburns2009
I'm not that confident. Browsers blindly accept and execute whatever they
receive. The more features that get added, the larger surface there is to
exploit. A case in point: WebUSB as mentioned in the article.

~~~
Ajedi32
The nice thing though is that, although the added attack surface is there, it's
not really accessible to web pages until a user grants the necessary
permissions. Not really all that different from telling users to execute a
native app in that respect.

In this case it's not even an exploit really; more like social engineering.
(Tricking users into granting the phishing site unrestricted access to their
Yubikey, then using that access to trick the user into authenticating a login
session for the phishing site.)

~~~
codedokode
Imagine if there is a USB device with a new Chrome WebUSB driver (which has the
necessary permissions) and then the vendor's website gets hacked.

------
LethargicStud
I'm unclear as to how this would work in practice. Chrome supports U2F out of
the box, so getting a big weird pop-up asking to access your USB device, you'd
at least be suspicious.

Upon registration, the server also collects a nonce, which is used for
verification[0]. The attackers would need to get that nonce from the site.
Hopefully, the site disables CORS so a phishing site cannot request a
challenge.

Lastly, on Linux (I know, a minority), you need to make an entry in rules.d[1]
to even allow Chromium to access USB devices.

I can see how this potentially maybe could catch someone, but I don't see it
as much of a risk.

[0]: https://blog.fastmail.com/2016/07/23/how-u2f-security-keys-work/
[1]: https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web

~~~
Ajedi32
Part of the problem is that, assuming you didn't know much about how U2F
works, it seems pretty natural for a site to request access to your YubiKey in
order to use it to authenticate you.

While it's obviously not a total solution, I do think that maybe the
permissions prompt should be a bit more scary:
https://developers.google.com/web/updates/images/2016-03-02-access-usb-devices-on-the-web/usb-device-chooser.png

I'd rephrase that to something more along the lines of "example.com wants full
control of". Maybe with an option for device manufacturers to opt-in to
support for WebUSB, allowing for protocol enhancements to improve security and
a less scary permissions prompt.

------
codedokode
What is the use case for WebUSB? Here [1] someone from Google suggests vendors
should write device drivers in Chrome HTML and Chrome Javascript. Please
don't.

Or (my assumption) it might be for devices that cannot work without a browser
and network connection.

[1] https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web

~~~
Ecco
Well, we found it really, really useful!
https://www.numworks.com/blog/webusb-firmware-update/

~~~
makomk
Yeah, the great thing about WebUSB is that it can easily be used to upgrade
devices to new firmware with new features. For example, suppose that some end
user's USB device lacks the ability to act like a USB Rubber Ducky and inject
malicious keystrokes in order to compromise their machine. WebUSB allows a
clean, easy way to fix that remotely.

WebUSB terrifies me.

------
anfilt
A website should never have access to USB devices with just an allow prompt.
Imagine taking control of a USB mouse or keyboard... You could then just take
control of the machine...

------
andybak
Didn't lots of people suggest this kind of thing as a potential issue when
WebUSB was first mooted?

------
exabrial
I wish channel bound tokens were _mandatory_ in the u2f spec, or a browser key
was part of the auth request to the token, for exactly this reason. U2f is
"optionally" unphishable.

~~~
eximius
FIDO discussed this on their site. It's optional so corporate firewalls that
perform MITM can continue to work with U2F.

~~~
exabrial
... sigh.

~~~
eximius
I mean, if you want a standard for everyone, it's hard to ignore where most
people work.

------
basicplus2
It seems like I am often reading about reasons why not to use Chrome...

Are there any good writeups about the security of different web browsers?

Is Chrome a real issue?

~~~
Sylos
I can't imagine that there would be such a writeup. Even just trying to
understand the security framework of one browser is a gargantuan task.

As for Chrome being a real issue, some points off the top of my head:

- Its extension store breeds out malware in regular intervals (feels like
there's headlines about that at least every other month).

- Pretty bad autofill exploit that was left unfixed for years:
https://github.com/anttiviljami/browser-autofill-phishing (Might've been
fixed in the past year, I haven't checked, but I doubt it.)

- Chrome Sync is not end-to-end-encrypted without the use of a second
password, which effectively means that it is unencrypted for 99.9% of Chrome
users. Google also actively uses this data, weaving your browsing history into
the profile that they keep of you. So, if they ever have a data leak, a lot of
data is going to come from people using Chrome, too. The NSA/CIA/FBI also tap
into this data, possibly using it for cyber war attacks, so if you live in a
country other than the USA, you're making yourself a prime target and an easy
target by inputting this data through Chrome.

------
ezoe
At this rate, you should rather write down the passwords on paper and stick it
to the computer.

Sure, it's vulnerable to the man behind your back. But if such threat exists,
you shouldn't type your password anyway.

------
christefano
Well, that's ironic. Just yesterday I subscribed to a magazine that offers a
Yubikey as a free gift. The magazine? Wired.

It looks like this vulnerability is limited to Chrome at the moment. Good to
know if using Chrome (or even Epichrome for SSBs) when doing things like
online banking.

------
nimbius
U2F != OTP, which is Yubikey 4. For some reason the FIDO alliance decided they
didn't want OTP.

Yubikey 4 allows OpenPGP keys as well as OTP Yubikey functionality, making it
half HSM/half token. The FIDO keys offered by Yubi only do asymmetric
cryptography.

~~~
Buge
> For some reason the FIDO alliance decided they didn't want OTP.

OTP is regularly phishable, not requiring any WebUSB. Before this WebUSB
attack, U2F was unphishable.

------
ewindisch
The Yubikey is great and has uses outside of U2F, which I've never had much
faith in.

~~~
eximius
U2F is actually a very cool spec, basically a user friendly version of client
side certificates (which could be user friendly, but aren't).

What are your concerns?

------
vanadium
The Ledger Nano S also uses WebUSB to sign into the Stellar (Crypto) dashboard
and can be used as a U2F authentication device.

I'm curious (assuming even) that it could be subject to this exploit?

------
valkum
hmm. I assumed U2F does not protect you from phishing. It just adds a second
layer of protection to your account. Protecting you from credential theft. U2F
antiphishing stuff implemented by chrome is just a neat little extra. Is this
behaviour of checking the origin in the spec?

~~~
Ajedi32
Yes, preventing phishing by only sending credentials to the appropriate
origins is a very important part of the spec:
https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html
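The origin binding valkum asks about, and the challenge check LethargicStud raises earlier in the thread, as an added example written for this page (Go; not code from the FIDO spec, Yubico, or anyone in the thread): a toy token signs the U2F authentication message, and a relying party checks that the signed clientData names its own origin and challenge. Note that the token only ever sees two hashes; it is the browser that records the real page origin on the HID path, and that is the step a page driving the key directly over USB sidesteps. The function names signedBytes, signAssertion, verify and newKey are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData is built by the browser; its SHA-256 is the challenge parameter the token signs.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedBytes is the U2F authentication message: appParam || flags || counter || challengeParam.
func signedBytes(appID string, flags byte, ctr uint32, cd []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	msg := append(app[:], flags, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	return append(msg, chal[:]...)
}

func newKey() *ecdsa.PrivateKey { // stands in for the per-site key pair a token makes at registration
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// signAssertion models the honest HID path: the browser records the real page origin in clientData and the token signs the two hashes it is handed, never seeing the origin itself.
func signAssertion(priv *ecdsa.PrivateKey, ctr uint32, origin, appID, challenge string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"navigator.id.getAssertion", challenge, origin})
	d := sha256.Sum256(signedBytes(appID, 0x01, ctr, cd)) // 0x01: user-presence bit set
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, d[:])
	return cd, sig
}

// verify is the relying party's check on the origin and challenge bound into the signed clientData.
func verify(pub *ecdsa.PublicKey, appID, challenge string, cd []byte, flags byte, ctr uint32, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Typ != "navigator.id.getAssertion" || flags&0x01 == 0 {
		return errors.New("malformed clientData or no user presence")
	}
	if c.Origin != appID || c.Challenge != challenge {
		return errors.New("assertion was signed for another origin or challenge")
	}
	d := sha256.Sum256(signedBytes(appID, flags, ctr, cd))
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Because the counter and clientData hash are under the signature, a relying party can reject a replayed or re-targeted assertion, but it has no way to tell whether the origin string in clientData was written by an honest browser or by whoever held the USB handle.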

