
DontDuo: Bypass 2FA with DTMF Tones - _wldu
https://dontduo.com/
======
floatingatoll
To explain what's going on here for the unaware —

1) Duo is a commercial service that offers multi-factor authentication through
a variety of means, one of which is the Phone Call.

2) This site lets you register them as your Duo phone number, when demanded to
do so by someone who's trying to protect your high-value access from being
hijacked (such as your employer).

3) This site provides you a phone number that auto-accepts all Duo
authentication requests, even if you're asleep, offline, or otherwise not
authorizing the hacking activity.

4) This site has zero contact information and accountability, and could very
well be backed by a black market site that offers hackers lookup access for
any Duo phone number for $50/number.

NOTE: I, personally, would absolutely push to fire anyone I found using this,
no matter where I worked.

~~~
bscphil
It would help if Duo wasn't a closed off trash fire that no one should be
forced to use. I'm not condoning bypassing it if it's something your employer
has required, but there's really no excuse for not supporting an open method
like TOTP and/or security keys.

~~~
zzrrt
If it were free, I'd be pretty tempted to use it, and hope somebody would
notice my protest. Duo is thrust upon me by my university. I don't want to
install Duo's proprietary app for receiving pushes or generating codes (I
effectively can't anyway because my phone is de-Googled), and getting cell
reception to receive their call can be difficult in some buildings. The other
day it took three calls until the system detected my DTMF press, maybe because
I was sitting next to a loud fan.

I dabbled at reversing their Android app, but I saw some references to key
rotation and got disheartened -- I don't want to spend man-weeks on this. I
was hoping to see some URL I could hit and just get a TOTP secret.

To my uni's credit, they offer support for hardware tokens, and maybe someday
I'll get sick enough of the phone calls to start carrying one of those around.

Edit: Thanks to commenters in sibling threads with possible solutions to
extracting the secret.

~~~
dogma1138
It’s free for up to 10 users. I actually use it on some of my machines, with
the call back features disabled.

There should be a URL that gives you a QR code for the TOTP/DuoPush
enrollment.

~~~
bscphil
Parent means the DontDuo service isn't free, not Duo itself.

------
markstos
Or instead of handing over your second factor authentication to a startup web
service, you could buy a Yubikey, leave it on your keyring or plugged into
your laptop and just touch it.

Some Yubikey models also store the secrets that generate the frustrating 6
character TOTP codes. By pairing a Yubikey with a desktop app, you can
copy/paste the codes instead of the error-prone process of manually re-typing
them.

~~~
gruez
>Or instead of handing over your second factor authentication to a startup web
service, you could buy a Yubikey

...assuming the service in question accepts yubikeys, or even TOTPs. I've seen
plenty of services (mostly financial) that only allow sms or voice calls.

~~~
the_pwner224
Duo implements a proprietary setup layer over HOTP (counter based instead of
time based, useful for hardware key generators that don't have a clock). I
needed it for my University and internship, and was able to set it up on an
Android emulator (or rooted device), copy the secret key and counter off of
the app's config file, and then use it on my laptop.

On the computer I have ~/.totp/ which contains files like `github` with the
secret key as the file content. In my bashrc I made a function which runs
oathtool on the contents of the given filename to generate the 6 digit code
and then copies it to the clipboard with xclip (run it like `$ totp github`).

For the duo thing, I had to make the same `name` file with the secret key as
the content, and a `name-counter` file with an integer. I put a hotp function
in bashrc, so running `hotp name` generates the 6 digit code, copies it to the
clipboard, and increments the counter.

I had to tell Duo I was adding a tablet (since the emulator had no phone
number), it gives a QR code with a URL as a backup; I opened the URL in the
emulator which opened the Duo app in the emulator and finished the setup. Then
on the host computer run adb shell and cat out
/data/data/com.duosecurity.duomobile/files/duokit/accounts.json from the
emulator shell (or the shell on your rooted Android)

Get the 'otpSecret' and counter, at the end of otpSecret replace the \u003d
with its actual character: '=', then put the secret into the file ~/.otp/name
and the counter into ~/.otp/name-counter

Turns out I actually put a tiny script in my PATH instead of adding a function
to bashrc:

    #!/bin/bash
    # Read the stored counter as an integer ($(<file) and typeset need bash, not POSIX sh).
    typeset -i counter=$(<~/.otp/name-counter)
    # Generate the HOTP code for this counter from the base32 secret and copy it.
    oathtool --hotp -b -c "$counter" "$(<~/.otp/name)" | xclip -selection clipboard
    # Advance the counter so the next run produces a fresh, unused code.
    echo $((counter + 1)) >~/.otp/name-counter

On macOS there's a `clip` command which you will have to use instead of xclip
to copy to clipboard.

I have saved a very old (2 years?) version of the Duo APK which works great
for this (or at least was working great the last time I tried, 2 months ago).
The newer app versions refuse to run without Google Play Services, but you can
still make a throwaway android emulator with GPS. I'd like to share the APK I
have, but no way to do so without linking this pseudonym to my real
identity...

The most idiotic thing is that basically the entire 2FA ecosystem fucked up
into turning 2FA into phoneFA. Your password is a secret, it can be guessed by
some hacker on the other side of the world, so let's have two secrets, with
the second one being unguessably long and only known to your hardware, so that
it can make a human-sized login code. There are standards for this like TOTP
and HOTP, but instead of having basically password managers for these secret
keys, we get SMS auth and Duo and Authy, with no way for a normal person to
generate otp codes on their actual computer. Google Authenticator and even the
Duo app actually allow you to scan QR codes with TOTP secret keys and get the
6 digit OTPs from their app, but Duo itself won't let you use the standards to
login, or to do it on your computer.

For completeness, here's the TOTP function in my bashrc:

    # Generate the current TOTP code from the base32 secret in ~/.totp/<name>
    # and put it on the clipboard.
    function totp() {
        oathtool --totp -b "$(<~/.totp/"${1}")" | xclip -selection clipboard
    }

So if you have a file ~/.totp/github with the secret key as the content, you
would open a terminal (or something like Guake/Yakuake) and run the command
`totp github` and the 6-digit OTP would be in your clipboard.
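As an added example (not code from the thread, from oathtool or from Duo): the same HOTP/TOTP steps the two scripts above hand to oathtool, done in pure Python over a constructed accounts.json fragment that uses the `otpSecret` and `counter` field names quoted above. The sample data, the account name `uni` and the function names are assumptions; the part worth seeing is that the `\u003d` escape is plain JSON for `=`, and that the counter must be advanced after every code.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed sample shaped like the fields the poster reads out of
# accounts.json; not real Duo data. The "\u003d" escapes are JSON's
# encoding of the base32 '=' padding on the secret.
SAMPLE_ACCOUNTS_JSON = (
    '{"accounts": [{"name": "uni", "counter": 7, '
    '"otpSecret": "ORSXG5DTMVRXEZLUGE\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d"}]}'
)


def load_account(raw_json, name):
    """Return (secret_bytes, counter) for the named account.
    json.loads already turns \\u003d back into '=', so no manual replace is needed."""
    for acct in json.loads(raw_json)["accounts"]:
        if acct["name"] == name:
            return base64.b32decode(acct["otpSecret"]), int(acct["counter"])
    raise KeyError(name)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def next_hotp_code(secret, counter):
    """What the hotp script does: emit the code for the stored counter and
    return the counter to write back (incremented). Skipping the increment
    would re-present a code the server has already consumed."""
    return hotp(secret, counter), counter + 1
```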

~~~
bubblethink
I have been doing the same on AOSP with the andOTP app. Can't get why large
companies/universities have boners for proprietary crap like duo. A company
comes along and says, "Here's some textbook standard stuff, and here we add
our lock-in on top of it. Would you like the lock-in ?" And everyone says,
"Yes please."

For those suffering, this helps: [https://github.com/puddly/android-otp-extractor](https://github.com/puddly/android-otp-extractor)

Edit: Responding to your edit

>with the second one being very long and only known to your hardware. There
are standards for this like totp and HOTP,

TOTP/HOTP don't provide phishing protection. Neither does Duo (which is
largely HOTP), but that's a different issue.

>but instead of having basically password managers for these secret keys, we
get SMS auth and duo and authy, with no way for a normal person to generate
otp codes on their actual computer

SMS auth is terrible, but TOTP/HOTP are also hard to secure. There isn't a
meaningful way of securing the secret, and computers are far more insecure
than phones. You don't want your 2nd factor on the computer if that's your
first factor too. So the right way forward is hardware based keys. However, it
should all still be open standards based. Not some hacked up garbage that
needs google play services.

~~~
paranoidrobot
> Can't get why large companies/universities have boners for proprietary crap
> like duo.

It's like the classic HN argument of "Why don't you just use rsync/sftp vs
dropbox" - because it's easier. For users, for admins, for the business.

The biggest problem with rolling out 2FA is onboarding and adoption.

Onboarding people is a massive pain in the arse. Issuing hardware tokens to
people is even more of a giant pain in the arse, particularly if you have more
than a handful of people in more than one city or country.

We deployed Duo because it allowed us to add 2FA reasonably easy to a wide
range of services. It allowed us to require our contractors in countries like
India and the Philippines to use it. They all have phones, even basic android
devices can run it.

Rolling out physical tokens requires us to mail them out to people. Everything
we sent to our offices in Spain larger than a letter got caught in customs for
three months and/or "lost". Even USB thumb drives.

I've worked with people who are continually losing or destroying phones, keys,
wallets, etc. Making them carry a hardware token, which will also get
lost/destroyed means you're now constantly issuing them a new one.

On the systems side of things - it allowed us to add 2FA to devices that don't
support it, or don't support the same 2FA you've chosen for everything else.

On the support side of things, it was dead easy to have automatic
enrolment/signup based on existing processes (eg read LDAP/AD group
membership), and it has a UI that actually allows us to properly delegate
access to support staff.

Could we have rolled our own? Absolutely. But we'd have had to spend a lot
more time, and a lot more money setting it up and maintaining it, and it gives
_good enough_ security.

Our biggest threat isn't a nation state or directed attack where someone can
steal your phone and pull the token secrets.

Our biggest threat is Jim from Marketing who used the same damn password for
his corporate email as he used when signing up for MarketingCon, and then
having that registrant database leak.

~~~
bubblethink
I don't even have a strong objection to Duo or their offerings. If they can
make a buck by automating stuff or reducing friction, that's fine. The only
part I hate is the artificial end-user lock in. If they just called it HOTP
and let the users use whatever client they want, that would be ok. Instead,
they have this artificial wrapper around HOTP and make people use their app.

------
warhorse10_9
This is a horrible idea. I just can't. Why does this service even exist. I
seriously hope duo figures out the numbers this site is using and blacklists
them.

~~~
w8rbt
I think the point is that relying on phone calls and DTMF tones for two factor
authentication is trivial to bypass. Anyone can record DTMF tones in a
voicemail message and forward calls to that number.

~~~
Thorrez
What do you mean trivial to bypass? If I have an account secured with a
password and with Duo, then I give you my password, can you get into my
account? How?

~~~
notatoad
A "sim hijacking" attack is where an attacker calls your phone company and
pretends to be you. They claim to have lost their phone, and get a new sim
card issued to them with your phone number. When they put the sim in their
phone, the duo authentication message goes to their phone instead of yours.

any 2-factor system based on the phone system is no more secure than your
phone company's willingness to give away your phone number, and they're
usually pretty willing. I actually had this happen to me, in a benign way: my
employer started paying my phone bill, they transferred my phone number from my
personal plan on one carrier to the company plan with a different carrier.
Somebody at the office just handed me a new sim card and told me my old SIM
didn't work anymore - it required no interaction on my part to transfer my
number to a new plan with a new company. That's apparently just normal
procedure.

~~~
empath75
I worked at a voip company and we were once slammed by another voip company
who stole a block of 1500 of our phone numbers. It took 3 days to get them
back.

POTS telephones are a mess and should just be deprecated.

------
snek
Remove your account defenses while simultaneously giving authentication
information to a third party? What could go wrong‽

------
morpheuskafka
If you fill this out with the same email as the protected account, you're
basically inviting an untrusted third party to launch a brute-force attack on
your now-defenseless account.

Using this sounds like a good way to take liability when your account gets
hacked. It will not look good to be fired for intentionally defeating
corporate security systems.

------
goode
Duo was one of the last things keeping me from switching to Google-free AOSP,
and I toyed with a similar idea while trying to reverse-engineer a free
software replacement. Instead, I ended up writing a small tool that allows you
to use any old HOTP authenticator with Duo. I use FreeOTP+ on my phone, but
you could just as easily stick that HOTP secret in a script or onto a Yubikey.
You might find it useful if you're working your way up to 100% Stallman
status: [https://github.com/evan-goode/duolibre](https://github.com/evan-goode/duolibre).

By the way, I gotta say this project is pretty hilarious, and you're a true
baller for trying to sell this to people.

------
keyle
The website is strangely sparse. Just trust us. We're a website, we have
https. All I could work out is that they're apparently from Georgia according
to their generated T&C.

------
DKnoll
I got the trial. Gave me a 201 area code number. Called it and it waited some
seconds after answering, played a DTMF tone and hung up. No, I didn't test it
with Duo (lol). Every time this number receives a phone call it increments a
login counter on the dashboard.

~~~
floatingatoll
You may want to contact Twilio abuse and ask them if they operate that number,
and if so, point them to the terms of service that issued it and note that
they appear to be a fly-by-night credential harvester.

------
ars
I'm very confused about what this is.

Duo as in Google's Duo video calling? There's 2FA on that? I've never seen
any.

Or is there some other Duo it's referring to?

~~~
amanzi
I assume this is referring to Duo Security, owned by Cisco:
[https://duo.com/](https://duo.com/)

~~~
evancox100
I was just as lost as OP. Can someone also explain how it uses DTMF tones? Is
it using tones to deliver or receive 2FA codes? Scanned the above url but
didn't see the info.

~~~
URSpider94
You register with this service, get a new phone number from them that they
auto-answer, then provide this number to the security service. When the
security service calls this number, it will play back DTMF codes to simulate
whatever buttons you need to press to enter your code key.

