To wrap up my coverage of the show, here’s some additional odds and ends of what I learned about, including a look at Yubico and their new Yubikey 5Ci, biometric authentication hacks, and more.
Yubico announces Yubikey 5Ci availability
Yubico announced the general availability of their latest Yubikey on Wednesday, the Yubikey 5Ci, which features a Lightning connection on one end and a USB-C on the other. This means iOS and macOS Yubikey users no longer need adapters to use their hardware security key. The Yubikey 5Ci costs $70.
I met with CEO Stina Ehrensvard at Black Hat to talk about what Yubico was up to in 2019. Some of Yubico’s current focus, alongside releasing the 5Ci, is on working to reverse the stigma around physical security devices. Stina said that companies have told her things like, “we just eliminated tokens/dongles and now we need hardware keys?” Employees have never been particularly big fans of tools like RSA securid. With Microsoft, Google, and other vendors pushing hardware keys, we’re bound to see wider acceptance eventually.
Stina explained that Yubico has no plans to release a Bluetooth Yubikey, preferring to continue using NFC since the former requires a battery and wasn’t originally created with security in mind. Yubico feels the next challenge is in figuring out how you tie the authentication key to one person and feel secure in the knowledge that it’s really them; the keys aren’t tied to identity just yet.
Yubikey 5Ci thoughts
I got to try out the new Yubikey 5Ci, testing it with a few different services, just to get a feel for using it. (You can see my review of the Yubikey NEO to get my thoughts from last year, too.) The first site I paired the key with was Twitter. I plugged the Yubikey 5Ci into my MacBook, which predictably thought it was a keyboard, but it still paired to my Twitter account through Chrome just fine. After downloading the Brave browser on iOS (Chrome on iOS doesn’t yet work with hardware keys—I tried, same with the Twitter app), I signed into Twitter and plugged in the Yubikey 5Ci and had no issues. I normally use the native iOS Safari browser, so this required an extra step, but not a big deal. The Yubikey also works with LastPass Premium, 1Password, Github, and more.
USB-C iPad Pros do not yet support Yubikey 5Ci. I reached out and Yubico told me that “some capabilities are not currently supported on iPad Pro models with USB-C.” Hopefully, a future version iPadOS changes this, but we’ll have to wait and see (Apple keeps things very locked down). The older iPad models with Lightning support Yubikey much in the same way as your iPhone.
We’re at the point that hardware security keys are becoming easier for more and more consumers to use. I previously looked at how you can still use FIDO, albeit in a limited form, on macOS and iOS.
I briefly mentioned a session around liveness hacking in my first Black Hat article, but I wanted to go a little further in depth here, explaining some of what the researcher covered. Yes, some of the attacks are silly and easy to mitigate, but interesting to see what steps people go through to hack someone.
The researcher explained some of the issues with trying to get around facial and voice recognition products. Fake voice can create playback reverberation and background noise issues, while trying to bypass facial recognition can lead to focus blur, texture, and HSL (hue, saturation, lightness) color loss.
So, they thought about what if you inject the signal into the device directly? You can eliminate info loss, hide attack medium characteristics like the above, and is often undetectable at a system level. You would need to ensure the injection solution had low latency to prevent recognition failure and provide real-time fake data importing.
The researcher showed off two demonstrations. The video injection one focused on tricking a smartphone into accepting a PC-generated fake video (where they moved the still image to try and fake liveness). They created an injection attack device that connects to the PC and device with an Android development board connected to a Toshiba TC358749XBG chip that converts an HDMI stream from the PC to MIPI camera serial interface into the smartphone. This helps emulate a video stream captured by a native camera.
The second demo showed how to trick voiceprint authentication systems. Much like the video injection one, you use the PC to generate the fake audio, then connect to an audio-to-mic module, which then connects to the microphone jack. Of the two attacks, this one is easy enough to mitigate by simply not allowing voiceprint authentication via microphone cable.
The last demo covered the sillier hack, which involved taking glasses and covering the middle of the lenses with a strip of black tape and a dot of white tape. The researcher then placed the glasses upon the sleeping victim and that was enough to trick the device into unlocking. This was due to Face ID not relying on 3-D info when the user wears glasses, using 2-D characteristics instead. Jack and I actually tested this method ourselves and found that it actually worked fairly well to unlock Jack's phone since he wears glasses normally, but we couldn't unlock my iPhone.
Airlines sending unencrypted data
I spoke to Wandera’s Michael Covington about the latest regarding some recent airline vulnerabilities. While this isn’t an area we normally cover here, it was still interesting as it highlights the continued struggle between providing a good user experience with security.
A few months back, Wandera found that several airlines were sending users unsecured check-in links through email. When the user clicked on the link, they are automatically logged in so they can easily check in, without any further authentication. Unfortunately, anyone on the same network could intercept the link. Navigating to the URL would log them in, and give them access to customers’ personally identifiable information (PII), such as names, booking references, boarding passes, and flight numbers and times. In addition to being able to collect PII, attackers could also use that same info to make changes to the person’s flight (seat assignments, adding/removing bags, etc.), change info, and all the way up to printing out a boarding pass.
Along the same lines, Wandera also found that British Airways sent vulnerable check-in links to users, except this time the problem was that the URL parameters included the booking reference and last name. An attacker on the same Wi-Fi network could see that URL, which contained PII. Wandera says that the links are subject to replay attacks, but attackers already have enough PII to impersonate and log in as the customer through the ba.com website. The booking reference and your last name are pretty important—they can be used to collect lots of PII if there’s no other authentication used (using additional authentication at this step is one of Wandera’s recommendations).
These vulnerabilities show some basic lessons about authentication and protecting PII—Black Hat was great for learning new ways that these can crop up.
Windows process injection library
Lastly, I spoke with SafeBreach CTO and co-founder Itzik Kotler and VP of security research Amit Klein about Windows process injections. SafeBreach researchers spend some of their time trying to discover new process injections techniques, and, in doing so, noticed that no one had put together a repository of the known techniques. So, they decided it was time that someone put together a catalog of process injection techniques that those in the industry could refer to. Once they created a collection, they went a step further and created a C/C++ library called Pinjectra. It’s a free, open-source tool that allows anyone to test process injection techniques.
Until the next Black Hat!
As you can see from my articles covering the show, I learned quite a lot during my two days at the conference, both from sessions and in speaking with several vendors. Excited to see what next year brings!