SAN FRANCISCO -- Don't use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it's running, two security researchers said at the RSA Conference here earlier this week.
Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, for two-factor authentication is better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out of date or the mobile device is otherwise insecure.
"You don't want the risk associated with 32-bit iOS," said Turner, adding that you should use only iPhones that can run iOS 13. "In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices."
Turner, who is the president and chief security officer of enterprise-security provider HighSide, warned the audience to stay away from one well-known Android brand.
"[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year," Turner said. "Stop buying their stuff."
To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and the study authors later said "they got it wrong" regarding Samsung's issues, without going into further detail. (Slides for Turner and Weidman's presentation are available on the RSA website.)
The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens.
"One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts."
Some Android phones are safer than iPhones
And don't think iOS devices are safer than Android ones -- they're not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage.
The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman, founder and chief technology officer of Washington-area mobile security provider Shevirah, Inc. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits."
"We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."
Attacking from underneath
Authenticator apps beat SMS-texted codes as 2FA second factors because app codes can't be intercepted over the air, aren't tied to a phone number and are generated on the device from a secret that never leaves it. But authenticator-app codes can still be stolen in phishing attacks and, as we saw yesterday, by Android malware in screen-overlay attacks.
However, even the best training against phishing attacks and the best Android antivirus apps won't stop attacks that come from the kernel, the underlying part of the mobile operating system to which the user doesn't have access.
"What could possibly go wrong when installing a user-mode application with sensitive cryptographic key materials on a platform with kernel vulnerabilities?" Turner asked rhetorically.
Kernel vulnerabilities also can be used to hack two-factor push notifications, which Google uses for its own accounts and which can't be phished.
In short, "we need to move away from usernames and passwords," Turner said.
Fingerprints aren't the answer, but this might be
Asked about biometric authentication such as fingerprint readers and facial recognition, Weidman said that it's "better than nothing when used in addition to passwords."
Turner wasn't so sure.
"I am fundamentally opposed to using biometrics because it's non-revocable," he said, citing a famous case from Malaysia in which a man's index finger was cut off by a gang to steal the man's fingerprint-protected Mercedes. "Fingerprint readers are biometric toys."
The only form of two-factor authentication without security problems right now, Turner said, is a hardware security key such as a YubiKey or Google Titan key.
"I've got two YubiKeys on me right now," Turner said. "Hardware separation is your friend."
And according to SnoopSnitch, my Galaxy S8 has every patch it's supposed to have.
"Among the top 10 smartphone makers, nearly 96% of Nokia smartphones, sold cumulatively since Q3 2018, is already running on Android Pie or have had an Android Pie update issued to them. Samsung closely follows Nokia with 89% and Xiaomi with 84%. Xiaomi is good at ensuring its mid-price range products launch with the latest version of Android," per Tarun Pathak, Counterpoint associate director.
Next, I am not sure what one commenter's beef is with Lenovo. The only connection that I could find linking Lenovo to the Chinese government is that Lenovo is a publicly listed company with headquarters in Beijing, China, and Morrisville, North Carolina, United States. The company does a lot of business in the US and has never been called out by the US government for spying or for selling technology to Iran. I have a Lenovo product in my house that is actually somewhat old and it still receives occasional security updates.
China is an open global market for consumer electronics. Lenovo and Xiaomi are competing in China against Apple and Samsung. These companies would not survive if they could not meet the expectations of their customers. With Xiaomi and OnePlus in particular, both companies have built up a cult-like following by catering to tech gurus such as myself, who are fans of modifying the OS with custom operating systems called custom ROMs.
We are able to remove all advertising and use Android open source, along with Google Apps, which can operate only under the strictest protocols. In addition, it is quite easy to keep updated with monthly security updates released by Google.
In addition, all of these devices can be encrypted, and once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process. Encryption ensures that even if an unauthorized party tries to access the data, they won't be able to read it. This experience has also allowed me to personally review open source provided by the companies listed above, and I can assure you that nothing nefarious is happening.
Tom's Guide doesn't make the lion's share of their money from Apple and Google directly, mostly ads for random gear and product shout-outs with affiliate links. They're simply reporting on a recent security talk, at a security conference where talks like this happen amongst security professionals. It's a good article.
All modern devices have storage encryption. This discussion was about other vulnerabilities.
As for communists, I don't have anything against them - it's a different way of living, that is not my own. As for China tech, I stand with opinions of this nature: https://www.theverge.com/2019/3/17/18264283/huawei-security-threat-experts-china-spying-5g
I liked custom ROMs back in the day; I was using MIUI ROMs on my rooted Androids before Xiaomi had major market hardware available. I ended up switching to iOS jailbreaking, and today I only run the latest versions of stock iOS for fear of being pwned.
Yes, the original Hack-in-the-Box paper claimed that Samsung was missing a huge number of patches, but the researchers acknowledged afterwards that their methodology was flawed and in fact, when they re-examined the data, they found that Samsung was among the best in class and very complete in their patching, and they acknowledged this fact on their web site as well as in an updated slide deck, in which they also apologized to Samsung for their error.
Share your sources please, RSA is not a sensationalist source, it's a respected security conference. :)
Also read the updated slide deck .pdf where the following statement of apology was added "The initial version of this talk also showed a Samsung J3 device as having multiple patch gaps. These gaps were measurement errors that have since been corrected for. Sorry, Samsung! "
RSA is definitely NOT supposed to be a sensationalist source, which is why it's so surprising that the president and CSO of a company would make such a claim based on a 2-year-old paper that was acknowledged by the original author to be flawed, and tell everyone to stop buying a company's devices without carefully checking his sources, basically opening himself, his company and RSA up to a potential lawsuit. Same goes for the reporter, who covered the original HITB presentation in 2018 and should have been aware of this, and even if not, should have checked sources even though RSA is supposed to be a reliable source.
I'm not saying that Samsung is totally innocent in all things, but the incidents you've cited are basically a marketing organization that's a bit "ethically challenged" (as if all marketing isn't to some degree) in promoting their product vs. the security organization, which has historically been quite open.