I posted a link to Twitter earlier on a recent discovery of the ability to clone RSA SecurID soft tokens:
It (rightfully so) received some critical responses by @wh1t3rabbit & @wikidsystems since, apart from what the hypesters may say, this is a low-risk weakness.
@Wh1t3Rabbit @hrbrmstr once you own the machine and can enumerate SIDs in AD, aren't you in? And, don't you still need the PIN?
— Nick Owen (@wikidsystems) May 22, 2012
Think about it. Just looking at the two most likely threat actors & actions: an insider trying to siphon off soft tokens and an external attacker using crafted malware to grab soft tokens. The former (most likely) knows your organization is using soft tokens (and probably has one herself). The latter is unlikely to just try to blanket siphon off soft tokens so they’ll have to do some research to target an organization (which costs time/money).
Once a victim (or set of victims) is identified, the cloning steps would have to be perfectly executed (and, I’m not convinced that’s a given). Let’s say that this is a given, though. Now both the insider and external agent have access to the bits to clone a token. It is easier for the insider to get that data, but the external attacker has to exfiltrate it successfully somehow (more complexity/time/cost).
To be useful, the attacker needs the user id, PIN and – in most implementations – a password. An insider would (most likely) know the user id (since she probably has one herself) but that data would require more time/effort/cost to the external attacker (think opportunistic keylogger/screenscraper with successful exfiltration). For both attackers, getting the password requires either social engineering or the use of a keylogger. Even then, there’s a time-limit of 90 days or less (since, if you’re using soft tokens, you probably have a 90 day password policy). That shrinks the amount of time the attack can be successful.
Now, both attackers need to know where this soft token can be used and have direct access to those systems. Again, probably easier for an insider and fairly costly for an external attacker.
Looking at this, there’s definitely a greater risk associated with an insider from this weakness than there is from an external party (as pointed out by the aforementioned Twitter commentators). As @wikidsystems further pointed out, this also shows the inherent positives of multi-factor authentication: you need far more component parts to execute a successful attack, making the whole thing very costly to obtain. Security economics FTW!
My comment has been that if using the TPM store for Windows-based SecurID soft token implementations negates this weakness, then why not do it? Does the added deployment & management complexity really cost that much?
In the end, I would categorize this weakness as a low risk to most organizations using soft tokens with a non-TPM storage configuration. Unless you know you’re a nation-state target (my opinion on the origin of the attacker) – and, even then, you’re probably using hard tokens – far too many celestial bodies need to align for this weakness to be exploited successfully.
NOTE: This post was not meant to be a comprehensive risk assessment of the weakness and does not cover all attack scenarios. I left out many, including Windows desktop administrators and privileged script access. I was merely trying to do my part to counter whatever hype ensues from this weakness. Comments on those vectors or the analysis in general are most welcome.
2 Comments
Hey Bob,
Good assessment. There is a noticeable need to wave hands and hype up issues like this when they’re identified to generate interest, perhaps push a little FUD, and satisfy an agenda otherwise known only to the hype-ster.
Is this a risk? Yes, absolutely. Unfortunately, it is also (sadly) likely that the administrator’s dog is held hostage in order to gain access to the system through blackmail. I would agree with you – this is low-risk – especially given the complexity with which the attack must be executed… and if someone is going to go through all that, there is probably a much easier path to infiltrate/exfiltrate.
Yes, the industry hypes it, and soon it will be discussed at a conference somewhere as the latest threat against this authentication method… I guess I’m just desensitized to the hype.
/Wr
Nice article, well written and balanced.
Hard tokens are arguably more secure than soft tokens, however the latter can provide a little more convenience and hence may be adopted in areas/applications with less privilege and risk.
The original post also makes a presumption about being able to complete one of the steps without actually doing so. It would be interesting to see a real-life replication of this.
Factor in the pre-requisites of a successful attack (either root kit or physical access & account compromise) and you can gain a realistic risk assessment in real life.