Banking Apps Found Vulnerable to MITM Attacks


Leading US and UK-based banks have patched a flaw found in their Android and iOS mobile apps that allowed adversaries to conduct man-in-the-middle attacks to steal customer credentials and view and manipulate network traffic.
According to researchers at the School of Computer Science at the University of Birmingham who found the flaw, the vulnerability affected nine apps belonging to banks such as Bank of America and HSBC, as well as the TunnelBear VPN app.
Researchers outline their findings in an academic paper (PDF) presented this week at the Annual Computer Security Applications Conference in Orlando, Florida. “This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks,” wrote co-authors of the report Chris Stone, Tom Chothia and Flavio Garcia.
The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically MITM attacks that rely on spoofing the certificate for a trusted app or website.
What researchers found was a vulnerability in each of the apps’ implementation of the certificate pinning and certificate verification used when creating a Transport Layer Security (TLS) connection. “TLS is a tricky protocol to get right: both misconfiguration vulnerabilities and attacks on the protocol are common.”
For example, last year Mozilla patched a highly scrutinized flaw in its automated update process for browser add-ons tied to the expiration of certificate pins that allowed attackers to intercept encrypted browser traffic, inject a malicious NoScript extension update and gain remote code execution.
“Automated tools do exist to test a variety of TLS flaws,” the researchers wrote. “However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname… We argue that conducting large-scale testing in this manner is difficult and expensive.”
As part of an effort to reduce cost and more easily identify pinning-related vulnerabilities at scale, the researchers released a zero-cost, automated testing tool called Spinner as part of their research.
The Spinner tool allows for more thorough testing of mobile apps, specifically how the apps perform hostname verification. As a result, researchers using Spinner identified ten instances where an app’s certificate pinning inadvertently masked improper hostname verification, allowing MITM attacks.
“Spinner (is) a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analyzing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning,” researchers wrote.
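To make the flaw the paper describes concrete, here is an added example (not code from the paper, the Spinner tool, or any of the affected apps) that models the two checks an app's TLS client must perform: the pin check, which only asks whether some certificate in the presented chain matches a pinned value, and hostname verification, which asks whether the leaf certificate was issued for the server the app meant to reach. The certificates are constructed stand-ins shaped like the dict `ssl.SSLSocket.getpeercert()` returns, with a fake DER byte string in place of real encoding, and nothing touches the network. The `spinner_style_check` function mirrors the black-box idea quoted above: offer a chain that satisfies the pin but belongs to a different hostname under the same CA, and see whether the verifier still accepts it.

```python
"""
Model of certificate pinning vs. hostname verification (constructed example).

A "certificate" here is a dict with a stand-in 'der' byte string (what a
real pin would hash) and a 'subjectAltName' tuple in the shape that
ssl.SSLSocket.getpeercert() produces. No network access is involved.
"""
import hashlib
from typing import Callable, Dict, Sequence, Set

Cert = Dict[str, object]


def cert_pin(cert: Cert) -> str:
    """SHA-256 over the bytes a pin is taken from (constructed: the whole DER)."""
    return hashlib.sha256(cert["der"]).hexdigest()


def chain_matches_pin(chain: Sequence[Cert], pinned: Set[str]) -> bool:
    """Pin check: does ANY certificate in the presented chain match a pin?
    When the pin is a root or intermediate CA, this passes for every
    certificate that CA has ever issued, whatever hostname it names."""
    return any(cert_pin(c) in pinned for c in chain)


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is allowed
    only as the entire left-most label and only with two or more labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or "*" in pattern[2:]:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def match_hostname(leaf: Cert, hostname: str) -> bool:
    """Hostname verification against the leaf's subjectAltName DNS entries."""
    sans = leaf.get("subjectAltName", ())
    dns_ids = [value for (kind, value) in sans if kind == "DNS"]
    return any(_dnsname_match(p, hostname) for p in dns_ids)


def verify_pinned_only(chain: Sequence[Cert], hostname: str, pinned: Set[str]) -> bool:
    """The flawed pattern the paper describes: pin checked, hostname ignored."""
    return chain_matches_pin(chain, pinned)


def verify_pinned_and_hostname(chain: Sequence[Cert], hostname: str, pinned: Set[str]) -> bool:
    """Correct pattern: pin check AND hostname verification on the leaf."""
    return chain_matches_pin(chain, pinned) and match_hostname(chain[0], hostname)


# --- constructed test data (not real certificates) ---
ROOT_CA = {"der": b"constructed-der:Example Root CA", "subjectAltName": ()}
BANK_LEAF = {"der": b"constructed-der:leaf-for-bank",
             "subjectAltName": (("DNS", "mobile.bank.example"),)}
# A certificate legitimately issued by the same CA, but for a different host.
OTHER_LEAF = {"der": b"constructed-der:leaf-for-other-site",
              "subjectAltName": (("DNS", "*.other.example"),)}
PINS = {cert_pin(ROOT_CA)}          # the app pins the CA, as the affected apps did
EXPECTED_HOST = "mobile.bank.example"


def spinner_style_check(verify: Callable[[Sequence[Cert], str, Set[str]], bool]) -> bool:
    """Black-box test in the spirit of Spinner: a chain that satisfies the pin
    but names another host under the same CA. A verifier that accepts it is
    missing hostname verification. Returns True when the verifier is vulnerable."""
    accepts_legit = verify([BANK_LEAF, ROOT_CA], EXPECTED_HOST, PINS)
    accepts_wrong_host = verify([OTHER_LEAF, ROOT_CA], EXPECTED_HOST, PINS)
    return accepts_legit and accepts_wrong_host


if __name__ == "__main__":
    print("pin-only verifier vulnerable:", spinner_style_check(verify_pinned_only))
    print("pin+hostname verifier vulnerable:", spinner_style_check(verify_pinned_and_hostname))
```

The point of the model is that the pin check and the hostname check answer different questions: a chain can match a pinned CA and still name the wrong server. On a real platform the hostname check is what the default `HostnameVerifier` (Android) or `ssl.create_default_context()` (Python) already does, so the defensive rule is to add pinning on top of the platform's verification rather than replace it with a custom trust manager that only compares hashes.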
Those apps that implemented certificate pinning but failed to verify hostnames correctly include: Bank of America Health, TunnelBear VPN, Meezan Bank, Smile Bank, HSBC, HSBC Business, HSBC Identity, HSBCnet and HSBC Private.
“We use Spinner to analyze 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable,” they wrote.
A typical MITM attack exploiting this flaw entails an attacker and victim sharing the same WiFi network. “Using ARP or DNS spoofing, the victim's traffic can be redirected to the attacker… When the victim attempts to use their vulnerable app, the attacker can intercept the TLS handshake and provide the app with a certificate signed by the certificate that the app pins to,” researchers wrote.
University of Birmingham researchers said each of the banks was notified of the flaws in their apps and the vulnerabilities have been mitigated.
