Great Update, but “TL;DR: Don’t Turn It On”

As the UK wrestles with the Frankenstein's monster that is end-to-end encryption (E2E), much of the cybersecurity community knows that it has been the saviour of our flawed Internet. The protocols used to create the Internet never really had a focus on cybersecurity; they just needed to make sure that a packet from one computer would arrive at another in a reliable way. If we were to start again, we would certainly encrypt our data at its core, and not rely on network protocols to perform our encryption.

And so you would hope that the fundamental building blocks of our more secure Internet are solid, as so many things are built on them. But think again. Here is a recent blog post outlining the risks of the new Google Authenticator 2FA update [here].


The new update addresses a real problem with our authentication: what happens when you lose the device that holds your main authenticator. The update synchronises your 2FA secrets across a number of your devices. But a forensic analysis of the network traffic found that the synchronisation traffic carrying the added authentication services was not end-to-end encrypted: once the transport layer is stripped away, the secrets are sitting in plain view in the sync payload.


Overall, a simple conversion from hexadecimal to Base32 (an encoding, not an encryption method!) revealed the secrets that are being stored on Google's servers.


The risk is that a 2FA QR code carries a secret value (the seed) that is used to generate every one-time code. If this secret is known, anyone can generate the same one-time codes and so bypass 2FA.
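As an added worked example (not code from the original post), the following Python shows the whole chain: it re-encodes raw seed bytes, as they would appear in a hex dump of a sync payload that is not end-to-end encrypted, into the Base32 string an authenticator app expects, rebuilds the otpauth:// URI a QR code would carry, and then generates the TOTP codes from that seed exactly as the app would. The "captured" hex is constructed from the RFC 6238 test seed rather than taken from real traffic, and the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample: raw TOTP seed bytes as they might appear in a hex dump of
# a sync payload. This is the RFC 6238 test seed ("12345678901234567890"),
# not a real captured secret.
CAPTURED_HEX = "3132333435363738393031323334353637383930"


def hex_to_base32_secret(hex_str: str) -> str:
    """Re-encode raw seed bytes as the Base32 string authenticator apps use.

    This is the conversion step: an encoding, not a decryption. If the bytes
    are visible, the secret is visible.
    """
    raw = bytes.fromhex(hex_str)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)            # restore Base32 padding
    key = base64.b32decode(secret_b32 + pad, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """Rebuild the otpauth:// URI that the original enrolment QR code carried.

    Anyone holding this URI can enrol the same account in their own app.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = hex_to_base32_secret(CAPTURED_HEX)
    print("Base32 secret:", secret)
    # Placeholder issuer/account names; a real payload would carry the
    # victim's own labels.
    print("otpauth URI:  ", otpauth_uri(secret, "ExampleCorp", "alice@example.com"))
    print("Current code: ", totp(secret, int(time.time())))
```

The `totp` output for the RFC 6238 test seed at T=59, 1111111109 and 1234567890 reproduces the RFC's published vectors (the last six digits of 94287082, 07081804 and 89005924), which is the point: there is nothing device-specific in the computation, so whoever reads the seed off the wire or out of the server-side store holds the second factor.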


Conclusions

We are increasingly using these 2FA authenticators, and they have become the root of our identity. Most of us now log into systems using these magical codes. But they are a significant attack vector, and revealing the secret value that you use to authenticate yourself leaves you open to attack from adversaries. Basically, if it is core security, it needs to be designed properly; otherwise we build on sand.