There’s no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as “unphishable,” a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico’s last bastion of login protection.
Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google’s Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.
With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim’s Yubikey, using the response it provides to unlock that person’s account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)
Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn’t demonstrate a flaw in Yubico’s products so much as a very unintended byproduct of Chrome’s WebUSB feature, which the browser added just last year. “U2F is technically not broken, but it’s still phishable, which many people thought was impossible,” says Vervier. “It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable.”
When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers’ attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. “We are always appreciative of researchers’ work to help protect our users,” Brand wrote in a statement. “We will have a short term mitigation in place in the upcoming version of Chrome, and we’re working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited.”
Let’s be clear: Vervier and Orrù’s findings don’t change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it’s your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.
But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it’s designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.
That could enable, the researchers warn, a “man-in-the-middle” attack. If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google’s request for the user’s U2F token and collects the Yubikey’s unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim’s account.
“The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer,” says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù’s findings. “And then they put in another feature that subverts all the security they’d put in place.”
A Sophisticated Phish
The attack Vervier and Orrù imagine isn’t exactly easy to pull off, and would likely only be used by sophisticated hackers targeting high-value accounts. Aside from first requiring that a phishing site trick a victim into typing in their username and password as usual, the phishing site would also have to ask the user’s permission to enable WebUSB access to their Yubikey, and then tap the physical button on the key. But all of that could be achieved by phishers who trick users with a prompt requiring them to “update” their U2F token, or some other scam. After all, the only change from the usual login process would be that one added permissions prompt. “You could come up with a pretty plausible pretext,” says Orrù. “The user only has to click once.”
Vervier and Orrù note that their technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn’t vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers, offering another avenue of exploitation, but the Yubikey Nano, 4 Series, and the original, cheaper Yubikey aren’t vulnerable, they say—nor, based on their testing, were the Feitian keys recommended by Google for its locked-down Advanced Protection setting.
“This sounds like an assumption was made by Chrome that all U2F is HID, which doesn’t hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly,” explains Jonathan Rudenberg, an independent security researcher who has focused on U2F implementations in the past. The combination of those two assumptions adds up to a significant security vulnerability.
A Larger Problem
A long-term fix could take the form of tweaks to Chrome to block WebUSB connections to certain devices like the Yubikey Neo. But the problem could go much further than Yubikeys alone, potentially exposing a whole new class of devices to unexpected interactions with websites. Vervier and Orrù say they believe smartcard authentication systems could also be vulnerable, for instance, though they haven’t yet tested them.
“Google should have never shipped WebUSB in its current form,” says Rudenberg. “Users cannot be expected to understand the security implications of exposing their USB devices to potentially malicious code…I don’t think this is the last time that we’ll see WebUSB used to break things.” Rudenberg went so far as to quickly code a Chrome extension that disables WebUSB, which he recommends everyone install and use until they have a reason to enable the feature. Rudenberg says there’s no other easy way to disable the feature.
When WIRED reached out to Yubico for comment, spokesperson Ronnie Manning essentially placed the blame on Google’s browser. “Per the U2F protocol, the security key is not responsible for doing that verification” of the origin of authentication requests, Manning said in a statement. “In fact, they cannot do so effectively as they would have to rely on data passed by the browser, and if the browser is not trustworthy, neither is the data.”
Manning also noted that Chrome could give users the option to turn off WebUSB, or blacklist vulnerable devices like the Yubikey Neo. But he adds that “unless such a blacklist is complete and perfect, issues like this are possible with the current WebUSB implementation.”
As for Vervier and Orrù themselves, they say concerned Yubikey users should disable WebUSB, and that IT administrators should even consider setting a policy blocking it for all their employees. And they suggest a simpler solution, too: That users remain wary online, and think twice about where they enter their passwords. Despite Yubico’s “unphishable” marketing, it’s no substitute for some healthy skepticism.