Man-in-the-middle attacks show the perils of certificate pinning.
A recently discovered vulnerability in the mobile apps of several major banks has exposed customers to potential data theft. That’s because a certificate pinning error left those customers susceptible to man-in-the-middle attacks, which in turn put their credentials – usernames, passwords, personal information, banking info – at risk of theft.
A man-in-the-middle attack is precisely the kind of thing an SSL certificate is supposed to prevent in the first place. But when key pinning goes wrong, this is what can happen. Vince wrote a great piece on why Key Pinning is dangerous earlier this year. To summarize, pretty much everyone around the industry discourages pinning. For one, it can lock you out of your own site. And it can also expose your visitors to security risks. Even Google has deprecated support for it.
While certificate pinning usually improves security, a tool the researchers developed to perform semi-automated security testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim’s online banking. The problem is that certificate pinning can hide the lack of proper hostname verification: the app checks that the certificate chains to the pinned key, but never checks that the certificate was actually issued for the bank’s hostname, which is what makes the man-in-the-middle attack possible.
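To make the mechanism concrete, here is an added example (not code from the original post or from the researchers’ tool) in which the pin is placed on the issuing CA’s public key, as the affected apps did. The certificate fields, the CA key bytes and the hostnames are all constructed; the point is that the pin-only check accepts any certificate the pinned CA issued, while the corrected check also matches the certificate’s names against the host the client connected to.

```python
# Added example: a pin-only check versus a pin-plus-hostname check.
# Certificate contents and CA key bytes below are constructed stand-ins.
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for the fields a TLS client inspects (constructed)."""
    subject_cn: str
    sans: list           # dNSName entries from subjectAltName
    issuer_spki: bytes   # DER SubjectPublicKeyInfo of the issuing CA


def spki_pin(spki: bytes) -> str:
    """HPKP/OkHttp-style pin: base64 of SHA-256 over the DER SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact, or one leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and never a bare suffix like "*.com".
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def verify_pin_only(cert: Cert, pinned: set) -> bool:
    """The flawed check: accepts anything chained to the pinned CA."""
    return spki_pin(cert.issuer_spki) in pinned


def verify_pin_and_hostname(cert: Cert, pinned: set, host: str) -> bool:
    """The corrected check: the pin AND the name the client actually connected to."""
    names = cert.sans or [cert.subject_cn]  # SANs take precedence over the CN
    return verify_pin_only(cert, pinned) and any(hostname_matches(n, host) for n in names)


# Constructed sample data: the bank's leaf and an attacker's leaf from the same CA.
CA_SPKI = b"constructed-ca-spki-bytes"
PINS = {spki_pin(CA_SPKI)}
BANK_CERT = Cert("mobile.example-bank.com", ["mobile.example-bank.com"], CA_SPKI)
OTHER_CERT = Cert("other.example.net", ["other.example.net"], CA_SPKI)
```

Run against `OTHER_CERT`, `verify_pin_only` returns True while `verify_pin_and_hostname` returns False; that gap is exactly what a test that only exercises the pin would miss.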
Man-in-the-middle attacks allow an attacker to position themselves between a client and a server. The client and server both think they have a direct connection, but all information being exchanged is filtered through the attacker. You can imagine the possibilities this arrangement creates: stealing credentials, spoofing the website the visitor is headed to in order to phish them, or impersonating the user and causing problems on the server.
The point is, this shouldn’t happen. The pinning error basically allows the attackers to use the anonymity encryption grants to obfuscate their own malicious behavior. It also prevented penetration testing from finding the vulnerabilities sooner. In fact, the Security and Privacy Group actually had to develop a special tool to test for it.
“As this flaw is generally difficult to detect from normal analysis techniques, we have developed a detection tool that is semi-automated and easy to operate. This will help developers and penetration testers ensure their apps are secure against this attack.”
While it’s not known whether the vulnerability had been exploited, its existence should give anyone who uses a banking app pause.
In fact, at the risk of sounding like a borderline technophobe, it’s probably better if you avoid mobile banking apps altogether. Between the issues with public WiFi and some of the other vulnerabilities facing mobile devices, you’re probably better off using a desktop computer where you can verify security certificates and ensure an encrypted connection.
Or you could actually get up and go the bank. Like, in person.
Does anyone still do that?