2013.11.22 - OTPs and platform trust

quite a few times i have heard and/or read that OTPs are secure because they can be used only once, therefore one can use them everywhere. one of the most astonishing examples i've heard of was using them to ssh to a remote server from an internet cafe! this is absolutely NOT secure, since OTPs are vulnerable to MitM attacks. in other words – the security of OTPs relies on a third party being unable to obtain the plaintext OTP before it has been used.

when logging in via an internet cafe you have no idea what {soft,hard}ware is running there and cannot assume it can be trusted. when logging in to some service, the easiest way to attack is to capture the OTP one just typed and send a different one to the server, causing an “access denied” screen for the unsuspecting user (oops – have i made a typo?) while in the background doing the actual correct login (the attacker now knows the OTP!). with the few seconds of delay before the user retries the login, the attacker can do whatever they want: install a backdoor via a remote service, change the login password, remove the account… you name it.
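the race described above, as an added illustration that is not part of the original post: a minimal HOTP-style (RFC 4226) single-use verifier, constructed here for the demo, and an untrusted terminal that submits the captured code before the user's own attempt reaches the server. single use does nothing here, because the attacker's submission is the first use.

```python
import hashlib
import hmac
import struct


class OtpServer:
    """Constructed model of a single-use OTP verifier (not a real product)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter        # next code the server will accept
        self.sessions = []            # who got a session, in login order

    def expected(self, counter: int) -> str:
        # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
        mac = hmac.new(self.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
        return f"{code % 10**6:06d}"

    def login(self, who: str, otp: str) -> str:
        if hmac.compare_digest(otp, self.expected(self.counter)):
            self.counter += 1         # the code is consumed on first valid use
            self.sessions.append(who)
            return "granted"
        return "denied"               # a reused or wrong code looks like a typo


def scenario(terminal_trusted: bool, secret: bytes = b"constructed-demo-secret"):
    """Return (attacker result, user result, sessions) for one login attempt."""
    server = OtpServer(secret)
    token = OtpServer(secret)         # the user's token shares secret and counter
    code = token.expected(0)
    attacker = None
    if not terminal_trusted:
        # the untrusted terminal sees the code before the server does and uses it first
        attacker = server.login("attacker", code)
    user = server.login("user", code)
    return attacker, user, list(server.sessions)
```

on a trusted platform `scenario(True)` grants the user; on an untrusted one `scenario(False)` grants the attacker and denies the user with the same code.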

even if you are logged in “the usual way”, a malicious system can still inject data – it is on the same physical machine you're on, after all. if this is a web-based account, it can still send its own requests in the background (consider a “background” money transfer being made when the user enters the next OTP for their own transaction). if this is a shell account, it can execute arbitrary commands, and if this is done as part of “logout”, the user will not be aware of anything (the connection can still remain open in the background).

what do all of these attacks have in common? the answer is: platform trust. you need to be aware of what machine you are running on and (most commonly) what software is (or can be) installed on it. be aware of the types of security measures you take and what they protect against. learn their weaknesses in order to avoid them. so are OTPs bad? no – they are excellent when used with care: by a conscious user, on a trusted platform and (preferably) as one part of a bigger security system (say: two-factor authentication).

i personally never use computers i do not own and administrate for any systems that require me to log in anywhere. or, in short: Life's not fair, but the root password helps

blog/2013/11/22/otps_and_platform_trust.txt · Last modified: 2013/11/22 10:13 by basz