#HITBGSEC 2016 SG Conference Track D1 - Attacking Software Tokens - Bernhard Mueller

Traditional hardware 2FA tokens are increasingly being replaced by “soft” tokens – software OTP generators packaged into regular smartphone apps that run on iOS or Android. This is more convenient for users, but it also exposes the tokens to attacks by mobile malware and to manual attacks. To compensate for these risks, many software token vendors apply a combination of obfuscation, anti-tampering, and cryptography. The question is, how effective are these measures in protecting the users’ data?

In this talk, I show different kinds of attacks that can be used to reverse engineer OTP algorithms and extract the stored secrets. Techniques range from classical static and dynamic analysis to custom kernel sandboxes and full-system emulation. I demonstrate proof-of-concept exploits for current soft tokens of major vendors, and explain methods of assessing the effectiveness of a given set of obfuscation measures.

===

Bernhard is an uncertified semi-ethical full-stack hacker with a talent for hacking all kinds of systems. During more than a decade in the industry he has found dozens of zero-day flaws in widely used software, published attacks on core Internet protocols, and written award-winning papers. He is also a winner of BlackHat’s “Best Research” Pwnie Award.
Comments

So basically you have the physical device, you have the target app, you step it through to learn what it does. The only fix is to have a secure smartcard that has tamper detection.

_zproxy