[crispyporkbites]

This is the attack:

> If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google's request for the user's U2F token and collects the Yubikey's unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim's account.

So basically they are somehow able to trick the yubikey neo into accepting a challenge from a different domain, by using the webusb API.

Reading further:

> The technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn't vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers

> An assumption was made by Chrome that all U2F is HID, which doesn't hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly

So:

- Don't use a Yubikey Neo anymore

- Don't use Chrome

- Don't use U2F because FireFox doesn't support it

- Never use your yubikey because hardly anything supports it

Sigh

[mfontani]

> - Don't use U2F because FireFox doesn't support it

It does! Open about:config and switch security.webauth.u2f to true. It'll Just Work.

I've in the recent past modified a barebones Perl webapp to try and understand U2F better, see https://u2fdemo.darkpan.com/

I've been able to log in / use U2F from:

* FF on Windows and OSX

* Chrome on Windows, OSX

* Chrome on Android using either a OTG cable for a U2F USB key, a Bluetooth U2F key, and a NFC U2F key (works if you install Google Authenticator)

* Unfortunately, not FF on Android as I can't find how to enable U2F there yet :/

[mondoshawan]

It works, but only partially, and is still very very broken, which is why it is disabled in the first place. See also this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

[phyzome]

Nonsense. It works fine on Github, Fastmail, Gandi... it doesn't work on Google because Google uses a different spec. That bug is about making Firefox compatible with the variation that Chrome/Google uses.

[uiri]

That bug mentions that Facebook is also broken.

I am kind of surprised that the sites you mention can implement the spec correctly but Facebook and Google can't.

[phyzome]

Google is notorious for not following spec.

In this case, though, what happened is that Google implemented a different, earlier version of the spec than most everyone else. Mozilla is busy implementing that spec as well to bridge the gap.

[Dylan16807]

Google's CardDAV server isn't standards compliant (2014) https://news.ycombinator.com/item?id=16412730

I'm not surprised.

[superdaniel]

Firefox barely supports U2F. It works on Github and Dropbox, but doesn't work on sites like Vanguard and Google. Every time I do a Firefox update I do a search of the bug listing and they seem to have an incomplete implementation of the spec. They're kicking the can until they fully implement the WebAuth API and jump over dealing with whatever earlier spec they were targeting.

Speaking of which, why does Vanguard force you to still have SMS two factor available even when you add a U2F device...

[Shoothe]

> Firefox barely supports U2F.

Haha it's funny you put it this way because actually it's Firefox that implements FIDO U2F standard correctly and Chrome is not. Chrome uses low level API to communicate with their built in extension and the high level shim that they provide is not 100% spec compliant.

Google did not bother to use the U2F correctly on their accounts site, Github for example did it correctly and their 2FA works on any browser (that is FF and Chrome).

[saltcured]

The usual rationale from companies forcing SMS two factor is that you need to have a convenient account-recovery mechanism before you enable something strict and lock yourself out. They don't want the support cost of dealing with these lockouts.

Unfortunately, these same companies often then claim that there is no harm in SMS two factor since "clearly it is stronger than one factor". But they are blind to their own systematic design flaw which is that the same SMS setting to enable two factor also usually enables one-factor password-recovery via this supposedly trusted phone.

Given what we know about SMS security, it is pretty obvious that one-factor SMS is weaker than one-factor good strong password. And if the good strong password can be merrily reset by whomever hijacks your phone, you have really just decreased your security posture while performing this whole security theater around two-factor and hardware tokens.

[Too]

SMS is already 2fa. You need the sim card and the pin code. Hence a hijacked phone could be seen as stronger than a 1fa password.

[tinus_hn]

Unfortunately the network security is kind of a joke so an attacker can intercept your messages if he is near you.

Not to mention that traffic inside the network is not encrypted so a lot of parties have legitimate access to the messages anyway.

I understand your point but SMS should not be used as the only factor for authentication.

[saltcured]

Correct me if I am wrong, but these SMS-based login setups are only sending a message to your phone number. It's about as secure as sending an email to your email address. There is no end-to-end security between the original sender and the subscriber's phone and SIM card to ensure that the message only gets to the correct recipient.

You only need to hijack the victim's phone number so that messages are sent elsewhere. This can be done by technical or social hacks such as porting the subscriber's number to a new provider or pretending a phone was lost and having the phone company register a replacement SIM. There is no need to physically intercept the victim's phone, so it is not in fact a second factor.

[urda]

Google is the one that isn't compliant.

Firefox is compliant.

[phyzome]

Does it actually not work on Vanguard... or is it that Vanguard does user-agent sniffing and says Firefox is not compatible?

[rdtsc]

> It does! Open about:config and switch security.webauth.u2f to true. It'll Just Work.

Unfortunately for a large number of users that effectively means it doesn't work.

[Shoothe]

> Chrome on Android using either a OTG cable for a U2F USB key

Which key did you use? I tried Yubikey 4 (via OTG cable) and 4C (directly) and the U2F flow with Authenticator did not work (just like the key would not be recognized for U2F).

[crispyporkbites]

ok scratch that, use firefox then

but still hardly anything supports U2f :-(

[Slansitartop]

Not everything supports U2F, but plenty of things do, many of them high value services:

http://www.dongleauth.info/

[Sir_Cmpwn]

The existence of WebUSB is awful. Why anyone ever thought it was a good idea to let JavaScript touch your USB devices is beyond me.

[Ajedi32]

It's simple: allowing sandboxed code to request limited access to a USB device is more secure than having users install native, unsandboxed code with access to everything on their PC.

[tedunangst]

Assuming the sandbox works. If the sandbox is porous, the attack surface balloons from apps I choose to install to every link I click.

[Ajedi32]

Not every link you click. Only sites that you grant access to the necessary attack surface. The Web USB API can't be attacked by sites that you haven't granted access to it.

[codedokode]

What if that privileged website has XSS vulnerability?

[Ajedi32]

Then the attacker gets access to that USB device. (And only that USB device.)

What if your unsandboxed native USB utility has an RCE vulnerability?

[Sir_Cmpwn]

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chromium

[Ajedi32]

As opposed to native desktop apps, which get all the same permissions by default that a web app requires a zero-day sandbox escape vulnerability to achieve?

[Sir_Cmpwn]

Native desktop apps are limited in number are nowhere near the dumpster fire the web is. My desktop isn't routinely downloading and executing payloads from the web. They're clearly different.

[Ajedi32]

This is about the Web USB API, not the entire web in general. Are you routinely granting web pages access to your USB devices? That's not a permission that web apps get by default (unlike with native desktop apps btw).

It comes down to this: if you ever found yourself in a situation where you needed to connect a USB device to a remote service, would you prefer to download that service's unsandboxed native code to your PC and execute it? Or execute some JS in the browser sandbox and grant it limited access to that one specific device?

[blitmap]

Strongly disagree here.

I think WebUSB will enable a lot of cool things, though it will definitely be hard to sandbox.

I want to program an Arduino from a web IDE. I want to control a 3d printer or pen plotter from a web application. I want to store things on a flash drive on my iPhone using a web-based file explorer? This last one sounds strange.

On a tangent, I see application runtimes moving into the browser by default with very few performance-critical applications remaining outside that stack. Photoshop and AAA games might be exceptions. Services like databases and web browsers would not have a need to be in Chrome.

(don't hurt me, I know I'm strange.. ~)

[petee]

Just because its possible, doesn't mean we should!

I see nearly no good reason for any of those uses to be web-based, and certainly not with hardware control! If you want to store files on your flash drive, the browser should handle that, not give out direct usb access...

Hearing this exists was a shock, like when the first Android 'Instant' load app showed up on my phone (apps that you don't install, but run themselves if you goto a website or a physical store, and without asking you)

[heroprotagonist]

Considering your use cases, why not simply require an extra step in the browser to enable it instead of turning it on for all users?

EG, take a few seconds to turn on a flag in configuration, or add a plugin.

[X-Cubed]

There is a permission prompt that appears, websites can't use the WebUSB functionality until you allow them too.

[Skunkleton]

Why do you want to use a Web IDE? I am not trying to cause tension, I am just genuinely curious.

[dgacmu]

For me: teaching!

Getting 400 students up and running with python is painful alone - without USB. For projects, some small fraction of those used USB, and we again had a pretty good chunk of time spent getting them all working.

[avian]

I would think that getting Python up and running is a valuable lesson.

[powvans]

I worked for an online retailer a long long time ago and this would have been nice to have at our packstations. The tech at each station consisted of a Linux desktop, a barcode scanner, a printer, and a scale. The commerce platform was web based and displayed the current weight on the scale on the pack page.

Originally the scale was connected via serial port to the desktop. A little Perl service we called "the scale daemon" exposed the current weight on some localhost port. The backend would constantly poll that service and the web browser would poll the backend to keep the value on the page up to date. It was a nifty solution albeit a bit clumsy and it meant running an extra piece of software on 50+ machines in a warehouse.

At some point our scale vendor stopped selling scales with serial connections or maybe it was that the PC vendor stopped including serial ports. It was 10+ years ago and I can't recall exactly. What I do remember is that the guy that wrote the scale daemon had moved on and I had to figure out how to make it work with USB. It was fun and probably not as hard as it seemed at the time, but wow, being able to get at that scale from inside the browser would have massively simplified things.

[skybrian]

More importantly: "the phishing site would also have to ask the user's permission to enable WebUSB access to their Yubikey, and then tap the physical button on the key."

So don't do that. It would be nice to know exactly what this dialog looks like, but it seems low risk?

[pfg]

Convincing users to grant access to a USB device when they're attempting to log in to a service using said USB device sounds like something that would work more often than not. We wouldn't need phishing-resistant authentication methods if humans were good enough at making those kinds of decisions.

[stevehawk]

I have to admit that in all of my use of my Yubikey Neo in Chrome I don't recall ever being asked for permission to access the device. Firefox hasn't asked either.

[pfg]

I'm not saying that you need to grant any kind of permission in order to use U2F tokens, but rather that a user thinking "I want to login to Google" and "I need to use that USB key thingy to do that" is quite likely to accept a prompt that requests access to the U2F device.

[stevehawk]

Sorry, I guess what I was getting at is that in hindsight I'm surprised no browser ever explicitly asked me for access to the Yubikey or told me why it needed, I've just blindly trusted it because of the few sites I use it with.

On the other hand, it's basically functioning as another keyboard device and not a special USB device so it shouldn't be that surprising, right? (serious question)

[Buge]

>So don't do that.

How about you tell users to simply not enter their password into phishing sites?

When users want to do something (sign in) and there are instructions on the page telling them to do something (enter password or accept usb) then the users will do it.

[m-p-3]

Hopefully better support for U2F devices is on the way at both the browser and website level.

I wish more websites offered the option to use it.

[ilikepi]

Presumably you are referring to WebAuthn[1]. I am optimistic that this will lead to better browser support, and consequently better website support. IIRC it's expected to reach Firefox stable in the May release. Hopefully the various sites that currently only support U2F in Chrone will move to this new standard.

[1]: https://www.w3.org/Webauthn

[ravenstine]

I didn't even realize web USB was a thing now. I remember it being talked about, but I must have missed the HN conversation when Chrome implemented it.

So does Chrome ask for permission to allow USB access? Or maybe there's something about this I'm not getting.

[pfg]

There is a permission prompt, but it's fairly easy to convince users to accept it during a login attempt when they're expecting their USB U2F device to be used.

[Shoothe]

It's surprising that this works. Last time I checked WebUSB the device would have to have a descriptor allowing its use via web page effectively white listing what can be used on the web.

[Ajedi32]

Looks like they changed it: https://wicg.github.io/webusb/#attacking-a-device

While I understand the reasoning behind that move, I'm not sure I fully agree with it. I don't think users will necessarily understand the implications of granting a site access to a device that wasn't designed with attacks from malicious code as part of its threat model. At the very least, the wording on the permissions dialog should be changed to indicate that the user is granting the site _full control_ over the device they're connecting it to.

[SahAssar]

Or disable webusb

[Ajedi32]

Or just don't click "Connect" on the USB access permissions prompt when it pops up.

Unfortunately though, as with any phishing attack, this flaw is most likely to be effective against uninformed users, and those users are the least likely to take proactive measures to protect themselves beforehand.

Fortunately:

> "We will have a short term mitigation in place in the upcoming version of Chrome, and we're working closely with the FIDO Alliance to develop a longer-term solution as well."

[crispyporkbites]

What kind of uniformed user uses a YubiKey?

I supposed you could trick them by saying that the login process has changed and they need to enable WebUSB to let their YubiKey work

[tedunangst]

Uninformed users who have an informed friend looking out for them but not looking over their shoulder every single minute.

[cjcfjrf]

Not parent but great point, thank you.

[jessaustin]

This seems to indicate that DoD uses them. Perhaps it's mostly contractors, but there are probably some liaison-type uniformed people too:

https://www.yubico.com/about/reference-customers/department-...

[Buge]

The purpose of a Yubikey is to prevent users from making mistakes.

This phishing attack removes the benefit that Yubikeys provided.

Sure a smart users can decline the permission prompt. But a smart user can also simply not enter their password into phishing pages.

[x0x0]

tqbf, pinboard, and zeynep are handing them out to journalists.

There is an enormous need for some solution resistant to users who aren't good at identifying legitimate vs phishing sites. U2F as it stands is the only practical and deployed solution to that problem. It's infuriating that chrome broke this security promise to compete with microsoft.

[tyler_larson]

It sounds like the report glossed over a rather important bit of ux:

If, when logging in, you see a big modal dialog asking if you want to grant webusb access to the site, then DONT select your yubikey out of the list of connected USB devices and click "Allow".

As long as you can convince yourself to avoid taking that particular unusual action, it sounds like you're fine.

[tinus_hn]

If the user thinks the site is Google it’s not that strange they’d give them access to the key.

[decko]

You can disable CCID, does that not solve the issue?