Hackers successfully use social engineering attacks against FIDO keys

FIDO security keys, a phishing-resistant form of multi-factor authentication designed to replace passwords, can be sidestepped by a social engineering attack that downgrades the login to a weaker factor instead of attacking the key itself.

Security software company Expel says it has detected a new type of adversary-in-the-middle (AitM) attack that abuses the “cross-device sign-in” feature, which exists so a user can log in from a device that holds no passkey, to downgrade FIDO key authentication to a weaker factor. Expel attributes the attack to the PoisonSeed group, known for large-scale phishing campaigns targeting cryptocurrency wallets.

“While we haven’t uncovered a vulnerability in FIDO keys, IT and SecOps folks will want to sit up and take notice – this attack demonstrates how a bad actor could run an end-run around an installed FIDO key,” says the U.S.-based Managed Detection and Response (MDR) provider.

Expel detected the attack after one of its customers reported an incident. Several of its employees received phishing emails directing them to a fake Okta sign-in page. One of the targeted employees entered their username and password on the phishing site.

In a legitimate cross-device sign-in, a user logging in from a device that holds no credential is shown a QR code on the login page; scanning it with the phone that holds the passkey or authentication app completes the login. In this case, the phishing site relayed the stolen username and password to the real Okta login page and requested a cross-device sign-in, so Okta generated a legitimate QR code tied to the attacker’s session. The phishing site then displayed that real QR code to the employee, who scanned it with their phone’s authentication app and thereby approved the attacker’s session, unknowingly handing over access to their account.

A FIDO key would normally stop the attack: phishers can steal a username and password, but they cannot touch the victim’s security key, and a FIDO login is bound to the site that requested it. In this case, however, the authentication app on the phone that scanned the attacker-presented QR code acted as the authenticator, standing in for the FIDO key, and that fallback flow approved whichever session had requested the code.

“This process – while seemingly complicated – effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides,” Expel says in a blog post.

Security experts have provided additional technical clarification related to the attack.

FIDO credentials are designed to resist phishing and credential theft: a credential is bound to the domain it was registered with and cannot be exercised from a lookalike site. The authors of the FIDO specifications anticipated adversary-in-the-middle (AitM) techniques, so if the targeted Okta MFA process had followed FIDO requirements, the login would have failed, writes Dan Goodin, senior security editor at Ars Technica.

“First, the device providing the hybrid form of authentication would have to be physically close enough to the attacker device logging in for the two to connect over Bluetooth,” says Goodin.

“Second, the challenge the hybrid device would have to sign would be bound to the domain of the fake site (here okta[.]login-request[.]com) and not the genuine Okta.com domain. Even if the hybrid device was in close proximity to the attacker device, the authentication would still fail, since the URLs don’t match,” he continues.
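To make the domain binding Goodin describes concrete, the Go program below is an added example written for this page (it is not code from Expel, Okta or Ars Technica). It models the three parties in a WebAuthn assertion: the browser, which records the page’s true origin in clientDataJSON; the authenticator, which only signs over a hash of that data; and the relying party, which checks the challenge, the origin and the signature. The RP ID okta.com, the allowed origins and the lookalike origin okta.login-request.com are assumed values for illustration, and the sign counter and attestation are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assertion is what the relying party receives from navigator.credentials.get().
type Assertion struct {
	ClientDataJSON []byte // written by the browser, never by the authenticator
	AuthData       []byte // rpIdHash || flags (sign counter omitted for brevity)
	Signature      []byte // ECDSA over AuthData || SHA-256(ClientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BrowserGet models navigator.credentials.get(): the browser, not the page and not the
// authenticator, writes the page's real origin into clientDataJSON. (A conforming browser
// also refuses outright when rpID is not a suffix of that host; omitted so the RP check shows.)
func BrowserGet(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	return authenticatorSign(priv, rpID, cd)
}

// authenticatorSign is authenticatorGetAssertion on the FIDO key (or on the phone in a
// hybrid flow): it never parses the origin, it only signs over the hash of clientDataJSON.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, clientDataJSON []byte) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, clientDataJSON))
	return Assertion{ClientDataJSON: clientDataJSON, AuthData: authData, Signature: sig}, err
}

func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// VerifyAssertion is the relying-party side of the ceremony (WebAuthn 7.2, abridged).
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, allowedOrigins map[string]bool,
	challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data")
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return fmt.Errorf("challenge mismatch")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q is not an allowed origin for %q", cd.Origin, rpID)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], want[:]) || as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("authenticator data is not for %q or lacks user presence", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedHash(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// RunScenarios replays a genuine login and two things an AitM proxy could try. The RP ID
// "okta.com" and the origins below are assumed for illustration, not a real Okta tenant.
func RunScenarios() (genuine, lookalike, rewritten error) {
	const rpID = "okta.com"
	allowed := map[string]bool{"https://okta.com": true, "https://login.okta.com": true}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the enrolled credential
	challenge := make([]byte, 32)                              // the challenge Okta issued for this login
	rand.Read(challenge)
	// 1. Genuine login: the victim's browser is on the real origin.
	a, err := BrowserGet(priv, rpID, "https://login.okta.com", challenge)
	if err == nil {
		err = VerifyAssertion(&priv.PublicKey, rpID, allowed, challenge, a)
	}
	genuine = err
	// 2. AitM relay: the proxy forwards Okta's real challenge, but the victim's browser is
	//    on the lookalike site, so clientDataJSON names that origin and the RP refuses it.
	bad, _ := BrowserGet(priv, rpID, "https://okta.login-request.com", challenge)
	lookalike = VerifyAssertion(&priv.PublicKey, rpID, allowed, challenge, bad)
	// 3. The proxy rewrites the origin to the real one before forwarding: the signature
	//    covers SHA-256(clientDataJSON), so it no longer verifies.
	bad.ClientDataJSON = bytes.Replace(bad.ClientDataJSON,
		[]byte("https://okta.login-request.com"), []byte("https://login.okta.com"), 1)
	rewritten = VerifyAssertion(&priv.PublicKey, rpID, allowed, challenge, bad)
	return genuine, lookalike, rewritten
}
```

The third scenario is why a relay proxy cannot simply patch the origin field on its way to Okta: the signature covers it and the proxy has no key. These checks only run when the login actually completes with a FIDO assertion; a fallback factor that approves whichever session displayed the QR code never performs them, which is the downgrade the article describes.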

What Expel appears to have encountered is an attack that downgrades FIDO MFA to a weaker form of MFA. That downgrade was most likely possible because whoever administered the organization’s Okta login page had chosen to allow authentication to fall back to a non-FIDO factor.

“To steer clear of such attacks, admins should think long and hard before allowing their FIDO-protected authentication processes to fall back to other forms,” adds Goodin.
