Security researchers have discovered a critical vulnerability in banking apps that could enable attackers to find a victim's credentials.
According to research carried out by a team at the University of Birmingham, the flaw allowed an attacker connected to the same network as the victim (e.g. public Wi-Fi or a corporate network) to perform a man-in-the-middle attack and retrieve the user's credentials, such as username and password or PIN code.
The issue was unearthed by a tool developed by researchers at the university to perform semi-automated security testing of mobile phone apps. The tool examined 400 security-critical apps and identified a critical vulnerability in banking apps, including apps from HSBC, NatWest, Co-op and Bank of America Health.
Researchers said that while banks had put a lot of effort into the security of their apps, one particular technology used - so-called “certificate pinning” - which normally improves security, had meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim's online banking.
The tests found that apps from some of the largest banks in the world contain this flaw, which if exploited, could have enabled an attacker to decrypt, view and modify network traffic from users of the app. An attacker with this capability could thereby perform any operation which is normally possible on the app.
Other attacks were also found, including “in-app phishing attacks” against Santander and Allied Irish Bank. These attacks would have let an attacker take over part of the screen while the app is running and use this to phish for the victim's login credentials.
The work led the researchers to contact the banks involved, working alongside the UK government's National Cyber Security Centre, to update all the apps affected by this pinning vulnerability.
The research was carried out by Dr Tom Chothia, Dr Flavio Garcia and PhD candidate Chris McMahon Stone of the Security and Privacy Group at the University of Birmingham.
“In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed,” said Chothia. “It's impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network,” he added.
Full results will be given in the paper “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification” which will be presented today at the 33rd Annual Computer Security Applications Conference in Orlando.
Amit Sethi, senior principal consultant at Synopsys, told SC Media UK that the issue sounds like it was caused by bad implementations of certificate pinning.
“Certificate pinning is often used by mobile apps to ensure that they are communicating with the right server(s). It enables organisations to avoid some of the issues associated with Public Key Infrastructure where any one of hundreds of certificate authorities can issue certificates for any server,” he says.
“However, implementing certificate pinning requires dealing with cryptography, which is difficult to get right. A poor certificate pinning implementation could result in an application being more vulnerable to man-in-the-middle attacks than if it simply relied on Public Key Infrastructure.”
Sethi added that organisations can ensure that their users' apps are up to date by having their apps send version information to their servers whenever they are started. “They can then choose to deny service to old versions of the apps. This is not a trivial feature to implement, however. And, if an attacker can perform a man-in-the-middle attack, then this protection can be bypassed.”
Craig Parkin, associate partner at Citihub Consulting, told SC Media UK that he believes this research isn't about certificate pinning being insecure, but about the way it was implemented on certain banks' mobile platforms.
“I believe the paper was ‘Why Banker Bob (still) Can't get TLS right’. Vulnerabilities were found from banking apps using pinning but misconfigured to trust any certs signed by a configured certificate authority from any domain name. Banking apps were also found to be using less secure methods within the applications to deliver advertisements which could have been manipulated through Man in the Middle attacks,” he said.
“Banks need to ensure they have implemented security correctly across the whole application and all channels it communicates on. Even though advertising is less sensitive, as it contains no user data, to the users of the applications these are perceived to be trusted and could be used to phish for credentials.”
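The misconfiguration the researchers and Parkin describe (pinning to a CA but never checking the hostname, so any certificate that CA issued for any domain is trusted) modelled as an added Python example; this is not code from the Spinner paper or from any bank's app, and the certificate records, host names and CA fingerprint are constructed placeholders:

```python
# Added example (not from the Spinner paper or any bank's app): a model of the
# pinning check the article describes, with no real TLS or network code.
# Certificates are plain records; the CA fingerprint is a constructed placeholder.
from dataclasses import dataclass

@dataclass
class Cert:
    subject_cn: str
    san_dns: list            # DNS names from subjectAltName
    issuer_fingerprint: str  # fingerprint of the CA that signed this leaf

# Fingerprint of the CA the app pins to (constructed placeholder, not a real hash).
PINNED_CA_FINGERPRINT = "sha256:PINNED-CA-PLACEHOLDER"

def matches_hostname(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # The wildcard covers exactly one label and must not match a bare domain.
        return (len(p_labels) == len(h_labels) and len(h_labels) > 2
                and p_labels[1:] == h_labels[1:])
    return False

def pin_only_check(cert: Cert, hostname: str) -> bool:
    """The flawed pattern: trust the chain because it ends at the pinned CA and
    never compare the certificate's names against the hostname being contacted."""
    return cert.issuer_fingerprint == PINNED_CA_FINGERPRINT

def pin_and_hostname_check(cert: Cert, hostname: str) -> bool:
    """Corrected check: the pin AND hostname verification must both pass."""
    if cert.issuer_fingerprint != PINNED_CA_FINGERPRINT:
        return False
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(matches_hostname(n, hostname) for n in names)

# Constructed test certificates, both legitimately signed by the pinned CA.
BANK_CERT = Cert("api.bank.example", ["api.bank.example", "*.bank.example"], PINNED_CA_FINGERPRINT)
OTHER_CERT = Cert("shop.example", ["shop.example"], PINNED_CA_FINGERPRINT)  # issued for an unrelated site

def demo():
    """For each check, (accepts the bank's own cert, accepts the unrelated cert)."""
    host = "api.bank.example"
    return {
        "pin_only": (pin_only_check(BANK_CERT, host), pin_only_check(OTHER_CERT, host)),
        "pin_and_hostname": (pin_and_hostname_check(BANK_CERT, host), pin_and_hostname_check(OTHER_CERT, host)),
    }

if __name__ == "__main__":
    print(demo())  # pin_only accepts both certs; pin_and_hostname rejects the unrelated one
```

A test harness in the spirit of the researchers' tool presents the app with a certificate from the pinned CA for a different name; an app that accepts it has the `pin_only_check` behaviour.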