Leading US and UK-based banks have patched a flaw found in their Android and iOS mobile apps that allowed adversaries to conduct man-in-the-middle attacks to steal customer credentials and view and manipulate network traffic.
According to researchers at the School of Computer Science at the University of Birmingham that found the flaw, the vulnerability impacted nine apps belonging to banks such as HSBC and the TunnelBear VPN app.
Researchers outline their findings in an academic paper (PDF) presented this week at the Annual Computer Security Applications Conference in Orlando, Florida. “This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks,” wrote co-authors of the report Chris Stone, Tom Chothia and Flavio Garcia.
The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically MITM attacks that rely on spoofing the certificate for a trusted app or website.
What researchers found was a vulnerability in each of the apps’ implementation of the certificate pinning and certificate verification used when creating a Transport Layer Security (TLS) connection. “TLS is a tricky protocol to get right: both misconfiguration vulnerabilities and attacks on the protocol are common.”
For example, last year Mozilla patched a highly scrutinized flaw in its automated update process for browser add-ons tied to the expiration of certificate pins that allowed attackers to intercept encrypted browser traffic, inject a malicious NoScript extension update and gain remote code execution.
“Automated tools do exist to test a variety of TLS flaws,” researcher wrote. “However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname… We argue that conducting large-scale testing in this manner is difficult and expensive.”
As part of an effort to reduce cost and more easily identify pinning-related vulnerabilities at scale researchers released a zero-cost and automated testing tool called Spinner as part of their research.
The Spinner tool allows for more thorough testing of mobile apps, specifically how the apps perform hostname verification. As a result, researchers using Spinner identified ten instances where an app’s certificate pinning inadvertently masked improper hostname verification, allowing MITM attacks.
“Spinner (is) a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analyzing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning,” researchers wrote.
Those apps that implemented certificate pinning but failed to verify hostnames correctly include: Bank of America Health, TunnelBear VPN, Meezan Bank, Smile Bank, HSBC, HSBC Business, HSBC Identity, HSBCnet and HSBC Private.
“The vulnerability identified was resolved in Bank of America’s Health app nearly two years ago in January 2016. The app is no longer available as of June 2017. At no time was customer information impacted,” according a Bank of America statement made to Threatpost.
“We use Spinner to analyze 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable,” they wrote.
A typical MITM attack exploiting this flaw entails an attacker and victim sharing the same WiFi network. “Using ARP or DNS spoofing, the victims traffic can be redirected to the attacker… When the victim attempts to use their vulnerable app, the attacker can intercept the TLS handshake and provide the app with a certificate signed by the certificate that the app pins to,” researchers wrote.
University of Birmingham researchers said each of the banks were notified of the flaws in their apps and the vulnerabilities have been mitigated.