Researcher defeats two-factor iPhone authentication

Many banks, notably in Australia and the US, have been using text message authentication as a means of adding 2FA security to online banking services.

According to Tyrone Miller, a director with Sydney-based Pure Hacking, by remotely compromising an iPhone with malware, it is now possible to remotely monitor the smartphone and route the users' credential keystrokes – which would not normally appear on the phone's screen, Infosecurity notes – to an on-handset SQLlite database.

By using a simple remote telnet application, in this case Putty, Miller claims that the 2FA credentials can be accessed by cybercriminals.

Miller says that he has staged a demonstration of a 2FA iPhone hack and posted a video of the session to YouTube.

As he reports in his latest security blog: "SMS 2-factor authentication has had a major impact in reducing online fraud."

"This is because an attacker must not only capture the victim's username and password to login to their bank account, but they must now also have the victim's phone to receive the SMS 2-factor authentication token", he says.

"This restricts the number of possible attacks dramatically", he adds.

However, he goes on to say, where previously a user would login to their internet banking on their laptop, and then receive the SMS token on their mobile, the attacker may be able to capture the username and password of the victim, but they are unable to capture the SMS token.

"Now we find that users are logging into their internet banking on their smartphone, and then receiving the SMS token on the same device. This means that an attacker who has hacked the victim's smartphone, most likely via a malicious website, is now able to capture the username, password, and SMS token all on the one device", he says.

Detailed examination of Miller's video suggests that his remote telnet session is attaching to the root directory of iOS - using the well-known root/alpine ID/password combination - tapping a methodology similar to the iKeyGuard keylogging app we reported on yesterday, Infosecurity notes.

This hack would require physical access to a users' iPhone for a period of time, to install the malware, but once installed, a remote telnet session would be easy to access using 2G, 3G or WiFi connections.

What’s Hot on Infosecurity Magazine?