Abstract
Time-based One-Time Password (TOTP) is a widely used method for two-factor authentication. Its operation relies on one-time codes generated from the device's clock and validated using the server's clock. By introducing the notion of a forward-replay attack, in this paper we underline an obvious (but somewhat overlooked) fact: a secure server-side time reference is not sufficient when an attacker can maliciously set future time instants on the device, collect the corresponding TOTPs, and play them back later, once those time instants are reached. After examining viable attack scenarios, we present a concrete proof-of-concept implementation on Android mobile phones and three applications using TOTP, including the widely used TOTP-based Google Authenticator app. Our findings highlight the practicality of this threat and raise concerns about the security of TOTP, suggesting that hardened TOTP-based methods should be explored.
Notes
1. A server may consider valid not only the OTP generated in the current time step but also OTPs generated in past time steps that fall within a given delay window. In practice, however, as explicitly recommended in the specification [19], at most one time step is generally allowed.
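As an added illustration (not the paper's proof-of-concept code), the following Python implements RFC 6238 TOTP on top of RFC 4226 HOTP, together with a server-side verifier that applies the one-step delay window from the note and RFC 6238's rule of never accepting the same OTP twice. It uses the RFC 4226/6238 test secret so the values are checkable against the RFC test vectors; the class and function names, and the example time instants, are assumptions of this example. The last function shows the gap the paper is about: the used-step check stops a classic replay, but a code minted for a time step the server has not yet reached is simply "not valid yet", and becomes valid when the server's own correct clock gets there.

```python
"""RFC 6238 TOTP with a server-side delay window and used-OTP tracking (example code)."""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds; the RFC 6238 default X


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = TIME_STEP) -> int:
    """T = floor(unix_time / X): the only moving input of TOTP is the clock."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP = HOTP(K, T)."""
    return hotp(secret, time_step(unix_time, step), digits)


class TotpVerifier:
    """Server side. Accepts the current step plus `window` steps before and after it
    (one step, as the note says is usual) and refuses any step at or below the last
    step that was already accepted (RFC 6238 section 5.2: no OTP may be accepted twice)."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.step = step
        self.last_accepted_step = -1

    def verify(self, code: str, server_time: int) -> bool:
        current = time_step(server_time, self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # classic replay of an already-used (or older) step
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


def forward_replay_window_check(secret: bytes = RFC_TEST_SECRET,
                                now: int = 59,
                                lead: int = 1111111109 - 59) -> tuple:
    """Returns (rejected_now, accepted_later) for a code generated on a device whose
    clock was set `lead` seconds ahead. Defaults are constructed so that `now` and
    `now + lead` coincide with RFC 6238 test-vector instants (T = 59 and 1111111109).
    The server clock is correct throughout; only the validity check is time-relative."""
    verifier = TotpVerifier(secret)
    future_code = totp(secret, now + lead)      # device clock advanced by `lead`
    rejected_now = not verifier.verify(future_code, now)   # outside the +/-1 window
    accepted_later = verifier.verify(future_code, now + lead)  # server reaches that step
    return rejected_now, accepted_later
```

The verifier's `last_accepted_step` check is the RFC's own defence against replaying a code that was already consumed; it says nothing about a code that has not been used yet because its time step is still in the future, which is why the note's "one time step" allowance on the server does not close the gap described in the abstract.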
References
AccessibilityService. https://developer.android.com/reference/android/accessibilityservice/AccessibilityService
Payment services (PSD 2). Directive 2015/2366/EU of the European Parliament and of the Council (2015)
Room. https://developer.android.com/jetpack/androidx/releases/room
Aonzo, S., Georgiu, G., Verderame, L., Merlo, A.: Obfuscapk: an open-source black-box obfuscation tool for Android apps. SoftwareX, vol. 11 (2020). https://doi.org/10.1016/j.softx.2020.100403
De Oliveira Nunes, I., Jakkamsetti, S., Rattanavipanon, N., Tsudik, G.: On the TOCTOU problem in remote attestation. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2921–2936 (2021)
Deeg, M.: To the future and back: hacking a TOTP hardware token (SYSS-2021-007). https://blog.syss.com/posts/syss-2021-007/
Gilsenan, C., Shakir, F., Alomar, N., Egelman, S.: Security and privacy failures in popular 2FA apps. Prepublication. In: USENIX Security 2023 (2023)
Huseynov, E.: TOTP replay attack - YubiKey. https://medium.com/@eminhuseynov_37266/totp-replay-attack-yubikey-et-al-adde8e8c62d3
Iovino, V., Vaudenay, S., Vuagnoux, M.: On the effectiveness of time travel to inject COVID-19 alerts. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 422–443. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_18
Kraunelis, J., Chen, Y., Ling, Z., Fu, X., Zhao, W.: On malware leveraging the Android accessibility framework. In: Stojmenovic, I., Cheng, Z., Guo, S. (eds.) MindCare 2014. LNICST, vol. 131, pp. 512–523. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11569-6_40
Krawczyk, H., Bellare, M., Canetti, R.: RFC 2104: HMAC: keyed-hashing for message authentication (1997)
Lau, B., Jang, Y., Song, C., Wang, T., Chung, P.H., Royal, P.: Mactans: injecting malware into iOS devices via malicious chargers. Black Hat USA, vol. 92 (2013)
Malhotra, A., Cohen, I.E., Brakke, E., Goldberg, S.: Attacking the Network Time Protocol. Cryptology ePrint Archive (2015)
Meier, L.C.: On security against time traveling adversaries. Cryptology ePrint Archive (2022)
Meng, W., Lee, W.H., Murali, S., Krishnan, S.: Charging me and I know your secrets! Towards juice filming attacks on smartphones. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, pp. 89–98 (2015)
M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: RFC 4226: HOTP: an HMAC-based one-time password algorithm (2005)
M'Raihi, D., Rydell, J., Bajaj, S., Machani, S., Naccache, D.: RFC 6287: OCRA: OATH challenge-response algorithm (2011)
M'Raihi, D., Machani, S., Pei, M., Rydell, J.: RFC 6238: TOTP: time-based one-time password algorithm (2011)
Nohl, K., Lell, J.: BadUSB - on accessories that turn evil. Black Hat USA, vol. 1, no. 9, pp. 1–22 (2014)
Ozkan, C., Bicakci, K.: Security analysis of mobile authenticator applications. In: 2020 International Conference on Information Security and Cryptology (ISCTURKEY), pp. 18–30. IEEE (2020)
Park, S., Shaik, A., Borgaonkar, R., Seifert, J.P.: White rabbit in mobile: effect of unsecured clock source in smartphones. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 13–21 (2016)
Polleit, P., Spreitzenbarth, M.: Defeating the secrets of OTP apps, pp. 76–88. IEEE (2018)
Salem, A., Paulus, F.F., Pretschner, A.: RepackMan: a tool for automatic repackaging of Android apps. In: Proceedings of the 1st International Workshop on Advances in Mobile App Analysis, pp. 25–28 (2018)
Selvi, J.: Bypassing HTTP Strict Transport Security. Black Hat Europe, vol. 54 (2014)
Sun, H., Sun, K., Wang, Y., Jing, J.: TrustOTP: transforming smartphones into secure one-time password tokens. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 976–988 (2015)
Acknowledgements
We express our gratitude to the anonymous reviewers for their valuable insights and recommendations, including bringing to our attention the online blog posts [7, 9].
This work was partially funded by the project I-Nest (G.A. 101083398 - CUP F63C22000980006) - Italian National hub Enabling and enhancing networked applications and Services for digitally Transforming Small, Medium Enterprises and Public Administration.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Bianchi, G., Valeriani, L. (2023). Time Is on My Side: Forward-Replay Attacks to TOTP Authentication. In: Arief, B., Monreale, A., Sirivianos, M., Li, S. (eds) Security and Privacy in Social Networks and Big Data. SocialSec 2023. Lecture Notes in Computer Science, vol 14097. Springer, Singapore. https://doi.org/10.1007/978-981-99-5177-2_7
DOI: https://doi.org/10.1007/978-981-99-5177-2_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-5176-5
Online ISBN: 978-981-99-5177-2
eBook Packages: Computer Science (R0)