HITB GSEC Singapore: Hacking Mobile Tokens

Traditional hardware 2FA tokens are increasingly being replaced by “soft” tokens – software OTP generators packaged into regular smartphone apps that run on iOS or Android. This is more convenient for users but also exposes the tokens to attacks by mobile malware and manual attacks. To compensate for these risks, many software token vendor apply a combination of obfuscation, anti-tampering, and cryptography. The question is, how effective are these measures in protecting the users’ data?

In this talk, Vantage Point's Bernhard Mueller will show different kinds of attacks that can be used to reverse engineer OTP algorithms and extract the stored secrets. Techniques range from classical static and dynamic analysis to custom kernel sandboxes and full-system emulation. He will demonstrate proof-of-concept exploits for current soft tokens of major vendors, and explain methods of assessing the effectiveness of a given set of obfuscation.