Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

Christopher McMahon Stone; Tom Chothia; Flavio D. Garcia

doi:10.1145/3134600.3134628

Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

Christopher McMahon Stone, Tom Chothia, Flavio D. Garcia

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

299 Downloads (Pure)

Abstract

Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high
security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the
hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.

Original language	English
Title of host publication	Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)
Publisher	Association for Computing Machinery
Pages	176-188
Number of pages	13
ISBN (Print)	978-1-4503-5345-8
DOIs	https://doi.org/10.1145/3134600.3134628
Publication status	Published - 4 Dec 2017
Event	33rd Annual Computer Security Applications Conference (ACSAC 2017) - Orlando, Florida, United States Duration: 4 Dec 2017 → 8 Dec 2017

Conference

Conference	33rd Annual Computer Security Applications Conference (ACSAC 2017)
Country/Territory	United States
City	Orlando, Florida
Period	4/12/17 → 8/12/17

Access to Document

10.1145/3134600.3134628

Spinner
Accepted manuscript to be published on ISBN: 978-1-4503-5345-8 doi>10.1145/3134600.3134628
Accepted author manuscript, 655 KBLicence: None: All rights reserved

Cite this

@inproceedings{1f7272ef0133458b9fa79bcf9c5cae59,

title = "Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)",

abstract = "Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a highsecurity certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether thehostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.",

author = "{McMahon Stone}, Christopher and Tom Chothia and Garcia, {Flavio D.}",

year = "2017",

month = dec,

day = "4",

doi = "10.1145/3134600.3134628",

language = "English",

isbn = "978-1-4503-5345-8",

pages = "176--188",

booktitle = "Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)",

publisher = "Association for Computing Machinery ",

note = "33rd Annual Computer Security Applications Conference (ACSAC 2017) ; Conference date: 04-12-2017 Through 08-12-2017",

}

McMahon Stone, C, Chothia, T & Garcia, FD 2017, Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). in Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery , pp. 176-188, 33rd Annual Computer Security Applications Conference (ACSAC 2017), Orlando, Florida, United States, 4/12/17. https://doi.org/10.1145/3134600.3134628

Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). / McMahon Stone, Christopher; Chothia, Tom ; Garcia, Flavio D.
Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery , 2017. p. 176-188.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

AU - McMahon Stone, Christopher

AU - Chothia, Tom

AU - Garcia, Flavio D.

PY - 2017/12/4

Y1 - 2017/12/4

N2 - Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a highsecurity certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether thehostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.

AB - Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a highsecurity certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether thehostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.

U2 - 10.1145/3134600.3134628

DO - 10.1145/3134600.3134628

M3 - Conference contribution

SN - 978-1-4503-5345-8

SP - 176

EP - 188

BT - Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)

PB - Association for Computing Machinery

T2 - 33rd Annual Computer Security Applications Conference (ACSAC 2017)

Y2 - 4 December 2017 through 8 December 2017

ER -

Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

Abstract

Conference

Access to Document

Fingerprint

Cite this