Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Standard

Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). / McMahon Stone, Christopher; Chothia, Tom; Garcia, Flavio D.

Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery, 2017. p. 176-188.


Harvard

McMahon Stone, C, Chothia, T & Garcia, FD 2017, Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). in Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery, pp. 176-188, 33rd Annual Computer Security Applications Conference (ACSAC 2017), Orlando, Florida, United States, 4/12/17. https://doi.org/10.1145/3134600.3134628

APA

McMahon Stone, C., Chothia, T., & Garcia, F. D. (2017). Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). In Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017) (pp. 176-188). Association for Computing Machinery. https://doi.org/10.1145/3134600.3134628

Vancouver

McMahon Stone C, Chothia T, Garcia FD. Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). In Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery. 2017. p. 176-188. https://doi.org/10.1145/3134600.3134628

Author

McMahon Stone, Christopher; Chothia, Tom; Garcia, Flavio D. / Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable). Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017). Association for Computing Machinery, 2017. pp. 176-188

Bibtex

@inproceedings{1f7272ef0133458b9fa79bcf9c5cae59,
title = "Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)",
abstract = "Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high-security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps, was also vulnerable. These apps have a joint user base of tens of millions of users.",
author = "{McMahon Stone}, Christopher and Tom Chothia and Garcia, {Flavio D.}",
year = "2017",
month = dec,
day = "4",
doi = "10.1145/3134600.3134628",
language = "English",
isbn = "978-1-4503-5345-8",
pages = "176--188",
booktitle = "Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)",
publisher = "Association for Computing Machinery",
note = "33rd Annual Computer Security Applications Conference (ACSAC 2017) ; Conference date: 04-12-2017 Through 08-12-2017",
}

RIS

TY - GEN

T1 - Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

AU - McMahon Stone, Christopher

AU - Chothia, Tom

AU - Garcia, Flavio D.

PY - 2017/12/4

Y1 - 2017/12/4

N2 - Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high-security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps, was also vulnerable. These apps have a joint user base of tens of millions of users.

AB - Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high-security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps, was also vulnerable. These apps have a joint user base of tens of millions of users.

U2 - 10.1145/3134600.3134628

DO - 10.1145/3134600.3134628

M3 - Conference contribution

SN - 978-1-4503-5345-8

SP - 176

EP - 188

BT - Proceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)

PB - Association for Computing Machinery

T2 - 33rd Annual Computer Security Applications Conference (ACSAC 2017)

Y2 - 4 December 2017 through 8 December 2017

ER -