Aaron Turner, President and CSO of HighSide, and Georgia Weidman, CTO of Shevirah, delivered a presentation at RSA 2020 called “Mobile MFA Madness: Mobile Device Hygiene and MFA Integrity Challenges.” The session raised a number of serious challenges to conventional thinking about the value of traditional multi-factor authentication (MFA) on mobile devices.
Turner and Weidman pointed out a basic, but very serious, flaw in relying on mobile devices to run MFA apps: the devices themselves are vulnerable at the kernel level. If an attacker can get a “hook” into the device’s kernel, he or she sits beneath the app sandbox and can read the MFA app’s cryptographic secrets, so nothing the app does to protect itself helps. “They can clone you,” said Turner. “The MFA platform is looking at the device, which looks like you’re using it, but you’re not.”
They backed up this assertion with some startling figures on the number of mobile kernel vulnerabilities disclosed over the years. By the numbers they presented, iOS had 156 kernel-mode vulnerabilities in 2019, 125 in 2018 and a whopping 387 in 2017. Android was worse, with 414 in 2019 and 843 in 2017. Against that backdrop, the claim that attackers could get inside and “under” the MFA app at the kernel level is not far-fetched at all.
Anyhoo… the attacker can turn themselves into anyone, so to speak. Your device becomes their device, and it still looks like your device: anywho. Is there a way out of this identity trap?
Yes. HighSide is now offering a Distributed Identity solution. As part of their zero-trust platform, it allows organizations to create high-integrity digital identities on mobile devices. It works by examining multiple contextual signals on the device, such as location and time of usage, and tracks things like cell tower usage and WiFi connectivity to vet the authenticity of the MFA app and of the device itself.
Turner and Weidman also stressed the importance of device hygiene as a countermeasure to these MFA weaknesses. For example, they recommend allowing only devices running iOS 13 or Android 9 or 10 to install MFA apps. They also encouraged organizations to block devices running out-of-policy mobile operating systems from receiving enterprise email and MFA invitations.
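As an added illustration, not code from the talk or from HighSide or Shevirah, the following Python encodes that hygiene rule as a fail-closed allowlist that an enrollment service or mail gateway could consult before pushing the MFA app, an MFA invitation or enterprise mail to a device. The device-record format, the function names and the sample inventory are assumptions made for this example.

```python
"""Device-hygiene gate for MFA enrollment and enterprise email.

Illustrative code added to this article; it is not HighSide's or Shevirah's
software and was not shown in the talk. It encodes the recommendation above
as an allowlist: only iOS 13 and Android 9/10 devices may install the MFA
app or receive enterprise email and MFA invitations. The device-record
format, function names and sample inventory are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Allowed OS major versions, as recommended in the talk (early 2020).
# Any OS or major version not listed here is out of policy (fail closed).
ALLOWED_MAJOR_VERSIONS: Dict[str, FrozenSet[int]] = {
    "ios": frozenset({13}),
    "android": frozenset({9, 10}),
}

# What an in-policy device is allowed to receive.
ENTITLEMENTS: Tuple[str, ...] = ("mfa_app_install", "enterprise_email", "mfa_invitation")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    entitlements: Tuple[str, ...]


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '13.3.1' or '10' into (13, 3, 1) or (10,); None if malformed.

    Only ASCII digits are accepted, so '13.x', '', '13.' and '-1' all fail.
    """
    parts = version.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def evaluate_device(os_name: str, os_version: str) -> Decision:
    """Apply the allowlist, failing closed on anything unknown or unparsable."""
    os_key = os_name.strip().lower()
    allowed_majors = ALLOWED_MAJOR_VERSIONS.get(os_key)
    if allowed_majors is None:
        return Decision(False, f"unsupported OS '{os_name}'", ())
    parsed = parse_version(os_version)
    if parsed is None:
        return Decision(False, f"unparsable {os_key} version '{os_version}'", ())
    major = parsed[0]
    if major not in allowed_majors:
        return Decision(False, f"{os_key} {os_version} out of policy "
                        f"(allowed majors: {sorted(allowed_majors)})", ())
    return Decision(True, f"{os_key} {os_version} in policy", ENTITLEMENTS)


def filter_inventory(devices: List[Tuple[str, str, str]]) -> Dict[str, Decision]:
    """Evaluate (device_id, os_name, os_version) records; result keyed by device_id."""
    return {dev_id: evaluate_device(os_name, ver) for dev_id, os_name, ver in devices}


# Constructed sample inventory (not real data), chosen to exercise the edge cases.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("dev-01", "iOS", "13.3.1"),      # in policy
    ("dev-02", "iOS", "12.4.1"),      # unsupported major: blocked
    ("dev-03", "Android", "10"),      # in policy
    ("dev-04", "Android", "8.1.0"),   # unsupported major: blocked
    ("dev-05", "Android", "11"),      # newer than the talk's list: blocked until policy is updated
    ("dev-06", "HarmonyOS", "2.0"),   # unknown OS: blocked
    ("dev-07", "iOS", "13.x"),        # malformed version string: blocked
]

if __name__ == "__main__":
    for dev_id, decision in filter_inventory(SAMPLE_INVENTORY).items():
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{dev_id}: {verdict} - {decision.reason}")
```

The allowlist pins the versions named in the talk, which reflects the state of early 2020; the `dev-05` case shows the cost of that choice, since a pinned list also blocks newer releases until someone updates it. A deployment would normally maintain the table as a minimum supported major version that is raised when older releases stop receiving kernel patches, while keeping the fail-closed handling of unknown OS names and unparsable version strings.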