Monday, June 30, 2008

Compromising The Blizzard Authenticator: Man-In-The-Middle

I need to get this out of the way: BLIZZARD I AM NOT CONDONING THIS IN ANY WAY SHAPE OR FORM I LOVE YOU GUYS. I am not a security expert, nor do I claim to be one. Some, most or all of the theories you are about to read below may be incorrect; they have been culled from what I've come to understand about how these systems work and what sorts of attacks have occurred on them.

As with keyloggers, Blizzard will not be able to prevent these attacks, as they occur against the player's PC directly. Getting this out in the open will help raise player awareness that the authenticator does not eliminate the risk of account compromise, and that players still need to diligently maintain their computers, scan for unwanted programs, and change their passwords regularly.

Now then. Compromising the Blizzard authenticator. It will be hard, but it can be done.

First off, some background on the authenticator. Blizzard appears to have contracted with the company Vasco for its line of security tokens called "Digipass Go6". The Go6 has a non-replaceable battery with an expected lifetime of seven years. The Go6 is tamper-resistant and supports the DES, 3DES and AES cryptography algorithms. It can also withstand a 1 meter (~3 foot) drop intact. Blizzard's version will look like this:
[image: the Blizzard Authenticator token]

It uses a secret key shared between the authenticator (AKA a "keyfob" or "token") and the Blizzard login servers. In the image above the code is six digits; the Vasco brochure states it can display up to eight. It remains to be seen how many digits will be used, but I'm sure we'll find out shortly. Every fixed number of seconds, both the token and the server generate a new one-time code. If the code is not entered within the correct timeframe, a new one-time code is generated and the previously displayed code is rendered useless. The details of how all this works are far too complicated for this document, and there are plenty of great websites and books out there that cover it in detail if you really would like to learn more.

So to get into World of Warcraft, and in theory Starcraft 2 and Diablo 3 if they code for it, the login will go like this:

[image: flowchart of the authenticator login sequence]

Ok, easy enough, you can see where the pathing goes. Now, how does someone compromise a token-based login?
Man-In-The-Middle

Technically speaking, what I am about to describe is more of a phishing attack than a true MITM, but I feel the terminology still works. These attacks can occur in one of two ways. The first way is a simple, tried and true spoofed webpage. Old, reliable, works without fail. Create a false website that pretends to be Blizzard's account management site. Have the proper fields to fill out for account name, password and code. Upon clicking submit, the user is redirected somewhere else while their information is forwarded to the attacker.

How does this work if the attacker wants to go to the source, i.e. the game itself? This method will prove more time consuming and costly, as they will have to code up an entire program that mimics the launcher and/or portal login screen. I figure the flowchart for such a program will look like one of these three ideas:

Complicated Token:
[image: flowchart of the complicated token version]
Simplistic Token:
[image: flowchart of the simplistic token version]
Token/Non-Token Version:
[image: flowchart of the token/non-token version]

My new ideas came to me after I had originally posted this on 6/30 and I felt I should show how each one will break down. I believe all of these can be considered "Man-In-The-Middle" style attacks.

The complicated version is a bit of a mess, and will require the attacker's program to pass authentication data to the Blizzard login servers. I have been informed the complicated idea would not work, as after the token code is passed to Blizzard it is rendered useless and cannot be used a second time. I should have realized this. --7/01/08

The simple version is very straightforward. The attacker's program never passes any data to Blizzard, just collecting it until the code is entered. I feel this is the most likely angle of attack, but it assumes the target uses the authenticator. If they are not using one then the program is rendered useless.

The token/non-token version may be the best compromise between the two previous versions. The attacker's program will make one single call to the Blizzard login servers and depending on the reply will either ask for the one-time code or go directly to the notification and termination portion of the program. This version allows the attacker access to player accounts that have not purchased the authenticator, effectively operating as a sophisticated keylogger.

Once everything has been entered the attacker can be notified one of many ways. There are 4-5 ways listed here but I'm sure there could be more options. Once the notification has been sent, the program will generate an error, crash, or both. Either way the user will believe that either there is a problem with Blizzard's servers, their installation of WoW, or possibly even their computer.

It's not known how short the key generation window is, or how long the window will stay open once a user has verified their login and password. RSA SecurID keys have a 60-second key generation and use window, meaning every minute a new key is generated and must be used within that minute or else it is no longer valid. If Blizzard keeps to a 60-second key window and if on average it takes about five seconds for a user to input their key, in this scenario the attacker would have about 50 seconds to log in using your pilfered data.
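To make the window and the single-use property concrete, here is an added example of my own (an illustrative HMAC-over-time-window construction, not Vasco's or Blizzard's actual algorithm, which is not public): a token-side code generator and a server-side verifier that accepts each window's code only once, which is why the complicated version above fails and why the simple version is left with only the remaining seconds of the window. The names `STEP_SECONDS`, `DIGITS`, `LoginServer` and the 60-second step are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

# Assumption: an illustrative HMAC-over-time-window construction, NOT the
# actual Vasco/Blizzard algorithm (which the post notes is not public).
STEP_SECONDS = 60   # 60-second window, by analogy with SecurID as the post assumes
DIGITS = 6          # six digits, as shown on the token in the post

def time_step(now):
    """Index of the 60-second window that Unix timestamp `now` falls in."""
    return int(now) // STEP_SECONDS

def generate_code(secret, now):
    """Token and server derive the same code from the shared secret and the current window."""
    counter = struct.pack(">Q", time_step(now))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % (10 ** DIGITS))

class LoginServer:
    """Server-side verifier: a code is valid only inside its window, and only once."""
    def __init__(self, secret):
        self.secret = secret
        self.last_used_step = None   # window whose code has already been consumed

    def verify(self, code, now):
        step = time_step(now)
        if self.last_used_step is not None and step <= self.last_used_step:
            return False   # replay: this window's code was already accepted
        if not hmac.compare_digest(code, generate_code(self.secret, now)):
            return False   # wrong code, or a code from a window that has rolled over
        self.last_used_step = step
        return True

def demo():
    """Constructed scenario: legitimate login, then a replay, then an expired code."""
    secret = b"constructed-demo-secret"   # constructed; real tokens carry a per-device secret
    server = LoginServer(secret)
    t0 = 1214784000                      # constructed timestamp at the start of a window
    code = generate_code(secret, t0)
    first = server.verify(code, t0 + 5)       # entered 5 s later: accepted
    replay = server.verify(code, t0 + 20)     # same code again inside the window: rejected
    expired = server.verify(code, t0 + 120)   # same code after the window rolled over: rejected
    return first, replay, expired
```

The verifier only closes the window after the first successful use, so a code that has been captured but not yet submitted remains valid until the window ends; that gap is the 50 seconds estimated above.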

As it stands, no one knows the details of the new login system except for Blizzard and Vasco. We may come to learn a few little things about it in the future, but by and large the inner workings of the token security system will remain unknown.

In summation, token authentication is very secure; however, a properly executed attack will still be able to circumvent this latest layer of security. As I said at the beginning of this post, these attacks are not things that Blizzard can control. Please be responsible and diligently maintain your computers: regularly scan for viruses, trojans and malware, and please change your passwords regularly.
