Popular on TelAve
- Natalie Jean Releases Heartfelt Tribute Single "What They Didn't See" Honoring Late Friend and Lyricist Michael Peloso
- European Tech Startup RoarFun discovers a gap in the U.S. market with a branded racing simulator rental at Atlanta's MRO Americas Aviation Convention
- Premium Domain Name "Feedri.com" Now Available for Acquisition After $8,500 Offer
- Spiritually Transformative Events Based on Bhagavad Gita – Path to a Fulfilling Life
- Carnegie Hall Hosts Theatrical Concert: El Dorado – A Musical Portrait of Edgar Allan Poe
- Sequentex Achieves OMNIA Partners Approval, Empowering Public Sector and other Agencies with Streamlined Technology Procurement
- Q1 2025 Revenue Soars 92% to $1.13M on Strategic Acquisitions, Organic Growth & Breakthroughs in AI Drones & Quantum Tech: ZenaTech Stock Symbol: ZENA
- $10 Million Plan to Acquire Successful Remote Lottery Platform: Expanding Global Footprint into Live Entertainment: Lottery.com (Stock Symbol: LTRY)
- Assent Launches Carbon Border Adjustment Mechanism Solution to Help Manufacturers Meet Regulatory Requirements
- Degrees of Justice: Attorney Frank Walker Charts the Future of Criminal Justice with Ph.D Degree
Similar on TelAve
- Crazy Discount Codes App Transforms Mobile Shopping With Real-Time Deals
- CredHub and All County Property Management Franchise Corp. Partner to Empower Franchisees with Rental Payment Credit Reporting Solutions
- Initial Order Received from Vietnamese Maritime Security and Defense Services for Advanced Video Compression Solution: RMX; Stock Symbol: RMXI
- Work 365 Launches Certified Provider Integration (CPI) Program to Help Distributors and CSPs Navigate Microsoft's Evolving Ecosystem
- 14th CryptoSuper500 Report Releases: Bitcoin's Evolution into a Global Supercomputer
- ASI Accelerates iMIS® Innovation by Acquiring CSI's Product Suite and Expert Team
- Innovative EDM Music Project, "Terms of War," Depicts an A.I. Takeover of Earth
- DivX Enhances AVI Playback Resources; Simplifies Guide to Playing AVI Files with DivX Software
- United States Congressional Candidate Peter Coe Verbica Unveils 25-Point Federal Plan to Help Make California Affordable Again
- D8Averse Launches D8Acapture: Disruptive Mobile-First App Transforms Utility Pole Data Collection
Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes
TelAve News/10841667
Millions – Perhaps Tens of Millions – of 2FA Credentials at Risk of Exposure. Global Remediation Likely to Cost Billions of Dollars
SCOTTSDALE, Ariz. - TelAve -- A significant exposure related to the use of QR codes in two-factor authentication (2FA) processes has been identified and reported to the Internet Engineering Task Force (IETF) by researchers and analysts at Silent Sector (https://silentsector.com), a cybersecurity services company that specializes in providing tailored risk management solutions to mid-market and emerging companies across various industries, including healthcare, financial services, technology, manufacturing, and defense.
The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.
"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.
There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.
"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.
More on TelAve News
Scope of the Damage
The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.
Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.
The enrollment processes were originally designed for hardware security tokens that could securely embed the secret key that were transmitted to physical tokens or other devices.
"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.
Remediation Solution
To address the threat, Silent Sector has developed a fix which involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.
"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.
This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.
More on TelAve News
Deploying Remediation at Scale
The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.
The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.
"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.
Economics of Remediation
While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.
Vendors that provide the two-factor authentication software and services will have to take the lead in updating their codes to proactively address the exposure.
For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.
"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.
To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.
The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.
"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.
There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.
"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.
More on TelAve News
- purelyIV Launches Mobile Iron Infusion Therapy for Patients with Iron Deficiency Anemia
- Smile Makers Dental Care Introduces FP1: East Bay's First Robotic-Assisted Full-Arch Implant Solution for Natural, Fixed Smiles
- DCAS College opens new Representative Office in Malaysian Capital Kuala Lumpur
- Fibrecross Unveils Next-Generation 800G Optical Transceiver
- GMO Miner: Creating a simple, efficient and reliable new cloud mining experience
Scope of the Damage
The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.
Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.
The enrollment processes were originally designed for hardware security tokens that could securely embed the secret key that were transmitted to physical tokens or other devices.
"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.
Remediation Solution
To address the threat, Silent Sector has developed a fix which involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.
"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.
This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.
More on TelAve News
- DOT Miners launches a new cloud mining platform: low threshold, high transparency, and helps promote the inclusion of global digital assets
- Fray Fitness and Truemed Partner to Enable HSA/FSA-Funded Fitness Equipment Purchases
- Crazy Discount Codes App Transforms Mobile Shopping With Real-Time Deals
- Sploot Vets and DeepScan Launch Exclusive Regional U.S. Partnership to Bring Breakthrough Pet DNA Test to Market
- As Sober.Buzz Community Explodes It's Growth Globally it is Announcing "Spreading the Good BUZZ" Podcast Hosted by Josh Case Debuting July 7th
Deploying Remediation at Scale
The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.
The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.
"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.
Economics of Remediation
While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.
Vendors that provide the two-factor authentication software and services will have to take the lead in updating their codes to proactively address the exposure.
For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.
"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.
To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.
Source: Silent Sector
Filed Under: Technology, Information Technology
0 Comments
Latest on TelAve News
- Female Motorsports Sponsorship & Expansion; Acquisition Agreement of UAE-Based Sports Incubator by Online Lottery & Sports Game Provider: Lottery.com
- The internet home telephone services and tv channels
- Global Court Momentum Builds Against Forced Psychiatry; CCHR Urges U.S. Reform
- Integris Composites Joins Paris Air Show at USA Pavilion
- Cheryl Hines' Trailer PROWLING to Sardinia
- Honoring Black History, Culture, and Community in Fall River
- Token-Operated Sake Service Opens at Tobu Nikko Station
- Innovative EDM Music Project, "Terms of War," Depicts an A.I. Takeover of Earth
- DivX Enhances AVI Playback Resources; Simplifies Guide to Playing AVI Files with DivX Software
- Patrick Aloni Joins Historic Gold and Copper Discovery in Argentina with Multimillion-Dollar Stake
- Edtech Startup Young Commanders Launches 'Visionaries Without Sight' Collection Celebrating Blind and Visually Impaired Historical Figures
- Goldstar Rehabilitation Celebrates 15 Years of Early Intervention Across Southeastern PA
- United States Congressional Candidate Peter Coe Verbica Unveils 25-Point Federal Plan to Help Make California Affordable Again
- D8Averse Launches D8Acapture: Disruptive Mobile-First App Transforms Utility Pole Data Collection
- Experience Trembling Firsthand with the New AgeMan® Tremor Simulator
- Mauro Schnaidman named as Managing Director in Miami, Florida
- Continued Streak of Recognitions with Multiple Chambers and Partners Rankings
- Anern Shines at SOLAR AFRICA Kenya with Solar Lithium Battery Storage Technology
- Last Call - Submit Your Proposal for the 2025 OpenSSL Conference in Prague
- Robert Michael & Co. Launches New Real Estate Website to Serve Central Florida Homebuyers and Sellers