mailing list archives
Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System
From: Patrick Hof <release () redteam-pentesting de>
Date: Tue, 24 Nov 2009 15:47:56 +0100
Sorry list if this arrives twice, I got stuck in the moderation queue because I
used the wrong email address.
Thierry Zoller <Thierry () Zoller lu> wrote:
MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream ? Say on a network over arp cache poisening?
The paper afaik applies to systems that are already compromised
by an attacker, i.e where malware has been installed.
Exactly, the paper states that
"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data
If this is the case what rights (Account acl) does the malware require
in order to perform the mentioned attacks ?
What we did in a demonstration for German TV was to exploit the victim's PC with
a malicious PDF (JBIG2Decode exploit), install our own root CAs in IE for the
banks and set our own IP in C:\windows\system32\drivers\etc\hosts for the
banking sites. This was of course only a PoC and required administrative
You can of course also do a "real" MitM attack if the user does not verify the
SSL certificate or rather does not check for SSL at all. If you're in the middle
of the network stream, you could use something like sslstrip for example. We
are always making the assumption that SSL is used, because I don't know of any
bank letting customers do online banking over a plaintext connection.
However, most of the attacks today focus on installing malware on the user's
system (e.g. those against iTAN) I think. When we showed the PoC, we wanted to
make sure people understand that a lock in the upper corner of their browser and
a certificate for mybankingsite.com does not mean they're secure. If you write a
malicious Firefox extension or IE browser helper object, verifying the SSL
certificate doesn't help anyway, because I can access the plaintext data and
don't need to worry about using my own certificate. This would also only need
user privileges, as far as I know.
This brings me to an interesting more general discussion,
can one define malware infected workstations and the attacks they
perform locally as MITM ? Technically they inject themselves between
the client and the server, however they need to be installed prior to
be able to do so. Furthermore they have access to a lot more
information and possibilities then an attacker that is, say in the
middle of a network connection.
For sake of allowing proper risk assessment by technically less
trained persons - one should coin a better term than classical mitm -
but maybe I am mistaken? what about MITMa (man in the machine)
I agree that the terminology is rather vague, maybe we should have explained
that a bit more in the paper. We chose the term MitM because you can still do
the attack if you have not compromised the bank customer's host, you just can't
show a "valid" certificate to the user.
RedTeam Pentesting GmbH Tel.: +49 241 963-1300
Dennewartstr. 25-27 Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/