Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes

A significant exposure related to the use of QR codes in two-factor authentication (2FA) processes has been identified and reported to the Internet Engineering Task Force (IETF) by researchers and analysts at Silent Sector (https://silentsector.com), a cybersecurity services company that specializes in providing tailored risk management solutions to mid-market and emerging companies across various industries, including healthcare, financial services, technology, manufacturing, and defense.

Brian Contario, Principal Cybersecurity Architect at Silent Sector

The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.

"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.

There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.

"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.


Scope of the Damage

The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.

Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.

The enrollment processes were originally designed for hardware security tokens that could securely embed the secret key that were transmitted to physical tokens or other devices.

"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.

Remediation Solution

To address the threat, Silent Sector has developed a fix which involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.

"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.

This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.

Deploying Remediation at Scale

The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.

The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.

"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.

Economics of Remediation

While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.

Vendors that provide the two-factor authentication software and services will have to take the lead in updating their codes to proactively address the exposure.

For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.

"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.

To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.

Editor's PickStaff Reports