Fake SSL certificates in the wild for Facebook, Google and Apple's iTunes store create a grave risk of fraud for people who bank online using their smartphones.
Analysis outfit Netcraft said it has found "dozens” of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit credentials create a ready means for attackers to run man-in-the-middle attacks against the customers of affected companies.
"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," writes Paul Mutton, a security researcher at Netcraft. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."
The certificates are not signed by trusted certificate authorities, so none will be regarded as valid by mainstream web browsers. But that doesn't mean that the phoney credentials can be dismissed as posing no threat, the security testing and web services firm warns.
"An increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates," Mutton adds.
Netcraft's blog post summarised previous research by third party researchers that highlights the potential for harm from fake certificates, even in cases where they are unsigned by a certificate authority.
Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites (research PDF here). A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.
Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IOActive are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server.
41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany (research PDF here). Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.
Examples of fake certificates cited by Netcraft include a dodgy certificate issued in the name of Russia's second largest bank and a certificate that impersonates GoDaddy's POP mail server. Apple iTunes store, a popular phishing target, is also honoured with a dodgy "doppelgänger" certificate.
Even if armed with fake certificates, a hacker would still need to eavesdrop on network traffic flowing between the victim's mobile device and the servers it communicates with. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks. ®