
Time Is on My Side: Forward-Replay Attacks to TOTP Authentication

Conference paper

Security and Privacy in Social Networks and Big Data (SocialSec 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14097)

Abstract

Time-based One-Time Password (TOTP) is a widely used method for two-factor authentication, whose operation relies on one-time codes generated from the device's clock and validated against the server's clock. By introducing the notion of forward-replay attack, in this paper we underline an obvious (but somewhat overlooked) fact: a secure server-side time reference is not sufficient when an attacker can maliciously set future time instants on the device, collect the corresponding TOTPs, and play them back later, once those time instants are actually reached. After examining viable attack scenarios, we present a concrete proof-of-concept implementation on Android mobile phones against three applications using TOTP, including the widely used TOTP-based Google Authenticator app. Our findings highlight the practicality of such a threat and raise concerns about the security of TOTP, suggesting that hardened TOTP-based methods should be explored.


Notes

  1. A server may consider valid not only the OTP generated for the latest time step but also OTPs generated for past time steps that fall within a given delay window. In practice, however, as explicitly recommended in the specification [19], at most one extra time step is generally allowed.

References

  1. AccessibilityService. https://developer.android.com/reference/android/accessibilityservice/AccessibilityService

  2. https://github.com/jselvi/delorean

  3. Payment services (PSD 2). Directive 2015/2366/EU of the European Parliament and of the Council (2015)

  4. Room. https://developer.android.com/jetpack/androidx/releases/room

  5. Aonzo, S., Georgiu, G., Verderame, L., Merlo, A.: Obfuscapk: an open-source black-box obfuscation tool for Android apps, vol. 11 (2020). https://doi.org/10.1016/j.softx.2020.100403

  6. De Oliveira Nunes, I., Jakkamsetti, S., Rattanavipanon, N., Tsudik, G.: On the TOCTOU problem in remote attestation. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2921–2936 (2021)

  7. Deeg, M.: To the future and back: hacking a TOTP hardware token (SYSS-2021-007). https://blog.syss.com/posts/syss-2021-007/

  8. Gilsenan, C., Shakir, F., Alomar, N., Egelman, S.: Security and privacy failures in popular 2FA apps (prepublication). In: USENIX Security 2023 (2023)

  9. Huseynov, E.: TOTP replay attack: YubiKey et al. https://medium.com/@eminhuseynov_37266/totp-replay-attack-yubikey-et-al-adde8e8c62d3

  10. Iovino, V., Vaudenay, S., Vuagnoux, M.: On the effectiveness of time travel to inject COVID-19 alerts. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 422–443. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_18

  11. Kraunelis, J., Chen, Y., Ling, Z., Fu, X., Zhao, W.: On malware leveraging the Android accessibility framework. In: Stojmenovic, I., Cheng, Z., Guo, S. (eds.) MindCare 2014. LNICST, vol. 131, pp. 512–523. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11569-6_40

  12. Krawczyk, H., Bellare, M., Canetti, R.: RFC 2104: HMAC: keyed-hashing for message authentication (1997)

  13. Lau, B., Jang, Y., Song, C., Wang, T., Chung, P.H., Royal, P.: Mactans: injecting malware into iOS devices via malicious chargers. Black Hat USA, vol. 92 (2013)

  14. Malhotra, A., Cohen, I.E., Brakke, E., Goldberg, S.: Attacking the network time protocol. Cryptology ePrint Archive (2015)

  15. Meier, L.C.: On security against time traveling adversaries. Cryptology ePrint Archive (2022)

  16. Meng, W., Lee, W.H., Murali, S., Krishnan, S.: Charging me and I know your secrets! Towards juice filming attacks on smartphones. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, pp. 89–98 (2015)

  17. M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: RFC 4226: HOTP: an HMAC-based one-time password algorithm (2005)

  18. M'Raihi, D., Rydell, J., Bajaj, S., Machani, S., Naccache, D.: RFC 6287: OCRA: OATH challenge-response algorithm (2011)

  19. M'Raihi, D., Machani, S., Pei, M., Rydell, J.: RFC 6238: TOTP: time-based one-time password algorithm (2011)

  20. Nohl, K., Lell, J.: BadUSB: on accessories that turn evil. Black Hat USA, vol. 1, no. 9, pp. 1–22 (2014)

  21. Ozkan, C., Bicakci, K.: Security analysis of mobile authenticator applications. In: 2020 International Conference on Information Security and Cryptology (ISCTURKEY), pp. 18–30. IEEE (2020)

  22. Park, S., Shaik, A., Borgaonkar, R., Seifert, J.P.: White rabbit in mobile: effect of unsecured clock source in smartphones. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 13–21 (2016)

  23. Polleit, P., Spreitzenbarth, M.: Defeating the secrets of OTP apps, pp. 76–88. IEEE (2018)

  24. Salem, A., Paulus, F.F., Pretschner, A.: Repackman: a tool for automatic repackaging of Android apps. In: Proceedings of the 1st International Workshop on Advances in Mobile App Analysis, pp. 25–28 (2018)

  25. Selvi, J.: Bypassing HTTP Strict Transport Security. Black Hat Europe, vol. 54 (2014)

  26. Sun, H., Sun, K., Wang, Y., Jing, J.: TrustOTP: transforming smartphones into secure one-time password tokens. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 976–988 (2015)


Acknowledgements

We express our gratitude to the anonymous reviewers for their valuable insights and recommendations, including bringing to our attention the online blog posts [7, 9].

This work was partially funded by the project I-Nest (G.A. 101083398, CUP F63C22000980006), Italian National hub Enabling and enhancing networked applications and Services for digitally Transforming Small, Medium Enterprises and Public Administration.

Author information

Corresponding author

Correspondence to Lorenzo Valeriani.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Bianchi, G., Valeriani, L. (2023). Time Is on My Side: Forward-Replay Attacks to TOTP Authentication. In: Arief, B., Monreale, A., Sirivianos, M., Li, S. (eds) Security and Privacy in Social Networks and Big Data. SocialSec 2023. Lecture Notes in Computer Science, vol 14097. Springer, Singapore. https://doi.org/10.1007/978-981-99-5177-2_7


  • DOI: https://doi.org/10.1007/978-981-99-5177-2_7


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-5176-5

  • Online ISBN: 978-981-99-5177-2

  • eBook Packages: Computer Science, Computer Science (R0)
