We present a novel attack named the "Authenticator Rebinding Attack", which targets the Fast IDentity Online (FIDO) Universal Authentication Framework (UAF) protocol as implemented on mobile devices. The Authenticator Rebinding Attack rebinds the victim's identity to the attacker's authenticator, so that the service verifies the attacker's authenticator instead of the victim's during the UAF protocol; this allows the attacker to bypass the local authentication mechanism of the UAF protocol and impersonate the victim to perform sensitive operations such as transfers and payments. The vulnerability stems from the lack of effective authentication between entities in the UAF protocol implementations used in real systems. In this paper, we implement this attack on the Android platform and evaluate its feasibility; the results show that the proposed attack is feasible in real systems and that Android applications using the UAF protocol are prone to it. We also discuss possible countermeasures against the threats posed by the Authenticator Rebinding Attack for the different stakeholders implementing UAF on the Android platform.