Internet Identity Lack Of Security

I wonder if this has already been exploited: My NNS is out of control, Please help me

1 Like

I know a lot of people refusing to stake their ICP in the NNS because of this risk. If several other cases like the one linked by @lastmjs occur, the word will spread very quickly. An article against Dfinity or ICP could be dramatic, even if the problem was solved once the article was written. It would take a lot of time to heal from this. We have to stop underestimating this problem. ICP can’t be associated with such an irreversible hack when it says « tamperproof » everywhere. People will tolerate a hack, but not a definitive hack. This problem could concern each and every one of us. @zire

If a hacker obtains physical access to the laptop AND the yubikey (which enables changing seed phrase), there is no measure by any institution in the world that can be deployed to prevent this identity from being stolen, whether it’s CIA, FBI, NSA, or DFINITY. This is very likely the case for @xiaobing.

It’s very unfortunate that this has happened to Xiaobing.

4 Likes

I don’t agree, there is one: just make it impossible to remove the seed phrase without having to enter the seed phrase in the first place to do it.

I can’t understand why this simple function is not installed; it would prevent any definitive loss of identity and neuron.

If this was set, sooner or later, anybody could take control back, because the hacker or thief would never have removed the seed phrase, given the fact he would not know the seed phrase to enter in order to remove it.

8 Likes

Forget the yubikey, just think of someone having installed an iPhone or Mac as devices: in one instant, it can be stolen, and the thief can remove the seed phrase. So, yes, you did not have other reports yet, but a lot of people are not using ICP on their phone, because they know about this lack of security.

Just set the necessity of entering the seed phrase before removing it, and the whole problem disappears! For example, I could use ICP on my phone, because in the worst case scenario, I would temporarily lose control of my identity and my neuron, but as my ICP are staked, the hacker could not steal them, and I would just have to enter my seed phrase to take control back and remove his devices.

3 Likes

Hi Roman. I’ve been trying to understand your concern/request and I think I’m following your logic now.

I think the scenario you’re describing is:

  1. The attacker has compromised a physical authentication device (laptop, yubikey, etc.) somehow.

  2. The attacker used that authentication device to clear out all other authentication methods, to include the generation of a new seed phrase and removal of the old seed phrase.

What you are requesting is that II should only allow an existing seed phrase to be removed if the previous seed phrase is entered correctly first. By doing this you are giving the original owner the ability to recover the account even if one of their other authentication devices was compromised? Is that correct?

This would of course assume the user has not stored their recovery key in a digital form that has been exposed to the attacker. But I think I still see value in your recommendation given the prior issue linked by @lastmjs.

12 Likes
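Added example (not part of any post in this thread, and not Internet Identity code): a toy model of the scenario and the rule summarised above, run once with the recovery phrase removable by any enrolled device and once with removal allowed only to a call authenticated by the phrase itself. The class, method and credential names are hypothetical.

```javascript
// Added example: toy model, not Internet Identity canister code. All names are hypothetical.
// A call is identified by callerId, the credential that authenticated it.
class Anchor {
  constructor(lockRecovery) {
    this.lockRecovery = lockRecovery;
    this.creds = new Map(); // credential id -> kind
  }
  add(callerId, id, kind) {
    // The first credential bootstraps the anchor; later adds need an enrolled caller.
    if (this.creds.size > 0 && !this.creds.has(callerId)) throw new Error("unauthenticated");
    if (this.creds.has(id)) throw new Error("duplicate credential");
    if (kind === "recovery_phrase" && [...this.creds.values()].includes(kind))
      throw new Error("a recovery phrase already exists");
    this.creds.set(id, kind);
  }
  remove(callerId, id) {
    if (!this.creds.has(callerId)) throw new Error("unauthenticated");
    if (!this.creds.has(id)) throw new Error("unknown credential");
    // Proposed rule: only a call authenticated by the phrase may remove the phrase.
    if (this.lockRecovery && this.creds.get(id) === "recovery_phrase" && callerId !== id)
      throw new Error("recovery phrase is locked");
    this.creds.delete(id);
  }
}

// Steps 1 and 2 of the scenario, followed by the owner's recovery attempt.
function simulateTheft(lockRecovery) {
  const a = new Anchor(lockRecovery);
  a.add(null, "laptop", "device");
  a.add("laptop", "owner-phrase", "recovery_phrase");
  // The compromised laptop enrolls a foreign key, which then strips the rest.
  a.add("laptop", "thief-key", "device");
  let phraseRemoved = true;
  try { a.remove("thief-key", "owner-phrase"); } catch { phraseRemoved = false; }
  a.remove("thief-key", "laptop");
  // The owner returns with the phrase from cold storage.
  let recovered = true;
  try {
    a.remove("owner-phrase", "thief-key");
    a.add("owner-phrase", "new-laptop", "device");
  } catch { recovered = false; }
  return { phraseRemoved, recovered, creds: [...a.creds.keys()].sort() };
}
```

With the lock off the anchor ends up holding only the foreign key; with it on, the owner evicts that key and re-enrolls. A holder of the phrase can still remove it, so rotation stays possible.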

EXACTLY!!! Sorry for my English my friends. @lastmjs @zire, @LightningLad91 expresses better than me my opinion, read this :point_up_2:

1 Like

You have perfectly synthesized my opinion.

I have been recommending this for months now.

1 Like

Thank you @LightningLad91 for paraphrasing the suggestion from @Roman. I understand your suggestion now.

Have you guys seen such a security measure being deployed in any other L1/L2 blockchain? I’m curious to know how others in the industry are tackling this issue. A few examples would be helpful.

2 Likes

I have only seen the radical non-removability of the seed phrase, as Ledger does with their hardware wallet, for example.

I think that if it is not possible to set this up, and we have to choose between:

  • changing the seed phrase too easily (that is, without having to first enter the original seed phrase before removing it)
  • making it impossible to remove

We should choose the second one.

@nmattia ?

2 Likes

Unfortunately, I am relatively new to the blockchain world (the IC was my first exposure) so I would not be able to reference any services on other networks. Perhaps @lastmjs knows of a few.

IMO, it does seem like it would make sense for the seed phrase to be protected in this manner. Unlike centralized Web2 accounts, these accounts cannot be recovered by proving my identity to a help desk technician. Requiring an existing seed phrase to be entered before replacing it seems like a logical protection if you’re working under the assumption (like I am) that the seed phrase is put in cold storage for disaster recovery and not being used to log in frequently. This still puts the onus on the user to store their seed phrase offline (in my case a safe).

That being said, I’m not an II expert, and I’m confident Dfinity can come up with an adequate solution.

Edit: I realized I made a logical leap regarding my web2 reference. To clarify, I’ve used several Web2 services that required me to authenticate with an existing device, enter an existing password, or recover via email/text in order to change a security setting on my account. In Web2, if these authentication methods are compromised your only real option is to prove your identity to the company/organization that operates the service and has authority to manage your account directly. You typically prove this with an SSN (if you’re in the U.S.) or some other unique identifier that the user is expected to protect. There is no equivalent out-of-band recovery method with the II and I see the seed phrase as being a potential solution. But that does not work if an attacker has compromised an authentication device and is capable of resetting the existing seed phrase.

5 Likes

If you produce seed phrase key shares out of the seed phrase (look at icdev2dev/bachao on GitHub, "Social Recovery of Internet Identity", for a prototype) and distribute those key shares to friends and family, you have, essentially, an out-of-band recovery. Now you would need to call your friends and family for social recovery of the seed phrase.

In that above context, having a seed phrase that is locked (i.e. cannot be changed by ANY other authentication means except knowing the seed phrase) completes the picture beautifully.

Incidentally, existing means to authenticate/recover should always be 2FA, even in the current context. This can be accomplished by a ledger-nano acting as a FIDO device, for example (because you need both the device, the ledger-nano in this case, and the passcode to the ledger-nano).

5 Likes

And with the ability of canisters to hold ICP, it is now possible, I think, to have this mechanism be built into the IC for your friends and family to act as "the company that provides that service of recovery". I will write this up.

5 Likes

I’m all for social recovery. I look forward to the day this is possible.

I agree that having a locked seed phrase would complement the social recovery mechanism. Otherwise, the attacker can just remove all of your approved contacts.

6 Likes

When I started using Yubikey last June, I was prompted for my Yubikey PIN every time I wanted to log in to my NNS, which I loved. Then, after an NNS upgrade, it stopped asking for my PIN. Was it only a coincidence or a change in the upgrade?

According to Yubico, the PIN request is controlled by the service provider (then the NNS).
If this is the case, can we have this back?

  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers will default setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey’s FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.

2 Likes
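Added example (not from this thread, Yubico, or the NNS code base): how the User Verification setting quoted above shows up on the service provider's side, as the UV bit in the flags byte of the WebAuthn authenticatorData. Function names are hypothetical, the sample bytes are constructed, and signature, challenge and rpIdHash verification are assumed to have happened already.

```javascript
// Added example: not NNS or Internet Identity code. Function names are
// hypothetical and the sample authenticatorData bytes are constructed.
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

// Options a relying party passes to navigator.credentials.get(). Leaving
// userVerification out means the WebAuthn default, "preferred", applies.
function requestOptions(challenge, userVerification) {
  const publicKey = { challenge, timeout: 60000 };
  if (userVerification) publicKey.userVerification = userVerification;
  return { publicKey };
}

// authenticatorData starts with rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData too short");
  const flags = buf[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Server-side policy check, to run only after the assertion signature,
// challenge and rpIdHash have been verified (omitted here).
function checkUserVerification(authData, policy) {
  const d = parseAuthData(authData);
  if (!d.userPresent) return "reject: no user presence";
  if (policy === "required" && !d.userVerified) return "reject: user not verified";
  return "accept";
}

// Constructed samples: placeholder rpIdHash bytes, then flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = Buffer.alloc(37, 0xab);
  buf[32] = flags;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}
const touchOnly = sampleAuthData(FLAG_UP, 7);
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV, 8);
```

A touch-only assertion passes under "preferred" and fails under "required", so a service that wants the PIN enforced has to both request "required" and reject responses whose UV bit is clear.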

My friends @mparikh, @LightningLad91, before any complex social recovery, I think that just making it necessary to enter the seed phrase before being able to remove it would be enough to quickly and strongly secure things. After that, we could think about more sophisticated ways of recovery, but only once things are secured with the most immediate and simplest solution. I fear that by proposing a more complex system, we will not adopt any security system for a long, long time. If it is not possible to make it necessary to enter the seed phrase before being able to remove it, let’s make the seed phrase non-removable. But let’s change something quickly!

7 Likes

Yes, locking the seed phrase is the very basis of securing other more complex recovery mechanisms.

6 Likes

I so agree, my good friend, and I am so happy to have finally been understood by you and @LightningLad91.

4 Likes

I totally disagree with a non-suppressible seed phrase. I do not use a seed phrase. Everything that appears on the screen can be recorded easily. Imagine if someone has access to your seed phrase and it is not suppressible. Then the hacker would have access to your account forever.
The seed is a 1-way authentication only. This is not good.
We should always have a 2FA system. Now, the only 2FA device is Nano Ledger, which I use. So you need the Nano in your hand and need to know the PIN.
I am hoping the Yubikey can be configured to ask for the PIN as well.

1 Like