Feb 2020     Issue 12
Cybersecurity Research: Identifying Today’s Vulnerabilities for a Secure Tomorrow

Cybersecurity is the field that studies the protection of Internet-connected systems, including software, data and hardware, from malicious attacks over the Internet. The cybersecurity research group at the Department of Information Engineering within the Faculty of Engineering focuses mainly on security problems present in systems and platforms that are in use today, with a current emphasis on single sign-on (SSO) and mobile payment technologies. The research work done in this group has had a great impact – not only for system vendors but also for the general public.

SSO is the process by which a single username and password can be used to sign in to and access a variety of distributed services. For instance, IT giants like Google, Facebook and Tencent have all adopted the SSO framework, allowing users to access ecosystems consisting of services offered by them and by third-party vendors. A 2015 Gigya/OnePoll survey found that 88% of consumers already had experience of using SSO and that 65% of respondents often or always used SSO when dealing with third-party web services and mobile applications.

However, if not dealt with carefully, SSO adoption can lead to insecure implementations and corresponding vulnerabilities, putting users at risk of private-data leakage, identity theft or even monetary loss. The root causes of the problem include:
1) the inherent technical challenges and intricacies in realising foolproof security for multiple, distributed heterogeneous parties;
2) numerous ‘home-brewed’, platform-specific extensions and modifications of SSO standards by different providers;
3) the large number of third-party developers who lack the technical resources or business incentives to implement applications and services that are compatible yet secure across different platforms; and
4) commercial concerns about alienating third-party merchants and developers if a platform’s security-vetting process for third-party apps and services is too conservative.

To tackle these problems, over the last five years or so, Profs. Wing Cheong Lau and Kehuan Zhang, together with their students, have developed a series of new techniques and publicly available software tools to enable large-scale, systematic security testing [1,4,5] and code analysis [2,3,4,6] to discover critical vulnerabilities in SSO and mobile payment systems. Specifically, they have released OAuthTester [1] and MoSSOT [5] – two adaptive, model-based security testing tools – and have successfully applied them to automate the large-scale black-box testing and discovery of vulnerabilities related to SSO and mobile payments in real-world web-based services [1] and mobile applications [2,5], respectively. They have also developed S3KVetter [4] to analyse the API design and logical correctness of the implementation code in popular SSO and mobile payment software development kits (SDKs). A publicly available repository of these tools can be found here: https://github.com/cuhk-mobitec.

The following is a partial list of the impact that these platforms have had on identifying vulnerabilities:
a) Discovering and neutralising a threat in the QR code generation and scanning process at mobile payment points of sale that allowed the hijacking of the security-critical token of a top-tier cashier service [3].
b) Discovering the BadBluetooth attack [6], in which a malicious Bluetooth peripheral paired with an Android device can subvert the device's security mechanisms; this affects a number of mobile/pervasive-computing use cases in which such a peripheral takes part in the end-to-end authentication and authorisation process.
c) Exposing the vulnerabilities of 75 popular apps (whose total downloads exceed 2.4 billion) to remote app-account hijacking, through which attackers can steal sensitive information including victims’ travel itineraries, private messaging archives, financial records, photos and viewing/shopping history. Within five days of the disclosure, the company involved notified all of its third-party application developers about this critical vulnerability and the recommended fixes.
d) Discovering seven classes of critical vulnerabilities using S3KVetter [4], and informing the affected platform providers and vendors, who subsequently fixed their SDKs.
e) Discovering an inadvertent yet critical leakage of at least 10,000 valid merchant payment secret-keys from 170,000 Android APKs and 20,000 public GitHub repositories. Using these leaked secret-keys, attackers could access mobile payment transaction details and authorise illicit payment transfers or refunds to arbitrary users. Some of the affected merchants and apps included the official online tax payment app/service for a province with a population of over 80 million; the medical bill payment app/service for a major hospital; and an online social networking app with 8.6 million paying customers.
f) Discovering a new class of ‘synchronized token lifting and spending’ attacks that affected some popular point-of-sale mobile payment systems [3]. Six days after receiving the group’s report, a large merchant announced the termination and replacement of the vulnerable service.
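The leak in item (e) is a pattern that a hard-coded-secret scan over decompiled APK sources or a cloned public repository can catch before an attacker does. The following is an added example written for this article; it is not one of the group’s tools and the page does not describe how the leaked keys were found. It assumes the common shape of such a leak: a key-like identifier (merchant key, app secret, API key) assigned a long, high-entropy string literal. The keyword list, the entropy threshold, the placeholder filter and the three sample files are all constructed assumptions.

```python
"""Heuristic scan for hard-coded payment / SSO secrets in source text.

Added example, not one of the CUHK tools. Assumes a leaked key appears as a
key-like identifier assigned a long, high-entropy string literal, and that
placeholders look like "YOUR_API_KEY".
"""
import math
import os
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Identifier fragments that commonly hold merchant or app secrets (assumed starting list).
KEY_WORDS = r"secret|mch_?key|api_?key|app_?key|partner_?key|private_?key"

# Matches:  name = "value"   name: "value"   "name": "value"   name => "value"
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*?(?:" + KEY_WORDS + r")[A-Za-z0-9_]*)"
    r"[\"']?\s*(?:[:=]|=>)\s*[\"'](?P<value>[^\"']{16,})[\"']",
    re.IGNORECASE,
)

# Values that are obviously templates rather than real credentials.
PLACEHOLDER = re.compile(r"your_|xxx|placeholder|changeme|example|\$\{|<[^>]*>", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line_no: int
    name: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: 32 distinct alphanumerics score 5.0, hex ~3.9, 'aaaa…' scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return every key-like assignment whose literal is long, non-placeholder and high-entropy."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if PLACEHOLDER.search(value):
                continue
            ent = shannon_entropy(value)
            if ent < min_entropy:        # drops filler such as "aaaa…" or "0000…"
                continue
            findings.append(Finding(path, line_no, m.group("name"), value, round(ent, 2)))
    return findings


def scan_files(files: Dict[str, str], min_entropy: float = 3.0) -> List[Finding]:
    """Scan an in-memory {path: text} mapping, e.g. the output of a decompiler."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text, min_entropy))
    return out


def scan_tree(root: str, exts=(".java", ".kt", ".smali", ".py", ".js", ".json", ".xml", ".properties")) -> List[Finding]:
    """Scan a directory such as a decompiled APK or a cloned repository."""
    out: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return out


def redact(value: str) -> str:
    """Never echo a recovered secret in full into a report."""
    return value[:4] + "..." + value[-4:]


# Constructed sample inputs: a decompiled Java class, a server config file and a bundled JSON asset.
SAMPLE_FILES = {
    "decompiled/com/example/pay/PayConfig.java": (
        "public final class PayConfig {\n"
        '    public static final String MCH_ID = "1900000109";\n'
        '    public static final String MCH_KEY = "a8F3kQ9zLm2xP7vR4tY6wB1nC5dE0hJs";\n'
        '    public static final String API_KEY_TEMPLATE = "YOUR_API_KEY_HERE_REPLACE_ME";\n'
        "}\n"
    ),
    "repo/server/settings.py": (
        'APP_ID = "wx1234567890abcdef"\n'
        'app_secret = "3e7b2c9f1a4d8e6b5c0f9a2d7e1b4c8f"\n'
        'DEBUG_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\n'
    ),
    "decompiled/assets/pay.json": '{"appid": "wx1234567890abcdef", "partner_key": "Zk8Pq2Lm9Xn4Tv7Wb1Cd5Hj3Rf6Yg0Sa"}\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.name} = {redact(f.value)}  (entropy {f.entropy})")
```

On the constructed samples the scan reports MCH_KEY, app_secret and partner_key and stays silent on the short merchant ID, the YOUR_API_KEY template and the all-‘a’ debug value. The two filters matter in practice: a keyword match alone floods a 170,000-APK run with template strings, while an entropy threshold alone flags every base64 blob; requiring both keeps the output reviewable. Run `scan_tree("path/to/decompiled-apk")` against real sources, and rotate any key it surfaces before removing it from the code, since the key is already in every shipped copy.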

In recognition of its vulnerability testing research in cybersecurity:
a) Sina granted the group the maximum allowable award from its bug-bounty programme and placed it on its 2016 Top 10 Whitehat list.
b) Google inducted the group into its Bughunter Hall of Fame.
c) The group’s work served as a reference for a major priority action item in the upcoming OASIS Open Data Protocol (OData) standards to add specific guidance on implementing OAuth and OpenID for mobile devices.
d) Facebook awarded the group the 2018 Facebook/USENIX Internet Defense Prize (third place). Quoting the Award Committee: ‘This work takes a critical look at the implementation of single sign-on code. Single sign-on provides a partial solution to the internet’s over-reliance on passwords. This code is widely used, and ensuring its safety has direct implications for user safety online.’

The technical depth and quality of the aforementioned research have been demonstrated via publications and presentations at premier academic and industrial conferences, including the USENIX Security Symposium, NDSS, AsiaCCS and Black Hat. The group’s work has also received broad media coverage (e.g. by Forbes, International Business Times and Phoenix TV), raising public awareness about the security and privacy pitfalls of the applications and services concerned. Above all, the team’s discoveries have directly resulted in the elimination of security vulnerabilities, with far-reaching, critical impacts. To quote one tech giant: ‘Had these vulnerabilities and security issues not been discovered and fixed, they would have affected the overall integrity of the authentication and authorization process of many large-scale online social platforms like ours, which collectively, are serving billions of monthly active users. … CUHK security team have made the online ecosystem a safer place for billions of netizens world-wide.’

Prof. Wing Cheong Lau
Prof. Kehuan Zhang
Department of Information Engineering


[1] Ronghai Yang, Guanchen Li, Wing Cheong Lau, Kehuan Zhang and Pili Hu, ‘Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations,’ ACM AsiaCCS, Xi’an, China, May 2016.

[2] Ronghai Yang, Wing Cheong Lau and Tianyu Liu, ‘Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0,’ Black Hat Europe, London, November 2016. (An extended version of this work, entitled ‘Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols,’ by Ronghai Yang, Wing Cheong Lau and Shangcheng Shi, appeared at the 15th International Conference on Applied Cryptography and Network Security (ACNS), Osaka, Japan, August 2017.)

[3] Xiaolong Bai, Zhe Zhou, XiaoFeng Wang, Zhou Li, Xianghang Mi, Nan Zhang, Tongxin Li, Shi-Min Hu and Kehuan Zhang, ‘Picking up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment,’ 26th USENIX Security Symposium, Vancouver, Canada, August 2017. (This work was also presented as a Black Hat briefing under the title ‘All your Payment Tokens are Mine: Vulnerabilities of Mobile Payment Systems,’ by Zhe Zhou, at Black Hat Asia, Singapore, March 2018.)

[4] Ronghai Yang, Wing Cheong Lau, Jiongyi Chen and Kehuan Zhang, ‘Vetting Single-Sign-On SDK Implementations via Symbolic Reasoning,’ 27th USENIX Security Symposium, Baltimore, Maryland, US, August 2018.

[5] Shangcheng Shi, Xianbo Wang and Wing Cheong Lau, ‘MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications,’ ACM AsiaCCS, Auckland, New Zealand, July 2019.

[6] Fenghao Xu, Wenrui Diao, Zhou Li, Jiongyi Chen and Kehuan Zhang, ‘BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals,’ 26th Annual Network and Distributed System Security Symposium (NDSS), San Diego, California, US, February 2019.

Copyright © 2021.
All Rights Reserved. The Chinese University of Hong Kong.