The Uber Hack of 2022
It’s 2AM on September 15th, 2022, and a Lapsus$-affiliated hacker is about to successfully break through Uber’s multifactor authentication system. The hacker spams one of the rideshare service’s engineers with a deluge of MFA requests, while at the same time sending messages via WhatsApp in which he claims to be an Uber IT employee, states that the MFA system is malfunctioning, and says that hitting an “Accept” button will stop the notifications. Falling prey to this form of manipulation, commonly referred to as social engineering, the Uber employee is eventually convinced that the hacker’s incessant MFA requests are sincere, and lets the hacker into the system, no questions asked.
Soon enough, the hacker “pretty much [has] full access to Uber” (to quote NYTimes’ interview with Sam Curry, a security engineer who had a chance to speak with the individual responsible after the fact) and thus Uber’s new sovereign proceeds to impose his will: He posts screenshots of Uber’s internal systems to demonstrate his control; he uploads an explicit photo to Uber’s international information page for employees; he makes a public announcement that he was able to break in because Uber’s security was just that weak; he sends a message via Uber’s Slack channel demanding that Uber drivers should receive higher pay. Quite the modern Robin Hood.
Why social engineering is authentication’s thorniest problem
A fairly famous case in cybersecurity circles, the 2022 Uber hack pinpoints an extremely sensitive pain point in authentication today. Rather than targeting technical vulnerabilities, the Uber 2022 hacker preys on human psychology to trick an individual into providing what is necessary to compromise a system. In other words, human gullibility/vulnerability, not necessarily the technology, was what ultimately broke Uber’s security dam. In the cybersecurity world, this is known as social engineering. And in Uber’s case, all it took was one action from one employee.
Social engineering tactics are extremely hard to solve because, in order to do so, one must find some way of solving the human disposition to make errors. So, to better understand the techniques used to compromise one of the world’s most famous unicorn companies—and, in turn, understand the delicate and ineffective nature of the current authentication method—let’s first unpack the attack step by step. Notice the stark effectiveness of these simple strategies.
How social engineering works
Step 1: MFA fatigue
I helped build an entire training platform company to help bolster security awareness, and MFA is a frequent topic of conversation with our customers. Everybody seems to find MFA important, yet every user dislikes it and attacks bypassing it are rampant. So, what’s going on?
Well, just ask yourself: Do you enjoy MFA? No? Hackers know about this natural aversion to submitting authentication forms, and will take advantage of it as often as possible.
The situation
Using compromised user credentials, perhaps through a Single Sign-On (SSO) portal, the hacker repeatedly attempts to log in, bombarding the legitimate user with a barrage of MFA notifications. The real user wonders why they are getting so many messages and notes it as odd, but is unsure how to act. It is, after all, the security system prompting so many authentication requests, and we are programmed not to question authority.
How MFA fatigue is exploited
The attacker’s explicit goal is to spam a system user to a point of frustration and annoyance that eventually gives way to complacency and a diminished sense of company vigilance. By design, MFA fatigue exploitation uses employees’ trust in authentication against them—think reverse psychology, but for hacking. The hacker puppets the voice of security, prompting any employee of any organization to think, “if the security system is asking me to authenticate, I should probably do so.”
But if that doesn’t work, if the employee has the foresight to see through the ruse, then the hacker will deploy a second, far more convincing strategy. The plot thickens.
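From the defender's side, the pattern described above (a burst of unanswered or rejected push prompts, then a single approval) is visible in MFA logs. The following is an added example, not code from the original article; the log format, the user names, and the window and threshold values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<UTC time> <user> <push result>".
SAMPLE_LOG = """\
2022-09-15T01:58:02Z eng01 timeout
2022-09-15T01:58:40Z eng01 denied
2022-09-15T01:59:15Z eng01 timeout
2022-09-15T02:00:05Z eng01 denied
2022-09-15T02:01:30Z eng01 timeout
2022-09-15T02:02:45Z eng01 timeout
2022-09-15T02:04:10Z eng01 approved
2022-09-15T09:00:00Z eng02 denied
2022-09-15T09:00:30Z eng02 approved
"""

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # assumed tuning value


def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, time) tuples for prompt bursts and for approvals
    that arrive while a burst is still inside the sliding window."""
    recent = defaultdict(deque)  # user -> times of denied/ignored prompts
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, user, result = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # fire once when the burst is reached
                alerts.append((user, "prompt_burst", ts))
        elif result == "approved":
            if len(q) >= threshold:       # approval on top of a burst: high severity
                alerts.append((user, "approved_after_burst", ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

An `approved_after_burst` alert is the one to act on immediately, for example by revoking the resulting session and contacting the user through a known-good channel.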
Step 2: Persona hacking
The situation
Next, the hacker contacts the legitimate user directly via WhatsApp, claiming to be one of Uber’s IT personnel and claiming the system is malfunctioning. The employee thinks, “oh, this explains the strange amount of authentication requests I received,” and without a second thought lets the hacker in. Classic social engineering.
What happens during persona hacking?
Persona hacking, or disguising oneself as trustworthy personnel, takes MFA fatigue’s puppeteering a step further by manipulating the user’s confidence, and is often used in tandem with MFA fatigue in order to break a targeted user after they’ve been bombarded with authentication notifications. Together, these psychological manipulation and deception techniques are used by attackers to exploit human trust, power structures, naivety, and other vulnerabilities in order to gain unauthorized access to sensitive data.
What is the best countermeasure against social engineering?
At this point, the hacker is in and having his way with Uber’s systems. His ridiculously simple strategy creates an effect that bulldozes what would have otherwise been a normal day for Uber. C-suite and security officials scramble to address what is already a hopeless situation. An entire workday’s operations are interrupted, replaced with the burdensome effort of protecting what sensitive data they can. And finally, the driver responsible for letting the attack occur (whose position has nothing to do with cybersecurity) experiences undue shame and guilt as a result.
To avoid such disruption, some authentication services and/or cybersecurity professionals will recommend a failsafe or backup strategy should your MFA system fail, usually paired with annual cybersecurity training for employees. But these recommendations are nothing but a temporary splint for an all too pervasive and vulnerable gap in cybersecurity. As long as there are humans on the other side of authentication systems, hackers will continue to take advantage of human psychology’s predisposition to primal trust and error. We believe an effective solution to combating these tactics should start at the human level.
Cryptographically attested keystrokes are a one-stop method for fighting social engineering
Let’s reiterate: Social engineering exploits human psychology and trust, compromising authentication systems and granting unauthorized access to sensitive data. Addressing these challenges requires a comprehensive approach that goes beyond traditional authentication methods: a single failed step by an employee was enough to thwart Uber’s security.
Cryptographically attested, keystroke-based continuous authentication offers a promising solution by providing a dynamic and proactive security measure that mitigates hackers’ appetite for taking advantage of human psychology. By assigning cryptographic signatures to each keystroke, this technology continuously verifies the authenticity of users throughout their sessions, freeing employees to worry only about work-related issues rather than cybersecurity threats.
Unlike traditional authentication methods that rely on repetitive prompts and notifications, keystroke-based continuous authentication operates seamlessly in the background. Even if an employee gives in to MFA fatigue, or if the hacker’s feigned IT persona is convincing enough to bring him access, an attempt to move laterally throughout the organization’s system is instantly thwarted: the rogue keystrokes are not being physically typed on an authorized computer. With cryptographically attested keystrokes, the hacker cannot attempt to sneakily break the system without being completely exposed, giving administrators a chance to promptly freeze him out.
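A minimal sketch of the verification side of this idea, as an added example that is not the article's or any vendor's implementation. The article does not specify a scheme, so everything here is an assumption: HMAC-SHA256 stands in for a signing key held by the enrolled device, and the session binding, per-keystroke counter, and all names are hypothetical.

```python
import hashlib
import hmac
import os
import struct


def sign_keystroke(device_key, session_id, counter, key_code):
    """Device side: tag one keystroke, bound to the session and a counter.
    HMAC is a stand-in (assumption) for a device-held signing key."""
    msg = session_id + struct.pack(">QI", counter, key_code)
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class KeystrokeVerifier:
    """Server side: accept a keystroke only if the enrolled device tagged it
    for this session and its counter is strictly increasing (no replay)."""

    def __init__(self, enrolled_keys):
        self.enrolled = enrolled_keys   # device_id -> key
        self.last_counter = {}          # (device_id, session_id) -> counter

    def verify(self, device_id, session_id, counter, key_code, tag):
        key = self.enrolled.get(device_id)
        if key is None:
            return "unknown_device"
        expected = sign_keystroke(key, session_id, counter, key_code)
        if not hmac.compare_digest(expected, tag):
            return "bad_signature"
        slot = (device_id, session_id)
        if counter <= self.last_counter.get(slot, -1):
            return "replay"
        self.last_counter[slot] = counter
        return "ok"


def demo():
    laptop_key, other_key = os.urandom(32), os.urandom(32)  # constructed keys
    session = b"sess-0001"                                   # constructed id
    v = KeystrokeVerifier({"laptop-1": laptop_key})
    tag = sign_keystroke(laptop_key, session, 0, ord("l"))
    forged = sign_keystroke(other_key, session, 1, ord("s"))
    tag2 = sign_keystroke(laptop_key, session, 1, ord("s"))
    return [
        v.verify("laptop-1", session, 0, ord("l"), tag),     # genuine keystroke
        v.verify("laptop-1", session, 0, ord("l"), tag),     # same event replayed
        v.verify("laptop-1", session, 1, ord("s"), forged),  # not the enrolled key
        v.verify("laptop-1", session, 1, ord("x"), tag2),    # key code altered
    ]
```

Input from a session that was approved through a tricked MFA prompt but is not typed on the enrolled device fails the tag check, which gives administrators the signal to terminate the session.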
The concept we’re suggesting here is simple—authentication should support employee integrity and promote company vigilance. Authenticated interactions should be able to instantly detect anomalies and suspicious activity, and do so without asking employees to develop a keen sense of paranoia about every email, text, or request that comes through. Security should just be built in, shouldn’t it?
What does it mean if a “kid” can social engineer with reckless abandon?
Sam Curry, the security engineer who actually spoke with the Uber hacker, described him as “ . . . this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” implying that the attack’s threat level was essentially that of a practical joke. But this has a second, much darker implication: If a “kid” can infiltrate a large organization such as Uber with simple tactics like MFA fatigue and persona hacking, what does that mean about the current state of security? And what happens if a hacker operating with hyper-focused malintent gets into such a system?
The Marriott International, Twitter, and SolarWinds hacks of 2020 are prime examples of severe security breaches that could have been avoided with a more powerful approach to authentication. Their damages surpass the 2022 Uber hack by a long shot, and prove that MFA backup plans or flimsy cybersecurity training courses aren’t going to cut it when engineering tomorrow’s approach to cybersecurity. Software Bill of Materials and other reactions are worthy initiatives, but they do not get to the core of the problem: that impersonation gets you full privileges. The right solution, however, is simple and all-encompassing, and that journey starts here.