Device Code Phishing
This isn’t new, but it’s increasingly popular:
The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.
Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.
Device authorization relies on two paths: one from an app or code running on the input-constrained device seeking permission to log in and the other from the browser of the device the user normally uses for signing in.
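The two paths described above, as an added example (not code from the article or from this post): a minimal in-memory Python model of the OAuth 2.0 device authorization grant (RFC 8628), where the device keeps a secret device_code and the user types the short user_code, plus one defender-side check at token time. The verification URI, the 900-second code lifetime and the "same network" heuristic are illustrative assumptions, not any vendor's behaviour.

```python
# Added example, not code from the article or the post: a minimal in-memory model
# of the OAuth 2.0 device authorization grant (RFC 8628) with the two paths the
# article describes, plus one defender-side check. The verification URI and the
# "same network" heuristic are illustrative assumptions, not any vendor's API.
import secrets
import string

PENDING = {}  # device_code -> pending record (a real server would persist this)
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits

def device_authorization(client_id, device_ip, now):
    """Path 1: the input-constrained device asks the server for a code pair."""
    device_code = secrets.token_urlsafe(32)  # secret; never shown to the user
    user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
    PENDING[device_code] = {"client_id": client_id, "user_code": user_code,
                            "device_ip": device_ip, "expires_at": now + 900,
                            "user": None, "browser_ip": None}
    return {"device_code": device_code, "user_code": user_code,
            "verification_uri": "https://login.example/device",  # placeholder
            "expires_in": 900, "interval": 5}

def user_authorize(user_code, user, browser_ip, now):
    """Path 2: the user types the short code into a normal browser session."""
    for rec in PENDING.values():
        if rec["user_code"] == user_code and rec["user"] is None and rec["expires_at"] > now:
            rec["user"], rec["browser_ip"] = user, browser_ip
            return True
    return False

def same_network(ip_a, ip_b):
    """Illustrative heuristic only: compare the first three IPv4 octets."""
    return ip_a.split(".")[:3] == ip_b.split(".")[:3]

def token(device_code, now):
    """The device polls here until the user has approved (or the code expires)."""
    rec = PENDING.get(device_code)
    if rec is None:
        return {"error": "invalid_grant"}
    if rec["expires_at"] <= now:
        PENDING.pop(device_code)
        return {"error": "expired_token"}
    if rec["user"] is None:
        return {"error": "authorization_pending"}
    PENDING.pop(device_code)
    # Defender-side signal: the server cannot see who started path 1, but it can
    # notice that the polling device and the approving browser are on different networks.
    risk = "none" if same_network(rec["device_ip"], rec["browser_ip"]) else "remote_device"
    return {"access_token": "tok_" + secrets.token_hex(8), "user": rec["user"], "risk": risk}
```

The risk flag is a review signal, not a block: a legitimate user approving a home TV from a phone on mobile data trips it too.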
Clive Robinson • February 19, 2025 5:19 PM
From the article we see,
May cause people to think,
“Why, are they poor attacks?”
The attacks work and, as noted elsewhere in the article, they are very effective…
So why have other “Nation-State Actors” not used them?
It’s because in less hostile times the NatState agencies much prefer not to be seen or heard by the persons/entities of interest they are targeting. It’s part of the “Advanced Persistent Threat” (APT) thinking where “discretion” and not “tipping off” are key to long-term success.
However, in hostile times they will in effect be playing “Capture the flag”, or working to obtain an objective as quickly as is expedient.
So in non-hostile times you in effect want to,
1, “Watch from cover” (being discreet).
2, “not walk up and give them your number” (not potentially ‘tipping them off’).
For APT you would ideally not want to go inside a person/entity of interest’s systems or network, because if they go looking or have hidden instrumentation then you will be seen and action taken against you.
Also, the thing about the Internet is it’s mostly not anonymous; that is, you cannot set up some kind of interaction with an entity without,
1, Leaving a trail that can be followed.
2, Alerting the entity that you are interested in them in some way.
Thus if the entity of interest gets “curious” and backtracks your communications they will fairly quickly find there is something odd or that does not add up. At which point things unravel, and not only is the entity “tipped off”, there is a real probability they will be able to identify you.
Thus in less hostile times, you would get access to an “up-stream router” beyond the entity of interest’s “scope” and “tee off” any and all traffic, knowing that the entity of interest cannot see you doing this.
Then you would use “traffic analysis” to build up a “Communications & Connectivity Profile” to establish “baselines” to work “Deltas” against.
If you need to go after “plaintext” then you would find some way of getting KeyMat leaked via some form of side channel (all early AES implementations had horrendous “time-based” side channels that spewed the KeyMat far and wide). Another way is to abuse CA PubKey systems by tampering with the supply chain of updates in browsers and the like; just dropping in a fake CA Cert has been and still is used as a “magic key” backdoor in many places in the world.