Improve BOINC security : Account keys!

[skcin]

Issue by grctest Tuesday Apr 11, 2017 at 21:29 GMT Originally opened as https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/106

---

Improving BOINC security: Account Keys!

What are account keys?

Account keys enable your BOINC client to continue crunching with your account regardless of email or password changes. You can also log into an individual BOINC project account given the user's account key.

Whilst account keys are handy for users with many computers (saves time logging into each machine) or handy for project admins (no computation downtime due to users changing passwords), they pose an extreme security risk within the BOINC community.

Why are account keys risky?

• Changing your username, email and password has no effect on the account key. It can't easily be changed without the project admin manually changing it.
• You can log into the BOINC project web server with an user's individual project account key.
• Considering the account key never changes, once you have it you've established a permanent account compromise.

Who knows my email address?

• Account manager admins
• Individual project admins
• Your team's founder for each BOINC project.

PSA: Do you know who your team founder is? Have you hidden your email yet?

Within the Gridcoin team 99% of users have not hidden their email, this is potentially the same case across the entire BOINC community.

Who/what has access to my account keys?

• BOINC Account managers: Boincstats, Gridrepublic, potentially Gridcoin pools (needs further confirmation).
• If you're logged into the BOINC manager with username+password (instead of weak auth)
  • Anyone with physical access to your unlocked machine can rummage the local files for the account key.
  • Anyone that has remotely compromised your computer in the past could have exfiltrated your accountkey.
• An attacker who has successfully phished one BOINC account password -> If you use boincstats the attacker can gain access to your other BOINC accounts (same email) and grab the account key.
• Malicious project admins (project password -> identical Boincstats password -> external projects (w/ same pass) -> account keys for each project.
• Anyone that manages to hack an account manager or a BOINC project.
• Anyone that registered using your email address. If you continue to use this account after changing the password, you're still using a permanently compromised account.

Why care about permanent account compromise?

• Someone could impersonate you in private messages, targeting your peers.
• Your private messages could be made public.
• You can be inconvenienced by your account profile changing against your will.
• Malicious/Illegal forum posts could be made with your account, potentially landing yourself in trouble.
• Your computation schedule could be manipulated to crunch 24/7, increasing your electricity bill or posing a fire risk.
• Subtle changes could be made to reduce your RAC.
• Potential squatting of unclaimed CPID for cryptocurrency earnings.

There are many reasons, it's not a good thing.

How can I minimize risk?

• Don't use an account manager.
• Attach BOINC hosts using your weak auth key instead of username+password. This prevents the account key being created locally (physical/remote account compromise protection).
• Enable any 2FA options offered by BOINC projects.
• Don't let anyone know your BOINC email address. Strongly consider using a unique email for BOINC use.
• Don't use the same email for Gridcoin pools that you would use for your BOINC registration.
• Has anyone previously gained access to your account? Did someone else create your BOINC account? Consider creating a new BOINC account.
• Hide your email address within your individual BOINC project privacy options, otherwise your team founder has access to your email address (for most projects).
• Consider creating a seperate BOINC account with a different email address for projects you do not 100% trust.
• Consider running BOINC in containers, sandboxing project work units from one another.
• Aid in core BOINC development.

---

Thoughts?

IMO, the complete removal of account keys would be desirable. We shouldn't expose this large a risk so that a few have an easier time maintaining their BOINC environments.

[skcin]

Comment by grctest Tuesday Apr 11, 2017 at 21:41 GMT

---

Relevant security issues: https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/78 https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/102 https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/105 https://github.com/BOINC/boinc/issues/1644

[skcin]

Comment by Erkan-Yilmaz Sunday May 14, 2017 at 15:41 GMT

---

We talked about the email validation by the BOINC server also in our 8th interview (series: "talking with BOINC admins"), see the 2nd part of the interview.

[grctest]

https://github.com/marius311/boinc/commit/2c2ace80fcc850ced90342e328cfac880e2bc00b

Marius from cosmology@home began working on this, we can safely remove the account-key web authentication mechanism and implement a replacement email password recovery mechanism.