What de.fac2? Attacking an opensource U2F device in 30 minutes or less
Event Information
De.fac2 is a Common Criteria (CC) and FIDO certified FIDO U2F Java Card applet developed and certified by Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). This solutions gives a unique opportunity to look at the internals of a FIDO U2F token as well as certification claims and product security features.
The presentation introduces the process of identification of the design flaw in the product in under an hour as well as the testing of a vulnerability without access to the actual physical device.
The vulnerability was disclosed to the Bundesamt für Sicherheit in der Informationstechnik and addressed in the updated commit https://github.com/BSI-Bund/de.fac2
The acknowledged bug was addressed by the developer with the following statement:
The following attack scenario was reported to us by Sergei Volokitin: A reset command send by the reader to the card circumvents the user presence check. For example, malware on the host PC / smartphone could send a reset command to the reader programmatically. It is not possible for the card to distinguish if the reader sent a reset command or if it was physically removed from the reader. With reference to this scenario, the Guidance Documentation (AGD) and the Security Target (ST) were updated in July 2022 in a "Assurance Maintenance".