Explore the security features and vulnerabilities of FIDO U2F tokens in this 29-minute conference talk from media.ccc.de. Delve into the open-source implementation of a FIDO U2F token developed and certified by the Federal Office for Information Security (BSI). Examine the unique opportunity provided by access to both source code and certification documents. Learn about a design flaw (CVE-2022-33172) in the de.fac2 Java Card applet and understand how an attacker could potentially bypass user presence checks to execute unauthorized operations. Discover the process of identifying and testing this vulnerability without physical access to the device, and learn about the subsequent disclosure and mitigation efforts by the BSI.