Making a U2F Authentication Man-in-the-Middle Attack
2017-06-05 -  3:17
FIDO Universal Second Factor (U2F) security tokens are perhaps one of my favorite forms of Two-Factor Authentication in use today. It utilizes a Challenge/Response system where the user sends a request (usually a login request) to a service, then the service sends a challenge to the user and the U2F security token creates a mathematical response that the user sends back to the service.
Because a U2F security token is just a USB Human Interface Device (HID), it trusts the client when the client sends the U2F device data. If the client sends data to the U2F device that it can work with, it will accept that data and process it. The U2F device trusts that the client is working under the user's intentions. This means a fake client that sends different but useable data can be made and the U2F device won't find anything suspicious.
A solution could be having a display that shows the AppID of the U2F challenge, but that requires the user to verify the AppID is correct, which quickly turns this problem into an awareness based psychology problem.
I need to do more research to figure out how difficult it would be to impersonate the U2F client built into Google Chrome. If I had to make an educated guess based on what I know about security and programming in general, I would say it would likely be quite complicated and impractical. The proof-of-concept I am presenting at my presentation on the 8th of June impersonates a command line based U2F client. Authenticating over a password (for instance, using sudo in macOS, Linux, and *BSD) can be configured to require a U2F key as an added security measure. Because of this, my proof-of-concept fake client temporarily pretends to be the sudo and /usr/bin/sudo commands and ends up authenticating to a U2F enabled demo website when the user taps their U2F device rather than authenticate their sudo command.
The U2F demo website is available at https://github.com/ViGrey/u2f-demo and the U2F proof-of-concept fake client code will be available in the future, after I make the code work more consistently with different systems. At the moment, I can only say that the proof-of-concept and the demo website work on my systems and that this was only a research project to see if this could be accomplished. This research also is what started my work on the Root Phisher exploit, which I talked about in another blog post, which is linked below.