Research area: Strategies
Venue: CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
Two-factor authentication (2FA) systems aim to secure user accounts, provided that either the password or the second-factor device remains uncompromised. However, in this research, we challenge this perception and analyze the security of FIDO2 hardware security keys, which are increasingly used in 2FA and passwordless systems. Specifically, we develop an attack framework, analyze the underlying protocols of FIDO2, and examine the associated OS-level security. Through practical demonstrations, we illustrate how adversaries can exploit this framework and OS-level security measures to execute our designed attack, known as FIDOLA (<u>FI</u>DO2 <u>D</u>eception Attack via <u>O</u>verlays exploiting <u>L</u>imited Display <u>A</u>uthenticators). Our attack framework injects hidden login sessions, either into the same service the user intends to authenticate with or into a different service. It deceives users into approving the attacker's request using the limited display of authenticators. This cross-service attack raises concerns about compromising more sensitive accounts (e.g., financial) when users log into less sensitive ones. Our attack poses a practical and fundamental threat not addressed in the FIDO specification or prior research. Unlike prior research, our demonstration exposes FIDO2 authenticator vulnerabilities in real-world 2FA and passwordless setups, where OS-level security mitigates traditional concurrent attacks (simultaneous authentication attempts by the attacker). To assess our attack's effectiveness, we conducted a user study, revealing that users approved approximately 95.55% of cross-service attacks when presented with a screen overlay.
| Publication year | 2024 |
|---|---|
| Citations | 3 |
| Publishing countries | United States, Saudi Arabia |
| Site | ACM |