Markus Vervier and Michele Orrù

Oh No, Where's FIDO? - A Journey into Novel Web-Technology and U2F Exploitation


The current state of web security and phishing protection is not state of the art: some might even say this is an understatement. Still, there are continuous efforts to improve the situation. Technologies such as [1] FIDO U2F (Universal 2nd Factor Authentication), although not widely used, aim to make classic attacks like phishing theoretically impossible. Additionally, hardened sandboxes are difficult to escape, even for experienced professionals.

This talk is about subverting such well-thought mitigations by abusing novel web-technologies like WebUSB, WebBluetooth and WebAssembly.

We will show [2] novel ways of attacking U2F tokens such as the YubiKey by breaking the security models they rely on. Moreover, we will present how to use and abuse features, design, and implementation flaws of WebUSB/Bluetooth.

What about remotely upgrading your USB device's firmware? Many USB devices were not designed with such scenario in mind.

By exploiting browser bugs or using classic social engineering tricks, it is possible to abuse WebUSB/Bluetooth to steal sensitive data, cryptographic secrets, and much more depending on the device.

Tricking a user into allowing your web origin to communicate whith its keyboard (or any other USB device) might end up in unexpected ways (for the user). After an in-depth analysis of the attack vectors and threats that WebUSB/Bluetooth may introduce, some of those unexpected ways will be demoed.



Markus Vervier is Head of Research at X41. Software security is his main focus of work. During the last 15 years he collected professional experience in offensive IT security working as a security researcher and penetration tester. He likes to do review code, reverse engineer the unknown, and to discover vulnerability in applications on various platforms and architectures. Examples include: 

  • Reverse engineering and security analysis of embedded firmware for mobile devices (Android device baseband firmware).
  • Discovery of the first vulnerabilities in the Signal Private Messenger (with JP Aumasson).
  • Finding a remote vulnerability in libOTR (2016).

Michele is a security consultant with over nine years of experience in penetration testing, source code auditing and DevOps. During the last five years his focus has been on phishing and client-side exploitation:

  • Co-author of **The Browser Hacker's Handbook**
  • Lead core developer of the **Browser Exploitation Framework Project(BeEF)** and **PhishLulz**
  • Co-organizer of WarCon, a private offensive-security conference in Poland
  • Speaker at KiwiCon, RuxCon, ZeroNights, OWASP AppSec, HackPra AllStars and InsomniHack security conferences about browser security.