Sergei Volokitin
Sergei Volokitin is a security analyst at Riscure in the Netherlands, where his work is mostly focused on security evaluation of embedded systems and security testing of mobile devices. He has a number of publications on Java Card platform attacks and conference presentations on hardware security.
Session
Hardware FIDO U2F tokens are security devices which are meant to defend user second-factor keys from physical and remote attacks.
This presentation covers the different security features implemented by FIDO U2F tokens and how they are meant to protect a user from various attack scenarios.
We will focus on the open-source implementation of a FIDO U2F token developed and Common Criteria certified by the Federal Office for Information Security (BSI).
Having access not only to the source code of the token applet, but the certification documents as well gives a unique opportunity of
Finally, a design flaw in the solution is discussed (CVE-2022-33172) and an attack on a hardware token security feature will be presented, which could allow an attacker in control of the user's PC to fake user presence and execute a number of unauthorized sensitive operations.