How to Protect Against WebUSB U2F Phishing

OffensiveCon
Markus Vervier and antisnatchor (co-author of the BeEF framework) presented new research about advanced client-side attacks (https://www.offensivecon.org/speakers/2018/markus-and-michele.html) at Offensive Con in Berlin. In particular, attacks against U2F have drawn public attention, and they were featured in an article by wired.com.

What is the problem?

U2F devices have extra layers of protection against phishing. When a website requires U2F authentication, the browser ensures that the domain is correct and part of the authentication process. For example, this effectively means a malicious site hosted at maliciousphishing.com could not acquire valid authentication tokens for gmail.com.

In 2017, a new API was introduced for Google Chrome that allows direct access to USB devices from websites. If a user confirms a permission dialog, direct access to a U2F device can be acquired.

This allows to emulate the browser and generate authentication responses for any website registered at the U2F device.

This has been confirmed to work as a proof-of-concept for the YubiKey NEO.

What can you do about this?

Users should be aware that giving access to USB devices and, in particular, U2F devices can expose all information stored on them, even for other sites where they are used.

When using U2F in Chrome, a permissions dialog asking for explicit access to U2F devices will never appear. The devices should just work.

In addition, users should turn off APIs such as WebUSB and WebBluetooth if they are not needed. WebBluetooth can be disabled using a GPO as described in support documentation provided by Google. There seems to be no current way to turn off WebUSB via a browser configuration switch in recent Chrome versions.

Get in touch!

If you have questions about advanced attacks, security audits, or other security research, please get in touch with us.