Evaluating the exploitability of cryptographic vulnerabilities in FIDO2 USB authenticators
PANINI, GABRIEL
2024/2025
Abstract
The FIDO2 standard provides cryptographic protocols that enable phishing-resistant, passwordless authentication. However, implementations of such protocols have been shown to be vulnerable to side-channel attacks whose effectiveness has been demonstrated across various scenarios. Prior research has successfully extracted private keys from several categories of hardware devices, such as smartcards. In this thesis, we investigate the feasibility of executing timing side-channel attacks on FIDO2 hardware authenticators under different threat models. Our evaluation is based on a Nordic nRF52840 board running OpenSK, an open-source CTAP2 implementation. We first modify OpenSK to introduce a timing side-channel vulnerability, and then we attempt to exploit it using different methods for timing collection. These range from an unprivileged program running in the host's user space to specialized hardware capable of intercepting USB traffic. The collected timing traces are used to build a heuristic lattice-based attack aimed at recovering the private key used for the authentication process. Since such attacks can be computationally demanding, we also explore a GPU-accelerated approach to assess how parallelism can reduce the effort required. Overall, our results show that FIDO2 authenticators are not immune to timing attacks and that these can be carried out even by unprivileged attackers, underscoring the need for constant-time cryptographic implementations.

| File | Size | Format |
|---|---|---|
| Panini.Gabriel.pdf (open access). Description: Evaluating the exploitability of cryptographic vulnerabilities in FIDO2 USB authenticators | 1.35 MB | Adobe PDF |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14251/4528