Abstract

The current state of web security and phishing protection is not state of the art: some might even say this is an understatement. Still, there are continuous efforts to improve the situation. Technologies such as [1] FIDO U2F (Universal 2nd Factor Authentication), although not widely used, aim to make classic attacks like phishing theoretically impossible. Additionally, hardened sandboxes are difficult to escape, even for experienced professionals.

This talk is about subverting such well-thought-out mitigations by abusing novel web technologies like WebUSB, WebBluetooth and WebAssembly.

We will show [2] novel ways of attacking U2F tokens such as the YubiKey by breaking the security models they rely on. Moreover, we will present how to use and abuse features, design, and implementation flaws of WebUSB/Bluetooth.

What about remotely upgrading your USB device's firmware? Many USB devices were not designed with such a scenario in mind.

By exploiting browser bugs or using classic social engineering tricks, it is possible to abuse WebUSB/Bluetooth to steal sensitive data, cryptographic secrets, and much more depending on the device.

Tricking a user into allowing your web origin to communicate with their keyboard (or any other USB device) might end in unexpected ways (for the user). After an in-depth analysis of the attack vectors and threats that WebUSB/Bluetooth may introduce, some of those unexpected ways will be demoed.

Videos