
CTRAPS: CTAP Client Impersonation and API Confusion on FIDO2

Marco Casagrande, Daniele Antonioli

TL;DR

This work uncovers the CTAP Authenticator API as a critical yet under-examined attack surface in FIDO2, introducing two classes of protocol-level attacks (CI and AC) that yield eleven concrete exploits. It provides the CTRAPS toolkit and demonstrates practical feasibility across six authenticators and ten relying parties, independent of the CTAP transport. The authors propose eight backward-compatible countermeasures that fix the root causes and discuss deficiencies in the FIDO threat model revealed by their findings. The study emphasizes the need for stronger API authentication, safer destructive operations, and credential-management policies to preserve security and privacy in passwordless ecosystems.

Abstract

FIDO2 is the standard technology for single-factor and second-factor authentication. It is specified in an open standard, including the WebAuthn and CTAP application layer protocols. We focus on CTAP, which allows FIDO2 clients and hardware authenticators to communicate. No prior work has explored the CTAP Authenticator API, a critical protocol-level attack surface. We address this gap by presenting the first security and privacy evaluation of the CTAP Authenticator API. We uncover two classes of protocol-level attacks on CTAP that we call CTRAPS. The client impersonation (CI) attacks exploit the lack of client authentication to tamper with FIDO2 authenticators. They include zero-click attacks capable of deleting FIDO2 credentials, including passkeys, without user interaction. The API confusion (AC) attacks abuse the lack of protocol API enforcements and confound FIDO2 authenticators, clients, and unaware users into calling unwanted CTAP APIs while thinking they are calling legitimate ones. The presented eleven attacks are conducted either in proximity or remotely and are effective regardless of the underlying CTAP transport. We detail the eight vulnerabilities in the CTAP specification enabling the CTRAPS attacks. Six are novel and include unauthenticated CTAP clients and trackable FIDO2 credentials. We release CTRAPS, an original toolkit, to analyze CTAP and conduct the CTRAPS attacks. We confirm the attacks' practicality on a large scale by exploiting six popular authenticators from Yubico (including a FIPS-certified one), Feitian, SoloKeys, and Google, and ten widely used relying parties, such as Microsoft, Apple, GitHub, and Facebook. We present eight practical and backward-compliant countermeasures to fix the attacks and their root causes. We responsibly disclosed our findings to the FIDO Alliance and the affected vendors.

Paper Structure

This paper contains 30 sections, 4 figures, and 7 tables.

Figures (4)

  • Figure 1: CTRAPS threat model. The user authenticates to the relying party using a client (e.g., a browser) and an authenticator (hardware dongle). When needed, the user grants UP by pressing a button on the authenticator and UV by submitting a PIN to the client. We study two attacker models: (i) a client impersonation attacker targeting the authenticator over CTAP (left), and (ii) a MitM attacker in the CTAP channel between the authenticator and the client.
  • Figure 2: CI$_{1}$ attack. Factory reset authenticator via Reset. While in NFC range, the attacker calls the Reset API. Over NFC, the authenticator skips UP and instantly factory resets, deleting all of its discoverable and non-discoverable credentials.
  • Figure 3: CI$_{2}$ attack. Track user from credentials via GetAssertion. The attacker connects to the authenticator and calls the GetAssertion API (GA in the figure). They skip UV by targeting relying parties that use the weak default CredProtect policy and skip UP by passing up=false. The authenticator returns a list of credential and user identifiers, which the attacker uses to fingerprint the authenticator and track the user.
  • Figure 4: AC$_{1}$ attack. Delete discoverable credentials with proximity. The user intends to call API A, which requires UV but not necessarily UP, for example GetAssertion, ClientPin, or MakeCred. The attacker obtains UV from the unsuspecting user. Instead of API A, they call CredMgmt (CM in the figure). They execute four CredMgmt subcommands, which list and then delete all discoverable credentials on the authenticator.
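As an added example that is not part of the paper or the CTRAPS toolkit, the following Python model shows how an authenticator's request dispatcher could enforce the three countermeasure themes named in the TL;DR against the attacks of Figures 2, 3 and 4: UP for Reset on every transport, no silent disclosure of credential IDs the client does not already hold, and CredMgmt deletion only with UV bound to that API plus a fresh UP. The command codes, subcommand code and credProtect levels are the real CTAP2 values; the `Request` and `Credential` types, the policy itself and the choice of status names are constructed here and do not reproduce the paper's eight countermeasures.

```python
from dataclasses import dataclass, field

# Real CTAP2 command codes and the CredentialManagement deleteCredential subcommand.
GET_ASSERTION, RESET, CRED_MGMT, CM_DELETE_CREDENTIAL = 0x02, 0x07, 0x0A, 0x06
# Real credProtect levels: 1 (the spec default, the weak default policy of Figure 3),
# 2 (userVerificationOptionalWithCredentialIDList) and 3 (userVerificationRequired).
CP_UV_OPTIONAL, CP_UV_REQUIRED = 1, 3

@dataclass
class Credential:          # constructed stand-in for a stored FIDO2 credential
    rp_id: str
    cred_id: bytes
    cred_protect: int = CP_UV_OPTIONAL

@dataclass
class Request:             # constructed stand-in for a decoded CTAP2 request
    command: int
    transport: str                 # "usb" or "nfc"; the policy below deliberately never consults it
    user_present: bool = False     # UP: a button press observed for this very request
    uv_for_command: int = 0        # UV: the command the pinUvAuthToken was issued for (0 = none)
    params: dict = field(default_factory=dict)  # allowList is simplified to raw credential IDs

@dataclass
class HardenedAuthenticator:  # constructed policy model, not any vendor's firmware
    creds: list

    def handle(self, req):
        uv = req.uv_for_command == req.command  # UV counts only when bound to this API (vs. Figure 4)
        if req.command == RESET:
            # Safer destructive operation: Reset needs UP on every transport, NFC included (vs. Figure 2).
            if not req.user_present:
                return ("CTAP2_ERR_OPERATION_DENIED", None)
            self.creds.clear()
            return ("CTAP2_OK", None)
        if req.command == GET_ASSERTION:
            allow = set(req.params.get("allowList", []))
            hits = [c for c in self.creds if c.rp_id == req.params["rpId"]]
            if not req.params.get("options", {}).get("up", True) and not uv:
                # Silent request (up=false, no UV): treat every credential as at least level 2,
                # so no credential ID is disclosed unless the client already holds it (vs. Figure 3).
                hits = [c for c in hits if c.cred_id in allow and c.cred_protect < CP_UV_REQUIRED]
            elif not uv:
                hits = [c for c in hits if c.cred_protect < CP_UV_REQUIRED]
            return ("CTAP2_OK", [c.cred_id for c in hits]) if hits else ("CTAP2_ERR_NO_CREDENTIALS", None)
        if req.command == CRED_MGMT and req.params.get("subCommand") == CM_DELETE_CREDENTIAL:
            # Credential management: UV bound to CredMgmt plus a fresh UP before any deletion (vs. Figure 4).
            if not (uv and req.user_present):
                return ("CTAP2_ERR_PIN_AUTH_INVALID" if not uv else "CTAP2_ERR_OPERATION_DENIED", None)
            self.creds = [c for c in self.creds if c.cred_id != req.params["credentialId"]]
            return ("CTAP2_OK", None)
        return ("CTAP2_ERR_INVALID_COMMAND", None)
```

The model deliberately ignores `transport`: the point of the paper's attacks is that they work over any CTAP transport, so the checks must not depend on it.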