Session Replication Attack Through QR Code Sniffing in Passkey CTAP Registration

  • Conference paper
ICT Systems Security and Privacy Protection (SEC 2024)

Abstract

Passkey is an authentication method to supplement passwords; it leverages the open standard Fast IDentity Online (FIDO) and public key cryptography technology to ensure security. In this study, we uncover vulnerabilities within the Passkey registration process when it employs the FIDO Client to Authenticator Protocol (CTAP) method using a PC and an authenticator. We emphasize two risks: unauthorized individuals exploiting vulnerabilities in Chromium-based browsers to initiate concurrent registration processes and register their own Passkeys instead of legitimate users', and the lack of a registration success acknowledgment from the server to the authenticator. Considering these vulnerabilities, we implement a session replication attack, which is a local attack, through QR code sniffing during Passkey CTAP registration, and employ physical proximity and Wi-Fi jamming attacks within the Passkey registration process. We elucidate methods that enable these attacks and categorize the attack scenarios based on the smartphone of the victim. Our experimental results indicate a notable success rate for attackers, exceeding 87% for victims with Android phones and more than 67% for victims with iPhones. We disclosed the vulnerabilities identified in Chromium-based browsers to Google.

Supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2021-0-00511, Robust AI and Distributed Attack Detection for Edge AI Security and No. 2021-0-00565, Development of User identity certification and management technology for self-sovereign identity applications).

Corresponding author

Correspondence to Daeseon Choi.

Copyright information

© 2024 IFIP International Federation for Information Processing

About this paper

Cite this paper

Kim, D., Kim, S., Ryu, G., Choi, D. (2024). Session Replication Attack Through QR Code Sniffing in Passkey CTAP Registration. In: Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K. (eds) ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, vol 710. Springer, Cham. https://doi.org/10.1007/978-3-031-65175-5_21

  • DOI: https://doi.org/10.1007/978-3-031-65175-5_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-65174-8

  • Online ISBN: 978-3-031-65175-5

  • eBook Packages: Computer Science, Computer Science (R0)
