I recently received an interview about a passwordless login. It became a topic about the realization method of FIDO2. I explained the classification of hardware FIDO2 and software FIDO2. In addition, I explained that the method using smartphones is quite low in security due to the vulnerability of smartphones. There was a question from the interviewer as to whether there were cases of cyber attacks. It will take a little longer before we can present crime cases. So, at least I have investigated the vulnerabilities of smart fans, so I would like to introduce them here.
Hardware FIDO2
For FIDO2 login, the authentication information of FIDO2 Security Key such as ENSURITY ThinC-AUTH is isolated that is completely physically separated from the PC terminal, and all registration data and processing related to fingerprint authentication are also performed within USB dongle. It is performed in the USB dongle, so it is the hardware FIDO2. On the other hand, the face authentication-based FIDO2 method is software FIDO2, in which face data is acquired using a camera, data registration and authentication processing are performed on a personal computer using a personal computer program.
Check Point Research
It was discovered by Check Point Research, a research and development department at Technologies, over a four-month research period. This time, Check Point Research broke through QSEE using a method called “fuzzing” that inputs a large amount of data and observes system behavior one by one. They found vulnerabilities for each company's devices.
Using discovered vulnerabilities, criminals can run trusted applications, load patched trusted applications into secure areas, bypass Qualcomm's trust chain, or load trusted applications extracted from other devices. The Qualcomm chip vulnerability discovered this time affects not only smartphone devices but also IoT devices. Check Point Research has reported the results to the companies, and Qualcomm, Samsung, and LG have already released patches.
(Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices", https://thehackernews.com/hehackernews.com/2019/11/qualcomm-android-hacking.html)
