FIDO2 is the standard technology for single-factor and second-factor authentication. It is specified in an open standard that includes the WebAuthn and CTAP application-layer protocols. We focus on CTAP, which allows FIDO2 clients and hardware authenticators to communicate. No prior work has explored the CTAP Authenticator API, a critical protocol-level attack surface. We address this gap by presenting the first security and privacy evaluation of the CTAP Authenticator API. We uncover two classes of protocol-level attacks on CTAP that we call CTRAPS. The client impersonation (CI) attacks exploit the lack of client authentication to tamper with FIDO2 authenticators; they include zero-click attacks capable of deleting FIDO2 credentials, including passkeys, without user interaction. The API confusion (AC) attacks abuse the lack of protocol-level API enforcement and confound FIDO2 authenticators, clients, and unaware users into calling unwanted CTAP APIs while believing they are calling legitimate ones. The eleven attacks we present are conducted either in proximity or remotely and are effective regardless of the underlying CTAP transport. We detail the eight vulnerabilities in the CTAP specification that enable the CTRAPS attacks; six are novel and include unauthenticated CTAP clients and trackable FIDO2 credentials. We release CTRAPS, an original toolkit, to analyze CTAP and conduct the CTRAPS attacks. We confirm the attacks' practicality at scale by exploiting six popular authenticators from Yubico (including a FIPS-certified one), Feitian, SoloKeys, and Google, and ten widely used relying parties, such as Microsoft, Apple, GitHub, and Facebook. We present eight practical and backward-compatible countermeasures that fix the attacks and their root causes. We responsibly disclosed our findings to the FIDO Alliance and the affected vendors.
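The abstract's central point is that the CTAP Authenticator API carries no client authentication and is the same on every transport. The following added example (written for this page, not part of the CTRAPS toolkit or the paper) makes that concrete by implementing the CTAP2 request framing from the specification: one command byte followed by a canonically ordered CBOR map of parameters, carried unchanged over USB HID, NFC, or BLE. The command codes, the authenticatorClientPIN parameter keys (0x01 pinUvAuthProtocol, 0x02 subCommand) and the getPINRetries subcommand value are taken from the CTAP specification; the sample frames are constructed for illustration, and the comments about what a frame does describe the specification, not the paper's attack steps.

```python
"""CTAP2 request framing: command byte + CBOR parameter map.

Added example for this page (not the CTRAPS toolkit). Implements the CBOR
subset CTAP uses (unsigned/negative ints, byte strings, text strings,
arrays, maps, booleans) with CTAP canonical ordering. Note that nothing in
the frame identifies the client that sent it: an authenticator cannot tell
a legitimate client from any other process that reaches the transport.
"""

# Authenticator API command codes from the CTAP 2.x specification.
CTAP_COMMANDS = {
    0x01: "authenticatorMakeCredential",
    0x02: "authenticatorGetAssertion",
    0x04: "authenticatorGetInfo",
    0x06: "authenticatorClientPIN",
    0x07: "authenticatorReset",            # wipes all resident credentials
    0x08: "authenticatorGetNextAssertion",
    0x09: "authenticatorBioEnrollment",
    0x0A: "authenticatorCredentialManagement",
    0x0B: "authenticatorSelection",
    0x0C: "authenticatorLargeBlobs",
    0x0D: "authenticatorConfig",
}


def _head(major, n):
    """CBOR initial byte(s): 3-bit major type + shortest-form length/value."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")


def cbor_encode(v):
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode("utf-8")
        return _head(3, len(enc)) + enc
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        # CTAP canonical map ordering: shorter encoded key first, then bytewise.
        items = [(cbor_encode(k), cbor_encode(x)) for k, x in v.items()]
        items.sort(key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type for CTAP CBOR: {type(v).__name__}")


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (value, next_pos)."""
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26, 27):
        width = 1 << (info - 24)
        n = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("indefinite-length items are not allowed in CTAP")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        out = []
        for _ in range(n):
            x, pos = cbor_decode(buf, pos)
            out.append(x)
        return out, pos
    if major == 5:
        out = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            x, pos = cbor_decode(buf, pos)
            out[k] = x
        return out, pos
    if major == 7 and n in (20, 21):
        return n == 21, pos
    raise ValueError(f"unsupported CBOR item: major {major}, info {info}")


def encode_ctap_request(cmd, params=None):
    """Build the transport-independent CTAP request payload."""
    return bytes([cmd]) + (cbor_encode(params) if params else b"")


def decode_ctap_request(frame):
    """Parse a captured request payload into (command name, parameter map)."""
    name = CTAP_COMMANDS.get(frame[0], f"unknown(0x{frame[0]:02x})")
    params = {}
    if len(frame) > 1:
        params, end = cbor_decode(frame, 1)
        if end != len(frame):
            raise ValueError("trailing bytes after CBOR parameter map")
    return name, params


if __name__ == "__main__":
    # Constructed sample: ClientPIN getPINRetries (pinUvAuthProtocol=1, subCommand=1).
    req = encode_ctap_request(0x06, {0x01: 1, 0x02: 1})
    print(req.hex(), decode_ctap_request(req))
    # authenticatorReset is a single byte with no parameters at all.
    print(encode_ctap_request(0x07).hex(), decode_ctap_request(b"\x07"))
```

Running the decoder over payloads captured from a USB HID, NFC or BLE sniffer classifies each command by the Authenticator API it invokes; the absence of any client identity field in the parsed result is the structural fact behind the abstract's "unauthenticated CTAP clients" vulnerability.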