Threat model
Assuming any adversary can:
- Control any computer the token gets plugged into
- Gain physical access to the U2F token
That adversary will not be able to glean any secret information or be able to duplicate the key. If the key is to be stolen, however, then obviously he could use the U2F token to maliciously pose as someone else. So the threat model is similar to a modern car key in that it cannot be duplicated but could physically be stolen.
Implementation
There are 3 main requirements that are implemented:
- Cryptographic acceleration
- Tamper resistance
- Good random number generation
These requirements are implemented with the ATECC508 chip by Atmel. It's a security peripheral that handles 256 bit ECC operations over the full key life cycle, all implemented in hardware. It has an on chip true random number generator (TRNG) and atomic counters. It also includes voltage and temperature sensors to detect tampering. All secret keys are write only -- keys can only be generated on chip using the internal TRNG which ensures that no one will know any secret key used.
Side channels
Despite having a perfect, "to-spec" implementation, embedded systems can leak secrets through other side channels. Particularly, differential power analysis and fault injection methods have been able to recover keys from embedded systems. This typically requires high end equipment, training, and physical access to the target embedded system. So TL;DR if you potentially could be targeted by well sponsored adversaries, then you should be wary of the security of any embedded system. Side channels are largely an unsolved problem.