New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys


Hardware security keys—such as those through Google and Yubico—are considered the most secure means to protect balances from phishing and takeover attacks.

But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded inside it.

The vulnerability (tracked as CVE-2021-3011 ) allows the bad acting professional to extract the encryption essential or the ECDSA private key connected to a victim’s account through a FIDO Universal 2nd Element (U2F) device like Google Titan Key or YubiKey, thus totally undermining the 2FA protections.

“The adversary can indication in to the victim’s program account without the U2F gadget, minus the victim noticing, ” NinjaLab researchers Victor Lomne and Thomas Roche mentioned in a 60-page analysis.

“In other words, the foe created a clone of the particular U2F device for the victim’s application account. This clone will give access to the application account as long as the genuine user does not revoke its second factor authentication credentials. inch

The whole checklist of products impacted by the particular flaw includes all versions associated with Google Titan Security Key (all versions), Yubico Yubikey Neo, Feitian FIDO NFC USB-A / CANINE, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C and K21, and Feitian FIDO NFC USB-C / K40.

Besides the security keys, the attack can also be transported out on NXP JavaCard potato chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

The key-recovery assault, while doubtless severe, needs to meet a number of prerequisites in order to be productive.

An actor will certainly have first to steal the target’s login and password of an account secured by the physical key, then stealthily gain access to Titan Security Crucial in question, not to mention acquire expensive equipment costing north of $12, 000, and possess enough expertise to build custom made software to extract the key linked to the account.

“It is still more secure to use your Google Titan Security Key or other affected products as a FIDO U2F two-factor authentication token to register to applications rather than not using one, ” the researchers said.

To replicated the U2F key, the experts set about the task by tearing the device down using a hot air gun to remove your invisalign aligner casing and expose the particular two microcontrollers soldered in it — a secure enclave (NXP A700X chip) that’s used to perform the cryptographic operations and a general-purpose chip that provides a router between the USB/NFC interfaces as well as the authentication microcontroller.

Once this is achieved, the researchers say it’s possible in order to glean the ECDSA encryption key via a side-channel attack simply by observing the electromagnetic radiations arriving off the NXP chip throughout ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that’s performed when an U2F key is registered for the first time to work along with a new account.

A side-channel strike typically works based on information gained from the implementation associated with a personal computer, rather than exploiting a weakness within the software. Often, this kind of attacks leverage timing information, energy consumption, electromagnetic leaks, and acoustic signals being a source of data leakage.

By obtaining 6, 000 such side-channel remnants of the U2F authentication request commands over a six-hour time period, the researchers said they had been able to recover the ECDSA personal key linked to a RUFFIE U2F account created for the experiment using an unsupervised device learning model.

Although the security of an equipment security key isn’t diminished by the above attack due to the limitations involved, any exploitation in the wild is not inconceivable.

“Nevertheless, this work shows that the Search engines Titan Security Key (or some other impacted products) would not prevent [an] unnoticed safety breach by attackers willing in order to put enough effort into it, inch the researchers concluded. “Users that will face such a threat need to probably switch to other RUFFIE U2F hardware security keys, where no vulnerability has yet been discovered. ”