New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
The vulnerability allows a bad actor to extract the encryption key or the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.
An actor will first have to steal the target's login and password for an account secured by the physical key, then stealthily gain access to the Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000 and have enough expertise to build custom software to extract the key linked to the account.
To clone the U2F key, the researchers set about the task by tearing the device down using a hot air gun to remove the plastic casing and expose the two microcontrollers soldered in it - a secure enclave that's used to perform the cryptographic operations and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller.
Once this is achieved, the researchers say it's possible to glean the ECDSA private key via a side-channel attack by observing the electromagnetic radiation coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that's performed when a U2F key is registered for the first time to work with a new account.
Although the security of a hardware security key isn't diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.
"Nevertheless, this work shows that the Google Titan Security Key would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it," the researchers concluded.