Security News > 2021 > January > Researchers Show Google's Titan Security Keys Can Be Cloned
Researchers have found a way to clone Google's Titan Security Keys through a side-channel attack, but conducting an attack requires physical access to a device for several hours, as well as technical skills, custom software, and relatively expensive equipment.
A new attack method against such devices was described by researchers from NinjaLab, a France-based company that specializes in the security of cryptographic implementations.
According to NinjaLab, in addition to Titan devices and NXP Java Card chips, the attack also works against a Yubico Yubikey model that is no longer offered for sale - newer Yubico products do not appear to be impacted - and Feitian-branded security keys.
First of all, the attacker would need to obtain the victim's security key for several hours without raising suspicion - the victim could change the password or take other steps to secure their account if they notice that their security key is missing and they suspect that an attack on their account is imminent.
The attacker then needs to open the Titan Security Key casing without damaging the chip, perform the EM radiation analysis, and create a clone of the security key.
"Nevertheless, this work shows that the Google Titan Security Key would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."
News URL
Related news
- Google Chrome gets a mind of its own for some security fixes (source)
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries (source)
- WeChat devs introduced security flaws when they modded TLS, say researchers (source)
- Researchers Discover Severe Security Flaws in Major E2EE Cloud Storage Providers (source)
- Apple Opens PCC Source Code for Researchers to Identify Bugs in Cloud AI Security (source)