Researchers Show Google’s Titan Security Keys Can Be Cloned

Researchers have found a way to clone Google’s Titan Security Keys through a side-channel attack, but conducting an attack requires physical access to a device for several hours, as well as technical skills, custom software, and relatively expensive equipment.

Security keys are considered highly effective at protecting accounts against takeover attempts and, unlike other types of two-factor authentication (2FA), they are much more difficult to compromise. They are recommended for securing very important accounts because they make it very difficult for attackers to access the targeted user’s account even if the attackers have phished the user’s credentials and compromised the user’s mobile phone, which is often used as part of the multi-factor authentication process.

A new attack method against such devices was described by researchers from NinjaLab, a France-based company that specializes in the security of cryptographic implementations. They conducted experiments on the Google Titan Security Key’s secure element, namely the NXP A700X chip, and Rhea, an NXP J3D081 Java Card that is freely available on the web and which uses the same cryptographic library.

The method was validated in the summer of 2020 and reported to Google and Dutch-American semiconductor manufacturer NXP in early October. Google has acknowledged the research, but determined that it does not qualify for a bug bounty because the vulnerability exists in the NXP product.

According to NinjaLab, in addition to Titan devices and NXP Java Card chips, the attack also works against a Yubico Yubikey model that is no longer offered for sale — newer Yubico products do not appear to be impacted — and Feitian-branded security keys. Feitian is the company that makes Google’s Titan key, but it also sells them under its own brand.

Conducting an attack involves capturing electromagnetic (EM) emanations from the NXP chip while it computes ECDSA (Elliptic Curve Digital Signature Algorithm) signatures, the core cryptographic operation of the FIDO U2F protocol. The attack leverages what researchers described as a side-channel vulnerability in the ECDSA signature implementation (CVE-2021-3011).

The researchers said it took 4 hours to acquire 4,000 side-channel traces of the U2F authentication request command on the Rhea device, and 6 hours to monitor 6,000 operations on the Titan, which allowed them to extract the ECDSA private key linked to an account.

The extracted private key can allow an attacker to clone the device and use it to log in to the targeted user’s account, assuming that they have also obtained the account username and password.

However, the researchers pointed out that an attack is not easy to conduct. First of all, the attacker would need to obtain the victim’s security key for several hours without raising suspicion — the victim could change the password or take other steps to secure their account if they notice that their security key is missing and they suspect that an attack on their account is imminent.

The attacker then needs to open the Titan Security Key casing without damaging the chip, perform the EM radiation analysis (which takes several hours), and create a clone of the security key. The researchers also highlighted that the equipment needed to conduct the analysis costs roughly €10,000 ($12,000), and the attacker would also need to have the technical skills to develop custom software and conduct an attack.

“Thus it is still clearly far safer to use your Google Titan Security Key (or other impacted products) as FIDO U2F two-factor authentication token to sign in to applications like your Google account rather than not using one,” the researchers explained in their paper. “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
