Researchers have found a way to clone Google’s Titan Security Keys through a side-channel attack, but conducting an attack requires physical access to a device for several hours, as well as technical skills, custom software, and relatively expensive equipment.
Hardware security keys are considered highly effective at protecting accounts against takeover, and they are much harder to compromise than other types of two-factor authentication (2FA), such as SMS or app-generated codes. They are recommended for securing high-value accounts because they keep attackers out even after the victim's credentials have been phished and their mobile phone, which often serves as the second factor, has been compromised.
A new attack method against such devices was described by researchers from NinjaLab, a France-based company that specializes in the security of cryptographic implementations. They conducted experiments on the Google Titan Security Key’s secure element, namely the NXP A700X chip, and Rhea, an NXP J3D081 Java Card that is freely available on the web and which uses the same cryptographic library.
The method was validated in the summer of 2020 and it was reported to Google and Dutch-American semiconductor manufacturer NXP in early October. Google has acknowledged the research, but determined that it does not qualify for a bug bounty due to the fact that the vulnerability exists in the NXP product.
According to NinjaLab, in addition to Titan devices and NXP Java Card chips, the attack also works against a Yubico Yubikey model that is no longer offered for sale — newer Yubico products do not appear to be impacted — and Feitian-branded security keys. Feitian is the company that makes Google’s Titan key, but it also sells them under its own brand.
Conducting an attack involves capturing the electromagnetic (EM) emanations of the NXP chip while it computes ECDSA (Elliptic Curve Digital Signature Algorithm) signatures, the core cryptographic operation of the FIDO U2F protocol. The attack exploits what the researchers describe as a side-channel vulnerability in the chip's ECDSA signature implementation (CVE-2021-3011).
The researchers said it took 4 hours to acquire 4,000 side-channel traces of the U2F authentication request command on the Rhea device, and 6 hours to monitor 6,000 operations on the Titan, which allowed them to extract the ECDSA private key linked to an account.
The recovered ECDSA private key allows an attacker to build a clone of the device that produces valid U2F responses for the account that key was registered to, and thus to log in to that account, assuming they have also obtained the username and password.
However, the researchers pointed out that an attack is not easy to conduct. First of all, the attacker would need to obtain the victim’s security key for several hours without raising suspicion — the victim could change the password or take other steps to secure their account if they notice that their security key is missing and they suspect that an attack on their account is imminent.
The attacker then needs to open the Titan Security Key casing without damaging the chip, perform the EM radiation analysis (which takes several hours), and create a clone of the security key. The researchers also highlighted that the equipment needed to conduct the analysis costs roughly €10,000 ($12,000), and the attacker would also need to have the technical skills to develop custom software and conduct an attack.
“Thus it is still clearly far safer to use your Google Titan Security Key (or other impacted products) as FIDO U2F two-factor authentication token to sign in to applications like your Google account rather than not using one,” the researchers explained in their paper. “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”