Posted on January 9, 2021 at 2:28 PM
Researchers at NinjaLab have discovered that threat actors who gain physical access to certain hardware security keys can clone them by exploiting an electromagnetic side-channel in the embedded chip.
The research has raised concerns that hardware security keys from Yubico and Google Titan, widely considered the most secure form of 2FA, may not be completely secure after all.
The researchers said the vulnerability, tracked as CVE-2021-3011, enables threat actors to extract the ECDSA private key, the encryption key tied to the target’s account, from a FIDO Universal 2nd Factor (U2F) device. Once the key is extracted, it allows the attacker to bypass the two-factor (2FA) protection.
“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” the researchers noted.
Although the chip cannot be attacked directly, a threat actor can extract the key indirectly through a “side-channel attack.”
It is widely accepted among security researchers and experts that 2FA keys offer the best protection against threat actors. But the NinjaLab discovery shows how a threat actor in possession of a Google Titan key can clone it.
Any successful cloning requires sophistication
Before an attack can succeed, the threat actors must clear certain hurdles. They would first need possession of the target’s physical key, as well as the account password, for a considerable amount of time.
They also need expensive custom software to make cloning possible. These requirements put the attack out of reach of most hackers; only those with enough resources at their disposal, such as state-sponsored hackers, could carry it out.
But the discovery shows that the Google Titan Security Key may not be able to stop a sustained attack from hackers who are serious about breaching its security.
The researchers advised that users who may be exposed can move to other FIDO U2F hardware security keys in which no such vulnerability has been discovered yet.
Two-factor authentication is used to make systems more difficult to hack or infiltrate. Password-only protection is meant to keep unauthorized users out; a 2FA system is more secure still because it adds an extra layer of security. A 2FA protocol usually asks for a second factor, which could be a fingerprint, possession of a physical object, or a one-time password.
Physical keys have been widely used as the most secure form of 2FA, since they hold long-term secrets that they use internally. The secret also cannot be phished. Another reason many prefer a physical key is convenience, as it works on all major operating systems.
But some hackers are using sophisticated tools to bypass such security measures, even though the protocol itself remains secure.
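A cloned key signs with the victim’s private key, so the one signal a relying party has that a clone is in use is the U2F signature counter: the genuine token and the clone each keep their own count, and the first one to fall behind produces a counter that does not increase. The following is an added example, not code from the article or from NinjaLab; it models that server-side check over constructed responses, assumes the raw U2F authentication-response layout (user-presence byte, 4-byte big-endian counter, ECDSA signature), and treats signature verification as done elsewhere.

```python
import struct
from dataclasses import dataclass, field

# U2F authentication response layout (FIDO U2F raw message format):
#   byte 0     : user-presence flags (bit 0 = user present)
#   bytes 1..4 : 32-bit big-endian signature counter
#   bytes 5..  : ECDSA signature over the challenge (verified separately)
HEADER = struct.Struct(">BI")

def parse_counter(response: bytes) -> int:
    """Return the signature counter from a raw U2F authentication response."""
    if len(response) < HEADER.size:
        raise ValueError("truncated U2F response")
    presence, counter = HEADER.unpack_from(response)
    if not presence & 0x01:
        raise ValueError("user presence not asserted")
    return counter

@dataclass
class RelyingParty:
    """Minimal relying-party state: last accepted counter per key handle."""
    last_counter: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def authenticate(self, key_handle: bytes, response: bytes) -> bool:
        counter = parse_counter(response)
        previous = self.last_counter.get(key_handle, -1)
        # A genuine token increments its counter on every signature. A value
        # that is not strictly greater than the stored one means a second
        # device holding the same private key has signed in the meantime.
        if counter <= previous:
            self.alerts.append((key_handle, previous, counter))
            return False
        self.last_counter[key_handle] = counter
        return True

class Token:
    """Simulated authenticator; a clone starts with a copy of the victim's counter."""
    def __init__(self, counter: int = 0):
        self.counter = counter

    def sign(self) -> bytes:
        self.counter += 1
        # Constructed placeholder standing in for the real DER-encoded ECDSA signature.
        return HEADER.pack(0x01, self.counter) + b"\x30\x00"

def clone_detection_demo() -> tuple:
    """Victim signs twice, a clone signs once, then the victim's next sign-in trips the check."""
    rp, handle, victim = RelyingParty(), b"victim-key-handle", Token()  # constructed handle
    rp.authenticate(handle, victim.sign())               # counter 1, accepted
    rp.authenticate(handle, victim.sign())               # counter 2, accepted
    clone = Token(counter=victim.counter)                # cloned after key extraction
    clone_ok = rp.authenticate(handle, clone.sign())     # counter 3, looks legitimate
    victim_ok = rp.authenticate(handle, victim.sign())   # also counter 3: regression
    return clone_ok, victim_ok, len(rp.alerts)
```

The check only fires once both devices have signed, so the clone’s first sign-in succeeds; the value of the counter is that the mismatch surfaces on the victim’s next use instead of never.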
Cloning also takes time
Cloning the device also takes time, which may discourage some threat actors who want to exploit the vulnerability. The cloning begins with exposing the NXP A700X chip: the key’s casing is removed using a scalpel and a hot air gun.
After exposing the chip, the attacker connects it to the measurement hardware and takes the measurements. Once the measurements are complete, the threat actor reseals the chip and returns the key to the victim.
The entire process of extracting and resealing the chip takes approximately five hours, according to the researchers. But the threat actors still need to spend another 6 hours taking measurements.
So the attacker may need the device for more than 10 hours before cloning it successfully. The NinjaLab research team thinks such a laborious process will rule out ordinary hackers. But state-backed hackers looking for specific targets could still attempt the whole exercise.
Other hardware keys from firms like Yubico and Feitian that use a similar security chip may be vulnerable as well.
Both Yubico and NXP have been informed of the researchers’ claims, and neither has denied that the vulnerability exists.
The recently discovered Titan vulnerability is one of the few weaknesses seen in a mainstream 2FA key.
But the NinjaLab researchers still stress that, despite the vulnerability, using the keys to sign in to accounts remains safer than using no security key at all.