Hackers Can Clone Google Titan 2FA Keys Using Side Channel In NXP Chips

There is a large consensus among security experts that physical two-factor authentication keys offer the most effective protection against account takeovers. The research released today doesn’t change that, but it does show how malicious attackers in physical possession of a Google Titan key can clone it.

There are a few hurdles to overcome for an attack to be successful. A hacker would first have to steal a target’s account password and gain secret possession of the physical key for 10 hours. Cloning also requires up to $ 12,000 in equipment, custom software, and advanced training in electrical engineering and cryptography. This means that key cloning – if it ever happened in the wild – would likely only be done by a nation-state pursuing its most important goals.

“Nevertheless, this work shows that the Google Titan security key (or other relevant products) would not avoid [an] a security breach unnoticed by attackers willing to put enough effort into it, ”researchers from security firm NinjaLab wrote in a research article published Thursday. “Users facing such a threat should probably switch to other FIDO U2F hardware security keys, for which no vulnerabilities have yet been discovered.”

The 2FA gold standard

Two-factor authentication, or 2FA, is a method that makes account counting much more difficult. Instead of only using a password to prove that a person is authorized to access an account, 2FA requires a second factor, such as a one-time password, possession of a physical object, fingerprint or other biometric element.

Physical keys are part of – otherwise the– Most secure forms of 2FA because they store the long-term secret that makes them work internally and only produce non-reusable values. The secret is also impossible to phish. Physical keys are also more convenient, as they work on all major operating systems and hardware.

The Titan vulnerability is one of the only weaknesses ever found in a consumer 2FA key. As unlikely as it is, a successful real-world exploit would completely undermine the security guarantees provided by thumb-sized devices. NinjaLab researchers are quick to point out that despite the weakness, it’s still safer to use a Titan passkey or other assigned authentication device to log into accounts than not to.

Attack of the clones

Cloning works by using a heat gun and scalpel to remove the plastic key casing and expose the NXP A700X chip, which acts as a secure element that stores cryptographic secrets. Then, an attacker connects the chip to the hardware and software which takes steps while registering it to work with a new account. Once the measurement is complete, the attacker seals the chip in a new case and returns it to the victim.

Extraction and resealing of the chip takes about four hours. It takes another six hours to take action for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for one account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.

By observing the local electromagnetic radiation as the chip generates the digital signatures, the researchers are exploiting a secondary channel vulnerability in the NXP chip. The exploit allows an attacker to obtain the long run
Designated elliptical curve digital signal algorithm private key for a given account. With the cryptographic key in hand, the attacker can then create their own key, which will work for each targeted account.

Paul Kocher, an independent crypto expert with no involvement in the research, said that while the actual risk of an attack is low, the discovery of the secondary channel is nonetheless important, given the class of users: dissidents, lawyers, journalists and other high-value targets – who depend on them and the possibility of attacks will improve over time.

“The work is remarkable because it is a successful attack against a well-hardened target designed for high security applications, and clearly breaks the security characteristics of the product,” he wrote in an email. “A real adversary may well be able to fine-tune the attack (eg, shorten data collection time and / or remove the need to physically open the device). For example, the attack can be extended to a token left in a hotel gym locker for an hour. “

Do the impossible

This is because the Google Titan, like other security keys that use the FIDO U2F standard, is supposed to make it impossible to transfer cryptographic keys and signatures out of the device, as NinjaLab researchers noted:

As we have seen, the FIDO U2F protocol is very simple, the only way to interact with the U2F device is through registration or authentication requests. The registration phase will generate a new ECDSA key pair and output the public key. The authentication will mainly perform an ECDSA signature operation where we can choose the input message and get the output signature.

Therefore, even for a legitimate user, there is no way to know the ECDSA secret key of a given application account. This is a limitation of the protocol which, for example, makes [it] Unable to transfer user credentials from one security key to another. If a user wishes to switch to a new hardware security key, a new registration phase must be performed for each application account. This will create new ECDSA key pairs and revoke the old ones.

This functionality limitation is a strength from a security point of view: by design, it is not possible to create a clone. It is also an obstacle to side channel reverse engineering. Without any control over the secret key, it is hardly possible to understand the details (let alone attack) a highly secure implementation. We’ll have to find a workaround to look at the security of the implementation in a more practical setting.

Risk assessment

Although it describes a way to compromise the security of a key sold by Google, the search will not receive payment under Google’s bug bounty program, which offers rewards to hackers who discover security holes. in Google products or services and privately report them to the company. A Google spokeswoman said attacks that require physical possession are outside the scope of the company’s security key threat model. She also noted the difficulty and expense of carrying out an attack.

While the researchers carried out their attack on the Google Titan, they believe other hardware using the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several 2FA keys made by Feitian.

In an email, Yubico spokeswoman Ashton Miller said the company was aware of the research and believed its findings to be correct. “While researchers note that access to physical devices, expensive equipment, custom software, and technical skills are required for this type of attack, Yubico recommends revoking access for a lost, stolen, or misplaced YubiKey NEO. to mitigate risk, ”she writes.

Representatives for chipmaker NXP and Feitian were not immediately available for comment.

A countermeasure that may partially mitigate the attack is for service providers who offer key-based 2FA to use a feature built into the U2F standard that counts the number of interactions a key has had with servers. from the supplier. If a key reports a number that does not match what is stored on the server, the vendor will have good reason to believe that the key is a clone. A Google spokesperson said the company has the feature.

The research – conducted by Ninjalab co-founders Victor Lomné and Thomas Roche in Montpellier, France – is impressive, and over time it will likely lead to the correction of the secondary channel vulnerability. In the meantime, the vast majority of people using an affected key should continue to do so, or at most switch to a key with no known vulnerability. The worst outcome of this research would be that people would stop using physical security keys altogether.