There is broad consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that thinking, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.
There are some steep hurdles to overcome for an attack to be successful. A hacker would first have to steal a target’s account password and also secretly obtain the physical key for 10 hours. Cloning also requires up to $12,000 in equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the most important cloning — if it ever happened in the wild — would likely only be done by a nation-state pursuing its most valuable goals.
Nevertheless, this work shows that the Google Titan security key (or other affected products) could not be avoided [an] undetected security breach by attackers willing to put in the effort,” researchers at security firm NinjaLab wrote in a research paper published Thursday. “Users facing such a threat will likely need to switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”
The 2FA gold standard
Two-factor authentication, or 2FA, is a method that makes taking over accounts much more difficult. Rather than just using a password to prove that someone is authorized to access an account, 2FA requires a second factor, such as a one-time password, possession of a physical object or a fingerprint or other biometric data.
Physical keys are among the – if not – the-the most secure forms of 2FA because they store the long-term secret that makes them work internally, outputting only non-reusable values. The secret is also impossible to phishing. Physical keys are also more convenient, as they work on all major operating systems and hardware.
The Titan vulnerability is one of the few weaknesses ever found in a regular 2FA key. Unlikely as it may be, a successful real-world exploit would completely undermine the security guarantees offered by the thumb-sized devices. The NinjaLab researchers are quick to point out that despite the weakness, it is still safer to use a Titan security key or other compromised authentication device to log into accounts than not.
Attack of the Clones
The cloning works by using a heat gun and scalpel to remove the plastic key case and expose the NXP A700X chip, which acts as a secure element that stores the cryptographic secrets. An attacker then connects the chip to hardware and software that take measurements while using the key to authenticate to an existing account. Once the measurement is complete, the attacker seals the chip in a new case and returns it to the victim.
Unpacking and later resealing the chip takes approximately four hours. It takes another six hours to perform measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for one account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.
By observing the local electromagnetic radiation as the chip generates the digital signatures, the researchers exploit a side channel vulnerability in the NXP chip. The exploit allows an attacker to obtain the private key of the long-term digital signal elliptic curve algorithm destined for a particular account. With the crypto key in hand, the attacker can then create her own key, which works for whatever account she targets.
Paul Kocher, an independent cryptography expert who was not involved in the investigation, said that while the real risk of the attack is low, the discovery of side channels is nonetheless important given the class of users — dissidents, lawyers, journalists and other high-profile users. targets – that rely on them and the possibility that attacks will improve over time.
“The work is notable for being a successful attack on a well-tempered target designed for high-security applications, clearly breaking the security features of the product,” he wrote in an email. “A real adversary might be able to fine-tune the attack (for example, reducing the time to collect data and/or removing the need to physically open the device). For example, the attack could be extended to a token that sits in a hotel gym locker for an hour.”
Do the impossible
Indeed, the Google Titan, like other security keys that use the FIDO U2F standard, would make it impossible to transfer crypto keys and signatures from the device, as the NinjaLab researchers noted:
As we have seen, the FIDO U2F protocol is very simple, the only way to communicate with the U2F device is through registration or authentication requests. The registration phase generates a new ECDSA key pair and issues the public key. The authentication will mainly perform an ECDSA signature operation where we can choose the input message and get the output signature.
Therefore, even for a legitimate user, there is no way to know the secret ECDSA key of a particular application account. This is a limitation of the protocol which means, for example: [it] impossible to transfer the user credentials from one security key to another. If a user wants to move to a new hardware security key, each application account must go through a new registration phase. This creates new ECDSA key pairs and revokes the old ones.
This limitation in functionality is a strength from a security point of view: by design it is not possible to create a clone. It is also an obstacle to side-channel reverse engineering. Without some control over the secret key, it’s hardly possible to understand (let alone attack) the details of a highly secure implementation. We will have to find a solution to study the security of the implementation in a more convenient framework.
Despite describing a way to compromise the security of a key Google sells, the study receives no payment under Google’s bug bounty program, which offers rewards to hackers who discover security flaws in Google products or services and report it privately to the company. A Google spokeswoman said attacks that require physical possession are beyond the scope of the company’s security model. She also pointed out the difficulty and cost of executing an attack.
As the researchers launched their attack on the Google Titan, they believe that other hardware using the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several of Feitian’s 2FA keys.
In an email, Yubico spokeswoman Ashton Miller said the company is aware of the investigation and believes the findings are correct. “While the researchers note that physical access to devices, expensive equipment, custom software, and technical skills are required for this type of attack, Yubico recommends revoking access for a lost, stolen, or misplaced YubiKey NEO to reduce the risk,” she wrote.
In a statement, NXP officials wrote:
NXP is aware of the report and appreciates the cooperation of the researchers. Since October 2020, we have actively communicated with the majority of potentially affected customers and given them the opportunity to discuss with our security experts. This effort is nearly complete. We encourage customers to complete their own risk assessment for their systems and applications using the affected products. The root cause cannot be resolved in the affected products. However, there are use cases where countermeasures can be taken at the system level. Newer generations of these products with additional countermeasures are available.
Representatives for Feitian were not immediately available for comment.
A countermeasure that may partially mitigate the attack is that service providers offering key-based 2FA use a feature built into the U2F standard that counts the number of interactions a key has had with the provider’s servers. If a key reports a number that does not match what is stored on the server, then the provider has good reason to believe that the key is a clone. A spokeswoman for Google said the company has this feature.
The research – from Ninjalab co-founders Victor Lomné and Thomas Roche in Montpellier, France – is impressive and will likely lead to the side channel vulnerability being fixed in due course. In the meantime, the vast majority of people using an affected key should continue to do so, or at the most switch to a key with no known vulnerabilities. The worst outcome of this research would be that people would stop using physical security keys altogether.
Post updated to add comments from NXP.