Side channel Attacks strike again! Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

[Pickles von Brine]

Quote

Yubico and Feitian keys that use the same chip are likely susceptible, too.

There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and to also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.

“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”

Source
Okay. I clickbaited a bit. The "good" thing here is the fact the attack requires a bit of work and pretty much a nation-state actor.  It is really nuts when you think about "Who in the heck figures this shit out?". And if someone did do it, it would be something out of a james bond movie. Rather wild. 

[Fasterthannothing]

Click bait a little is a big understatement. If someone has that level of physical access you have bigger problems. If they managed to get all that information and access to your stuff in the first place your completely screwed anyway no matter what security you have. 

[Pickles von Brine]

3 minutes ago, Shorty88jr said:

Click bait a little is a big understatement. If someone has that level of physical access you have bigger problems. If they managed to get all that information and access to your stuff in the first place your completely screwed anyway no matter what security you have. 

Agreed. 

[StDragon]

15 minutes ago, Shorty88jr said:

Click bait a little is a big understatement. If someone has that level of physical access you have bigger problems. If they managed to get all that information and access to your stuff in the first place your completely screwed anyway no matter what security you have. 

Dead man's switch - If you're not able to authenticate (biometric) within a timely manner scheduled every so often, the physically key should fry itself from an on-board capacitor discharge.  

[jagdtigger]

20 minutes ago, StDragon said:

If you're not able to authenticate (biometric) within a timely manner

Biometrics (fingerprint, blood, etc) can be easily obtained and/or faked so that wont help.....  Maybe a retina scan would withstand faking but thats like going after a sparrow with a cannon....

[StDragon]

12 minutes ago, jagdtigger said:

but thats like going after a sparrow with a cannon....

You can never do an overkill of a solution  Because when you have to be absolutely sure, paranoia is an asset 

[wanderingfool2]

38 minutes ago, StDragon said:

Dead man's switch - If you're not able to authenticate (biometric) within a timely manner scheduled every so often, the physically key should fry itself from an on-board capacitor discharge.  

For a second I read it as fry himself, and was like...woah, that's a bit harsh for not authenticating.

 

To the topic

Overall, it's a super sensationalist click-baiting title really...given that you need the physical access to the key, the password, and super expensive equipment.  This would only ever be practical on high-valued targets, and there are likely easier ways of getting the data you need.  (Given such a high level target would likely be following the protocols to change their password every month, so unless you have already compromised something of theirs it doesn't really seem practical)

[rcmaehl]

As a cyber security enthusiast, if you have physical access to <insert component>, it might as well be considered pwnd. Good to know I'll need to update my fobs but I still don't plan to let them out of my possession.

[AnonymousGuy]

At that point you know what also works?  Put a gun to the head of the guy whose account you're trying to access.

[colonel_mortis]

These attacks are certainly academically very interesting, and I suspect Google will be releasing a new hardened variant of it in due course. However, once you have the physical security key for a day to exploit it, you may as well just use it to log into their account then, without going to the effort of exploiting a side channel attack. Obviously there are cases where you might not want (or be able) to access the account now, but do want to later, but it's limited to the absolutely most high profile targets by nation state attackers.

[Hassan170]

14 hours ago, AnonymousGuy said:

At that point you know what also works?  Put a gun to the head of the guy whose account you're trying to access.

$12000, 10 hours and a degree in cryptography and engineering. yeah there are much more easier ways to get that info

[Commodus]

Reminds me of how there was supposedly a major issue with Touch ID because you could fake a fingerprint using a gel model. If the people trying to get into your phone are that skilled and determined, you have far bigger problems than whether or not they can see your text messages.

[Sir Asvald]

I was planning to get YubiKey key for our PKI Datacenter.. seems that is out of the window....

[StDragon]

6 hours ago, Hassan170 said:

$12000, 10 hours and a degree in cryptography and engineering. yeah there are much more easier ways to get that info

 

[jagdtigger]

43 minutes ago, Sir Asvald said:

I was planning to get YubiKey key for our PKI Datacenter.. seems that is out of the window....

Did you even read it? Physical access for several hours is pretty hard (borderline impossible) to pull off unnoticed....

[Sir Asvald]

9 minutes ago, jagdtigger said:

Did you even read it? Physical access for several hours is pretty hard (borderline impossible) to pull off unnoticed....

Yes I did..for my line of work. Anything that has a vulnerability no matter how long it takes is still to crack it and not worth the risk.

[jagdtigger]

1 hour ago, Sir Asvald said:

Yes I did..for my line of work. Anything that has a vulnerability no matter how long it takes is still to crack it and not worth the risk.

Then that line of work is a catch-22. You cant use anything with vulnerability but everything has (at least) one so cant use anything......

[soldier_ph]

Yea good luck getting into any of my accounts: I've got full Disk encryption setup on the Notebook/PC, I use LastPass to store all of my Passwords and Secrets with the Yubico Yubikey 5Ci as it's 2FA method, all other important Passwords to access my Devices, the LastPass and my main Google account are stored in my Head. Each Password of every account is the maximum allowed length long which usually is between 72 and 99 characters and it gets changed every 6 Months. The Yubikey is also used as the 2FA method wherever they give you the option to setup that.

 

Yea like at this point you may as well just point an RPG at my Head n' stuff. 

[Guest willies leg]

It's really easy to get at any cloud stuff in full, just have an insider clone the virtual machine, even while it's running. That, along with the disk blocks, will let you get past any encryption since you'll have everything. And there's no artifacts left in the original instance, you didn't even touch that.

 

[jagdtigger]

1 hour ago, willies leg said:

That, along with the disk blocks, will let you get past any encryption since you'll have everything.

Unless the VM uses full disk encryption, cant clone RAM -> SOL......

[Guest willies leg]

On 1/10/2021 at 1:28 PM, jagdtigger said:

Unless the VM uses full disk encryption, cant clone RAM -> SOL......

Actually you can.

Snapshot the VM's RAM, you've got the key. The hypervisor has full access to the RAM.