There is a broad consensus among security experts that physical two-factor authentication keys provide the most effective protection against account hacks. The research published today does not change that, but it does show how malicious attackers with the physical possession of a Google Titan key can clone it.
There are some steep obstacles to overcome for an attack to be successful. A hacker would first have to steal a target’s account password and also obtain secret possession of the physical key for up to 10 hours. Cloning also requires up to $ 12,000 worth of equipment, custom software and advanced knowledge in electrical engineering and encryption. This means that key cloning – if it ever happened in the wild – would probably be done only by a nation-state in search of its most valuable targets.
“However, this work shows that Google’s Titan security key (or other affected products) would not prevent [an] security breach unnoticed by attackers willing to put enough effort into it, ”wrote researchers at security company NinjaLab in a research article published on Thursday. “Users facing such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerabilities have yet been discovered.”
The 2FA gold standard
Two-factor authentication, or 2FA, is a method that makes account control much more difficult to perform. Instead of just using a password to prove that someone is authorized to access an account, 2FA requires a second factor, such as a one-time password, possession of a physical object or a fingerprint or other biometrics.
The physical keys are between – if not The– the safest forms of 2FA because they store the long-term secret that makes them work internally and only produce non-reusable values. The secret is also impossible to phish. Physical keys are also more convenient, as they work on all major operating systems and hardware.
Titan’s vulnerability is one of the only weaknesses found in a conventional 2FA key. As unlikely as it may be, successful exploration in the real world would completely undermine the security guarantees that thumb-sized devices provide. NinjaLab researchers are quick to point out that, despite the weakness, it is still safer to use a Titan security key or other affected authentication device to log into accounts than not.
Attack of the clones
Cloning works using a hot air gun and a scalpel to remove the plastic casing from the key and expose the NXP A700X chip, which acts as a secure element that stores cryptographic secrets. An attacker then connects the chip to the hardware and software that takes measurements as it is registered to work with a new account. Once the measurement is complete, the attacker seals the chip in a new wrapper and returns it to the victim.
-
The extracted Titan printed circuit board and part of the box.
-
Front of a Titan PCB.
-
Titan PCB back side.
-
“First we protect the PCB by gluing a little aluminum tape around it and cut a square just above the NXP A7005a packaging. mold appears. “This figure shows the result.
-
The lateral channel analysis platform used in this study.
-
The spatial position of the EM probe above the Titan NXP A7005a matrix.
The extraction and subsequent sealing of the chip takes about four hours. It takes another six hours to make measurements for each account that the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours for cloning a key for two accounts and 22 hours for three accounts.
By observing local electromagnetic radiation as the chip generates digital signatures, the researchers exploit a side channel vulnerability in the NXP chip. Exploitation allows an attacker to obtain long-term
Private key of the elliptical curve digital signal algorithm assigned to a given account. With the cryptographic key in hand, the attacker can create his own key, which will work for each account he has targeted.
Paul Kocher, an independent cryptography expert with no involvement in the research, said that while the risk of attack in the real world is low, the discovery of the side channel is important, given the class of users – dissidents, lawyers, journalists and other targets of high value – that count on them and the possibility of attacks improving over time.
“The work is notable because it is a successful attack against a well-enforced target designed for high security applications and clearly breaks the security features of the product,” he wrote in an email. “A true opponent may well be able to refine the attack (for example, by shortening the data collection time and / or removing the need to physically open the device). For example, the attack can extend to a token left in a hotel gym locker for an hour. “
Doing the impossible
In fact, Google Titan, like other security keys that use the FIDO U2F standard, should make it impossible to transfer cryptographic keys and signatures off the device, as the NinjaLab researchers noted:
As we have seen, the FIDO U2F protocol is very simple, the only way to interact with the U2F device is through registration or authentication requests. The registration phase will generate a new ECDSA key pair and produce the public key. The authentication will mainly perform an ECDSA signature operation, where we can choose the incoming message and obtain the outgoing signature.
Therefore, even for a legitimate user, there is no way to know the ECDSA secret key for a given application account. This is a limitation of the protocol that, for example, makes [it] impossible to transfer user credentials from one security key to another. If a user wants to switch to a new hardware security key, a new registration phase must be made for each application account. This will create new ECDSA key pairs and revoke the old ones.
This limitation of functionality is a strong point from the point of view of security: by design, it is not possible to create a clone. In addition, it is an obstacle to reverse engineering of the side channel. Without any control over the secret key, it is almost impossible to understand the details (let alone attack) of a highly secure implementation. We will have to find an alternative solution to study the security of the implementation in a more convenient configuration.
Risk assessment
Despite describing a way to compromise the security of a key that Google sells, the search will not receive a payment under Google’s bug reward program, which offers rewards for hackers who discover security holes in Google products or services and report them privately to the company. A Google spokeswoman said attacks that require physical possession are outside the scope of the company’s security key threat model. She also noted the difficulty and cost of carrying out an attack.
While the researchers carried out their attack on Google’s Titan, they believe that other hardware that uses the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several 2FA keys made by Feitian.
In an email, Yubico spokeswoman Ashton Miller said the company is aware of the research and believes its findings are accurate. “Although researchers note that access to physical devices, expensive equipment, custom software and technical skills are necessary for this type of attack, Yubico recommends revoking access to a lost, stolen or lost YubiKey NEO to mitigate the risk,” she wrote. .
Representatives of chip maker NXP and Feitian were not immediately available for comment.
A countermeasure that can partially mitigate the attack is that service providers that offer key-based 2FA use a feature built into the U2F standard that counts the number of interactions a key has had with the provider’s servers. If a key reports a number that does not match what is stored on the server, the provider will have a good reason to believe that the key is a clone. A Google spokeswoman said the company has this feature.
The research – by Ninjalab co-founders, Victor Lomné and Thomas Roche in Montpellier, France – is impressive and, over time, is likely to result in correcting the vulnerability of the lateral canal. In the meantime, the vast majority of people who use an affected key must continue to do so or, at most, switch to a key with no known vulnerabilities. The worst result of this research would be for people to stop using physical security keys.