Google is urging Chromebook users to update devices to fix a critical vulnerability in an experimental Chrome OS feature that handles two-factor authentication procedures.
The vulnerability impacts the Chrome OS feature known as the "built-in security key," which lets a Chromebook stand in for a hardware USB, NFC, or Bluetooth security key.
The feature can be used when registering for or logging into a website. The user presses the Chromebook's power button, and the device sends a cryptographic token to the website, just as a classic hardware key would. The difference is that the user proves ownership and identity with the Chromebook itself instead of a small USB, NFC, or Bluetooth-based key.
Vulnerability found in H1 chip firmware
But earlier this year, Google engineers discovered a vulnerability in the firmware of the H1 chips that handle the cryptographic operations behind the "built-in security key" feature.
Google found that the chip's firmware was mishandling some operations and accidentally reducing the entropy of a secret value used when generating cryptographic signatures, making the signatures far easier to break. Google's technical explanation is below:
We discovered a vulnerability in the H1 security chip firmware concerning ECDSA signature generation. The firmware code used incompatible transfer instructions when passing a critical secret value to the cryptographic hardware block, resulting in generating secret values of a specific structure and having a significant loss of entropy in the secret value (64 bits instead of 256 bits). We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying ECC private key to be obtained. Thus, attackers that have a single pair of signature and signed data can effectively compute the private key, breaking any functionality or protocols that use the key pair in question.
As a result, Google says that attackers who obtain "a single pair of signature and signed data" can fake the user's security key without having access to the user's Chrome OS device.
Slight chance of abuse
Pairs of signatures and signed data are exchanged between Chrome OS devices and websites during the process of registering or logging into an account.
"We don't expect the vulnerable signatures to have been exposed broadly as they will usually be passed across HTTPS connections," Google said, about the chances of attackers intercepting the data needed for attacks while in transit across the internet.
"However, since the signature is not considered sensitive in the U2F [Universal 2nd Factor] protocols, it would be inadequate to assume that no signatures have been observed or logged / stored in locations where they still may be retrieved from," Google also added.
"As such, the built-in U2F authenticator feature that has generated vulnerable signatures using the vulnerable H1 firmware must be considered cryptographically broken."
But Google also adds that this is not a reason to panic. First, even if attackers obtain signatures and recover the private key needed to create other signatures, they would only have broken the second factor of the classic two-factor authentication process.
Attackers would still need to know or have a user's password to break into accounts.
Furthermore, Google says that even a weakened U2F solution is still well out of reach of most attackers, most of whom engage in phishing operations and lack the technical acumen to attack the second factor. So in theory, most Chromebook users should be safe.
"Nevertheless, we recommend users to take remediation steps as described below to avoid the risk of running with a cryptographically weakened U2F authenticator," Google said.
Firmware fix available
"Full remediation requires both a firmware fix and retiring key pairs that have generated vulnerable signatures," the company added. The full steps are below.
1. Update to Chrome OS 75 or later to receive a fix for the H1 chip firmware. Production H1 firmware versions with a version number of 0.3.14 and earlier contain the vulnerability. Versions 0.3.15 and later are not vulnerable. The H1 firmware version is listed on the chrome://system page under cr50_version, specifically the RW line.
2. Make a list of your accounts on websites where you have registered a security key generated by Chrome OS' built-in security key feature.
3. Unregister the Chrome OS built-in security key from all these services. Exact instructions vary by service, but typically there are "account settings" or "security settings" that list registered security keys and give you the option to remove / unregister security keys. There is no need to change passwords or other account security settings.
4. (optional) Review recent successful logins to services to determine whether there's anything suspicious.
5. In case you received an "Internal security key requires reset" notification, click "Reset" on the notification to prevent it from showing again.
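The first remediation step hinges on reading the RW line of the cr50_version entry correctly and comparing it against the 0.3.15 threshold. The Python snippet below is an added example, not Google's tooling; the sample cr50_version text is constructed and the exact layout of that chrome://system entry is an assumption, so the parser accepts both a bare "RW 0.3.14" line and a "RW_FW_VER=0.3.14" line. An entry with no recognisable RW line raises an error rather than being reported as safe.

```python
import re

# Constructed samples of a cr50_version entry (layout assumed, see lead-in).
SAMPLE_VULNERABLE = """\
RO 0.0.10
RW 0.3.14
"""
SAMPLE_FIXED = """\
RO_FW_VER=0.0.10
RW_FW_VER=0.3.15
"""

# Per the advisory: RW 0.3.14 and earlier are affected, 0.3.15 and later are not.
FIRST_FIXED_RW = (0, 3, 15)

# Matches the RW line in either assumed style and captures major.minor.patch.
RW_LINE = re.compile(r"^\s*RW(?:_FW_VER)?\s*[=:]?\s*(\d+)\.(\d+)\.(\d+)\s*$", re.M)


def rw_version(cr50_text):
    """Return the RW firmware version as a (major, minor, patch) tuple, or None."""
    m = RW_LINE.search(cr50_text)
    return tuple(int(x) for x in m.groups()) if m else None


def h1_firmware_vulnerable(cr50_text):
    """True when the RW firmware is 0.3.14 or earlier.

    Raises ValueError if no RW line is found, so an unparseable entry is
    never silently treated as patched.
    """
    version = rw_version(cr50_text)
    if version is None:
        raise ValueError("no RW firmware version line found in cr50_version output")
    return version < FIRST_FIXED_RW


if __name__ == "__main__":
    for label, text in (("sample A", SAMPLE_VULNERABLE), ("sample B", SAMPLE_FIXED)):
        v = rw_version(text)
        state = "VULNERABLE: update Chrome OS and retire keys" if h1_firmware_vulnerable(text) else "fixed"
        print(f"{label}: RW {'.'.join(map(str, v))} -> {state}")
```

Tuple comparison is used deliberately: comparing "0.3.9" and "0.3.15" as strings would get the order wrong, which is exactly the kind of mistake that makes a fleet inventory report a vulnerable device as patched.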
Impacted Chromebook models
Google said that only Chromebook models that have the H1 chip and support the built-in security key feature are impacted. Users who never used the feature aren't affected.
Nevertheless, Google recommends updating devices to Chrome OS 75 or later as a precaution, in case users decide to enable the feature in the future. Users can visit the Chrome OS chrome://version page to see what model/codename their device has and compare it to the list below.
Google released Chrome OS 75 in late June. The company disclosed the U2F ECDSA vulnerability impacting H1 chips in early July. The one criticism is that the company didn't broadly advertise the issue, only publishing an advisory on the Chromium OS security advisories page.
Starting with Chrome OS 76, Google also started showing an alert, asking Chromebook users to reset their built-in security key, to remove any older keys that had been generated via the older H1 chip firmware.