New side-channel attack can recover encryption keys from Google Titan security keys
A duo of French security researchers has discovered a vulnerability impacting chips used inside Google Titan and YubiKey hardware security keys.
The vulnerability allows threat actors to recover the encryption key used by the hardware security key to generate cryptographic tokens for two-factor authentication (2FA) operations.
Once obtained, the two security researchers say the ECDSA private key would allow threat actors to clone Titan, YubiKey, and other keys to bypass 2FA procedures.
Attack requires physical access
However, while the attack sounds disastrous for Google and Yubico security key owners, its severity is not what it seems.
In a 60-page PDF report, Victor Lomne and Thomas Roche, researchers with Montpellier-based NinjaLab, explain the intricacies of the attack, also tracked as CVE-2021-3011.
For starters, the attack won't work remotely against a device, over the internet, or over a local network. To exploit any Google Titan or Yubico security key, an attacker would first need to get their hands on a security key in the first place.
Temporarily stealing and then returning a security key isn't impossible and is not out of the threat model of many of today's government workers or high profile executives, which means this attack can't be entirely ruled out or ignored.
Titan casing is hard to open, leaves marks
However, Lomne and Roche argue that there are other unexpected protections that come with Google Titan keys, in the form of the key's casing.
"The plastic casing is made of two parts which are strongly glued together, and it is not easy to separate them with a knife, cutter or scalpel," the researchers said.
"We used a hot air gun to soften the white plastic,and to be able to easily separate the two casing parts with a scalpel. The procedure is easy toperform and, done carefully, allows to keep the Printed Circuit Board (PCB) safe," the two added.
However, Lomne and Roche also point out that "one part of the casing, soften[ed] due to the application of hot air," and usually permanently deforms, leaving attackers in the position of being unable to put the security key back together once they've obtained the encryption key — unless they come prepared with a 3D-printed casing model to replace the original.
A side-channel attack using electromagnetic radiations
But once the casing has been opened and the attackers have access to the security key's chip, researchers say they can then perform a "side-channel attack."
The term, which is specific to the cyber-security world, describes an attack where threat actors observe a computer system from the outside, record its activity, and then use their observations on how the device activity fluctuates to infer details about what's going on inside.
In this case, for their side-channel attack, the NinjaLab researchers analyzed electromagnetic radiations coming off the chip while processing cryptographic operations.
Researchers said that by studying around 6,000 operations taking place on NXP A7005a microcontroller, the chip used inside Google Titan security keys, they were able to reconstruct the primary ECDSA encryption key used in signing every cryptographic token ever generated on the device.
The good news for Titan and YubiKey owners is that this process usually takes hours to execute, requires expensive gear, and custom software. In addition, one ECDSA key per online service can be recovered with this procedure. The more keys an attacker wants, the more time the attack takes.
Normally, this type of attack would be out of the reach of regular hackers, but security researchers warn that certain threat actors, such as three-letter intelligence agencies, usually have the capabilities to pull this off.
"Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered," Lemne and Roche said.
What's vulnerable?
As for what's vulnerable, the researchers said they tested their attack on the NXP A7005a chip, which is currently used for the following security key models:
- Google Titan Security Key (all versions)
- Yubico Yubikey Neo
- Feitian FIDO NFC USB-A / K9
- Feitian MultiPass FIDO / K13
- Feitian ePass FIDO USB-C / K21
- Feitian FIDO NFC USB-C / K40
In addition, the attack also works on NXP JavaCard chips, usually employed for smartcards, such as J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF.
Contacted via email, Google echoed the research team's findings, namely that this attack is hard to pull off in normal circumstances.
In addition, Google also added that its security keys service is also capable of detecting clones using a server-side feature called FIDO U2F counters, which the NinjaLab team also recommended as a good countermeasure for their attack in their paper. However, the research team also points out that even if counters are used, there is a short time span after the clone has been created when it still could be used.
Nonetheless, as a closing note, the French security researchers also urged users to continue using hardware-based FIDO U2F security keys, such as Titan and YubiKey, despite the findings of their report. Instead, users should take precautions to safeguard devices if they believe they might be targets of interest to advanced threat actors.
Article updated on January 8 to highlight that attacks must be repeated multiple times for each service the key has been synced with.