Hardware security keys, such as the Google Titan, have become a cornerstone of enterprise security, adding a much-needed layer of protection on top of the password. But researchers have now shown that it is possible to clone a key -- given physical access to it, a few hours, and thousands of dollars of equipment.
Researchers from security firm NinjaLab have managed to make a clone of a Google Titan 2FA security key. The process makes use of a side-channel vulnerability in the NXP A700X secure element: by measuring the chip's electromagnetic emissions while it produces ECDSA signatures, the researchers were able to recover the key's ECDSA private key and load it into a device of their own.
I'll let you read up on this, but basically the process requires physical access to the key, takes hours, involves destroying the casing to get at the chip, and needs thousands of dollars of equipment, custom software, and a lot of know-how.
Oh, and the attacker also needs the target's account password, because the key is only the second factor.
The idea is that after the cloning process, the original key is put back into a new shell and given back to the rightful owner.
This will, as you might expect, worry organizations that rely on 2FA keys. That said, the amount of access, time, and skill an attacker needs to accomplish this is high. I mean, needing both the key and the password is itself a high hurdle.
On top of that, getting at the key involves trashing the casing of the original. This means that the replacement needs to be convincing, and in my experience keys take on a distinctive battering after very little use.
So, what can you do to mitigate this attack?
- Use strong, unique passwords -- without the first factor, a cloned key is useless.
- Treat your 2FA keys the same way you'd treat your car or house keys -- keep them with you at all times.
- Make your keys distinctive -- I know someone who puts a spot of glittery nail polish on their key, leaves it to dry, and takes a photo of the unique glittery blob.
- If you believe that your key has been compromised, inform your IT department (or, if that's you, remove the offending key from your accounts).
- Relying parties such as Google can detect cloned keys through the FIDO U2F signature counter: the key increments a counter on every authentication and signs it into the response, so a clone whose counter repeats or lags the last value the server recorded gets flagged. Two caveats: this only catches the clone once the counters diverge, i.e. after both the clone and the original have been used, and only if the service actually enforces the check.
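To make the counter check in the last item concrete, here is an added example of what a relying party does with the signature counter. It is not code from Google, NinjaLab, or the FIDO specs, and it only handles the counter logic; the key handle `kh-titan-1`, the `CounterRegistry` class, and the placeholder DER signature are constructed for this example, and verifying the signature against the registered public key is left out. The raw-response layout it parses (one user-presence byte, a 4-byte big-endian counter, then a DER-encoded ECDSA signature) is the U2F authentication response format.

```python
import struct

# Placeholder DER ECDSA signature (a SEQUENCE of two INTEGERs, r = s = 1). Constructed
# for this example so the parser sees a realistic layout; it is not a real signature,
# and signature verification is out of scope here.
PLACEHOLDER_SIG = bytes.fromhex("3006020101020101")


def auth_response(counter: int, user_present: bool = True) -> bytes:
    """Build a U2F raw authentication response (constructed test input):
    1-byte user-presence flag, 4-byte big-endian counter, DER ECDSA signature."""
    return bytes([0x01 if user_present else 0x00]) + struct.pack(">I", counter) + PLACEHOLDER_SIG


def parse_auth_response(raw: bytes):
    """Split a raw authentication response into (user_present, counter, signature)."""
    if len(raw) < 5:
        raise ValueError("authentication response too short")
    user_present = bool(raw[0] & 0x01)
    (counter,) = struct.unpack(">I", raw[1:5])
    return user_present, counter, raw[5:]


class CounterRegistry:
    """Relying-party-side store of the last counter seen per key handle.
    Hypothetical helper for this example, not any vendor's code."""

    def __init__(self):
        self._last = {}

    def check(self, key_handle: str, raw_response: bytes) -> str:
        user_present, counter, _sig = parse_auth_response(raw_response)
        if not user_present:
            return "no-user-presence"
        last = self._last.get(key_handle)
        # A genuine key increments strictly on every use. A repeated or lower value
        # means a second device is signing with the same private key, or a replay.
        if last is not None and counter <= last:
            return "clone-suspected"
        self._last[key_handle] = counter
        return "ok"


def run_scenario(events):
    """events: list of (who, counter) in the order the server sees them.
    Returns the verdict for each authentication attempt."""
    registry = CounterRegistry()
    return [registry.check("kh-titan-1", auth_response(c)) for _who, c in events]


# Scenario 1: the attacker sets the clone's counter above the original's. The clone's
# own logins pass; the owner's next login (counter 8, not above the 9 the server
# recorded) is what trips the check.
BUMPED_CLONE = [("owner", 5), ("owner", 6), ("owner", 7),
                ("clone", 8), ("clone", 9), ("owner", 8)]

# Scenario 2: the clone's counter lags the original's, so its very first use is flagged.
UNBUMPED_CLONE = [("owner", 5), ("owner", 6), ("owner", 7), ("clone", 3)]

if __name__ == "__main__":
    for name, events in (("bumped clone", BUMPED_CLONE), ("unbumped clone", UNBUMPED_CLONE)):
        print(name, run_scenario(events))
```

The scenarios show the limits of the counter as a defence: in the first, the clone authenticates twice without raising anything, and the alarm only goes off when the rightful owner uses the original again, so the account is exposed until then. The check also depends on the server keeping state per credential and acting on a regression; WebAuthn additionally allows authenticators to report a counter of 0, meaning the counter is not implemented, and credentials from such devices get no clone detection at all.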
I expect that this will result in better, more tamper-resistant keys in the future. I use 2FA keys, and I am surprised how little tamper-resistance Google's Titan Bluetooth key has -- the shell snaps off easily to expose the innards.
Inside a Google Titan Bluetooth security key
Still, the ingenuity of this attack should be applauded. It's a very impressive hack.