Google Titan 2FA keys are vulnerable to side channel attacks
Source: HW Upgrade added 12th Jan 2021
Google Titan two-factor authentication hardware keys can be circumvented with a sophisticated attack, which also works against Yubico and Feitian keys that use the same chip
by Alberto Falchi, published on 12 January 2021 at 15:51 in the Security channel
Several times on Edge9 we have stressed the importance of securing access to systems through two-factor authentication (2FA), which adds a further layer of protection: even if an attacker manages to guess or steal the password, they cannot get into the system without the OTP (One Time Password) code generated by an app or, better still, by a hardware key. Hardware keys are on paper one of the most effective protection methods, but NinjaLab researchers have recently found a vulnerability in the NXP A700X chip used by Google Titan keys, as well as by keys from manufacturers such as Yubico (YubiKey) and Feitian.
Vulnerable 2FA keys: to breach the protection you need to get hold of the device
NinjaLab researchers have published research showing a potential vulnerability in Google Titan 2FA keys. Fortunately, the attack is quite complicated to carry out and, very importantly, requires physical possession of the USB key. This should let those who rely on these authentication methods sleep more peacefully: as long as the key is in their hands, they can consider themselves safe.
The attack is objectively hard to pull off: the attacker would have to steal the key, possess specialist technical skills and invest a non-negligible amount, approximately 12,000 EUR in equipment. Not only that: they would then have to return the key to its owner, without the owner noticing, after having "cloned" it. An extremely complex scenario, in short, and certainly not within the reach of a novice attacker. Precisely for this reason the NinjaLab researchers do not want to spread panic, stating that these devices remain reasonably safe.
How to carry out a side channel attack on the 2FA keys
The procedure described by NinjaLab for cloning a Google Titan authentication key requires being in possession of the key and opening it with a mix of hot air and thin tools to pry apart the edges of the casing (much like disassembling a recent smartphone), so as to gain physical access to the A700X chip, the secure element on which the cryptographic keys are stored.
Once probes were placed on the hardware, the researchers were able to mount a side-channel attack by observing the electromagnetic emissions of the chip while it performs signature operations. The attack takes a long time: roughly 4 hours to disassemble and reassemble the key, plus about 6 hours of signal processing per account to extract the private key of each individual credential stored on the device. In short, it is particularly hard to do all of this without the victim noticing; a victim who realises the key is missing can (and should) immediately revoke it as an authentication method before anyone can do damage.
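The article does not describe it, but the standard relying-party defence against exactly this outcome (a second device holding the same private key) is the FIDO signature counter: every assertion carries a monotonically increasing counter, and a counter that goes backwards or repeats means two devices are signing with the same credential. The following is an added example, written for this page and not code from NinjaLab, Google or any FIDO library; the authenticator and relying party are constructed stand-ins, and an HMAC replaces the ECDSA signature only so the script runs with the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a U2F/FIDO2 authenticator. A real key signs with
# ECDSA using the private key the NinjaLab attack extracts; here an HMAC over
# the same fields plays that role so the example needs no third-party package.
@dataclass
class Authenticator:
    secret: bytes          # shared by original and clone once the key is extracted
    counter: int = 0       # per-device signature counter, NOT copied by the attack

    def sign(self, challenge: bytes):
        self.counter += 1
        msg = self.counter.to_bytes(4, "big") + challenge
        return self.counter, hmac.new(self.secret, msg, hashlib.sha256).digest()

    def clone(self):
        # The clone holds the same secret but its counter evolves independently.
        return Authenticator(self.secret, self.counter)


@dataclass
class RelyingParty:
    # cred_id -> [verification key, last counter seen]. A real RP stores the
    # credential's public key; the symmetric secret is a simplification here.
    credentials: dict = field(default_factory=dict)

    def register(self, cred_id: str, secret: bytes):
        self.credentials[cred_id] = [secret, 0]

    def verify(self, cred_id: str, challenge: bytes, counter: int, sig: bytes) -> str:
        secret, last = self.credentials[cred_id]
        expected = hmac.new(secret, counter.to_bytes(4, "big") + challenge,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if counter <= last:
            # Same credential signing with a stale counter: a clone exists.
            # Reject the login and alert, do not silently accept.
            return "counter-regressed"
        self.credentials[cred_id][1] = counter
        return "ok"


def run_scenario(attacker_first: bool):
    """Three legitimate logins, then the key is cloned, then one login from
    each device. Returns the verification result of every assertion."""
    secret = b"\x11" * 32                    # constructed key material
    key = Authenticator(secret)
    rp = RelyingParty()
    rp.register("titan-cred", secret)
    results = []
    for i in range(3):
        ch = hashlib.sha256(b"challenge-%d" % i).digest()
        results.append(rp.verify("titan-cred", ch, *key.sign(ch)))
    clone = key.clone()                       # attacker's copy, counter == 3
    order = (clone, key) if attacker_first else (key, clone)
    for dev in order:
        ch = hashlib.sha256(b"challenge-after-clone").digest()
        results.append(rp.verify("titan-cred", ch, *dev.sign(ch)))
    return results


if __name__ == "__main__":
    print(run_scenario(attacker_first=False))  # last entry: counter-regressed
    print(run_scenario(attacker_first=True))
```

Whichever device is used first after the cloning wins the next counter value; the other one then regresses and is rejected. When the attacker logs in first, it is the victim's own next login that trips the check, which is still the signal the relying party needs to invalidate the credential and investigate. The check only works if the relying party actually stores and compares the counter, which not every WebAuthn deployment does.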
This is also why Google decided not to pay out a reward through the Google Vulnerability Reward Program, the programme that rewards researchers who identify vulnerabilities in the company's products: after all, these devices are meant to defend against phishing and credential theft, and if the hardware itself is stolen the account is already at risk under that threat model.
This does not mean, however, that the problem should be underestimated. "Ordinary" users can sleep soundly, but those who use Google Titan keys to protect sensitive material (political dissidents, journalists, lawyers and other high-risk targets) would do well to consider switching to hardware that is not based on the A700X chip, which is also used by Yubico and Feitian. Although the attack has not been demonstrated on those keys as well, they are unlikely to be immune, since they are built on the same chip.