Even Google’s toughest security tools can’t protect from this flaw
Physical security keys from Google could be targeted by hackers looking to break into user devices and steal personal data, new research has found.
Security experts have discovered a vulnerability in the hardware used in Google Titan and YubiKey security keys, which have become popular with users looking for an extra level of protection.
The flaw appears to expose the encryption keys used to protect a device, leaving it unsecured and open to attack from outside sources.
The findings come from Victor Lomne and Thomas Roche, researchers with Montpellier-based NinjaLab, who examined all versions of Google’s Titan Security Key, the Yubico YubiKey Neo, and several Feitian FIDO devices (Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40).
The duo discovered a flaw that could allow hackers to recover the primary encryption key that the device uses to generate the cryptographic tokens for two-factor authentication (2FA) operations.
This could allow threat actors to clone specific Titan, YubiKey, and other keys, meaning hackers could bypass the 2FA procedures that are meant to offer users an extra level of protection.
However, in order for the attack to work, the hacker would need to physically get hold of the security key device, as it will not work over the internet. This could mean that any lost or stolen devices could be temporarily used and cloned, before being returned to the victim.
Once completed, though, the attackers could clone the encryption keys used to protect Google or Yubico devices, allowing them access.
The researchers also noted that the keys themselves offered robust protection against attacks, putting up a strong fight against heat and pressure to resist attempts to break in by hand.
This means that if an attacker was able to steal a key from, say, an office or factory, they would have a hard time returning it in the same condition it began in.
When contacted by ZDNet, Google highlighted this fact, noting that such an attack would be difficult to carry out in “normal circumstances”.