Google's physical security keys could be attacked by hackers looking to break into users' devices and steal personal data, new research shows. Security experts have discovered a vulnerability affecting hardware included in the Google Titan and YubiKey hardware security keys, which have become popular with users looking for that extra level of protection. The flaw appears to expose the encryption keys used to protect a device, leaving it insecure and open to attacks from outside sources.
Unlocked
The results come from Victor Lomne and Thomas Roche, researchers at NinjaLab in Montpellier, who examined all versions of Google's Titan security key, the Yubico Yubikey Neo, and various Feitian FIDO devices (Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO/K13, Feitian ePass FIDO USB-C/K21 and Feitian FIDO NFC USB-C/K40) The duo have discovered a flaw that could allow hackers to recover the master encryption key used by the key device to generate tokens cryptographic used in two-factor authentication (2FA) operations. This could allow threat actors to clone Titan, YubiKey, and other specific keys, meaning hackers could bypass 2FA procedures that are supposed to offer users an extra level of protection. However, for the attack to work, the hacker will need to physically obtain the security key device, as it will not work on the Internet. This could mean that any lost or stolen device could be used and temporarily cloned, before being returned to the victim. However, once complete, attackers could clone the encryption keys used to protect Google or Yubico devices, allowing them access. The researchers also noted that the keys themselves offered solid protection against hacking, putting up a strong fight against heat and pressure to resist burglary attempts. This means that if an attacker could steal a key from an office or factory, for example, he would have a hard time returning it to the same state it started in. Contacted by ZDNet, Google emphasized this fact, emphasizing that such an attack would be difficult to carry out under "normal circumstances." Via ZDNet