Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

by Dan Goodin, from Ars Technica - All content (#5CJCR)

There's wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn't change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target's account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning, were it ever to happen in the wild, would likely be done only by a nation-state pursuing its highest-value targets.

"Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it," researchers from security firm NinjaLab wrote in a research paper published Thursday. "Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."
