New attack variant allows hackers to clone Google Titan security keys

Cybersecurity specialists reported the finding of a severe vulnerability in the chips installed in the Google Titan and YubiKey security keys. The flaw would allow malicious hackers to obtain the primary encryption keys these devices use to generate authentication tokens and solve multi-factor authentication challenges, or, in other words, to clone the security keys.

Although the flaw, tracked as CVE-2021-3011, sounds serious, the experts who discovered it report that it is not really such a severe problem. The first obstacle for potential threat actors is that the attack requires physical access to the device, so it cannot be carried out remotely. However, users of these devices should not dismiss the possibility of attack, as similar techniques have proven successful in the past.

Moreover, experts report that the housings of these devices are very hard to tamper with, as it is very difficult to open the devices without damaging their internal components: “These safety keys are composed of two pieces of plastic tightly attached to each other; it’s not easy to release them with a knife or some other artifact.” The following are the affected device models:

  • Google Titan Security Key (all versions)
  • Yubico Yubikey Neo
  • Feitian FIDO NFC USB-A / K9
  • Feitian MultiPass FIDO / K13
  • Feitian ePass FIDO USB-C / K21
  • Feitian FIDO NFC USB-C / K40

In their report, the experts mention using a hot air gun to soften the plastic and remove the printed circuit board (PCB) without damaging it. However, it was impossible to reassemble the key without the tampering being noticeable, as the heat deformed the plastic.


Finally, specialists note that the hardware and software tools required for this attack are expensive and sophisticated, further complicating a possible attack.

While these attacks are beyond the reach of common hackers, it is entirely feasible for investigative agencies to carry out a campaign based on this attack: “Users who feel exposed to these attacks can change their security keys or resort to other devices,” the experts add.