Cybersecurity specialists have reported a severe vulnerability in the chips installed in Google Titan and YubiKey security keys. The reported vulnerability would allow malicious hackers to obtain the primary encryption keys these devices use to generate encryption tokens and solve multi-factor authentication challenges; in other words, to clone the security keys.
Although the flaw, tracked as CVE-2021-3011, sounds serious, the experts who discovered it report that it is not really such a severe problem. The first problem for potential threat actors is that this attack requires physical access to the device, making it impossible to compromise remotely. However, users of these devices should not dismiss the possibility of attack as similar techniques have proven successful in the past.
On the other hand, experts report that the housings of these devices are virtually tamper-proof, as it is very difficult to open them without damaging their internal components: “These safety keys are composed of two pieces of plastic tightly attached to each other; it’s not easy to release them with a knife or some other artifact.” The following device models are affected:
- Google Titan Security Key (all versions)
- Yubico YubiKey Neo
- Feitian FIDO NFC USB-A / K9
- Feitian MultiPass FIDO / K13
- Feitian ePass FIDO USB-C / K21
- Feitian FIDO NFC USB-C / K40
In their report, the experts mention using a hot air gun to soften the plastic and remove the printed circuit board (PCB) without damaging it. However, it was impossible to reassemble the key without leaving visible signs of tampering, as the heat deformed the plastic.
Finally, specialists mention that the hardware and software tools required for this hack are really expensive and sophisticated, further complicating a possible attack.
While these attacks are beyond the reach of common hackers, it is entirely feasible for investigative agencies to carry out a campaign based on this attack: “Users who feel exposed to these attacks can change their security keys or resort to other devices,” the experts add.