Should You Worry About Hackers Cloning Your 2FA Hardware Security Keys?

Hardware security keys, such as the Google Titan, have become a cornerstone of enterprise security, adding a much-needed layer of protection on top of the password. But researchers have now shown that it is possible to clone keys -- given the key, a few hours, and thousands of dollars.

Researchers from security firm NinjaLab have managed to make a clone of a Google Titan 2FA security key. The process makes use of a side-channel vulnerability in the NXP A700X chip.


I'll let you read up on this, but basically, the process requires physical access to the key, takes hours, involves trashing the casing to get at the chip, and needs thousands of dollars of equipment, custom software, and a lot of know-how.

Oh, and the attacker also needs the target's account password.

The idea is that after the cloning process, the original key is put back into a new shell and given back to the rightful owner.

This will, as you might expect, be worrying for organizations that rely on 2FA keys. That said, the amount of information and free time an attacker needs to accomplish this is high. I mean, needing both the key and the password is itself a high hurdle.

On top of that, getting at the key involves trashing the casing of the original. This means that the replacement needs to be convincing, and in my experience keys take on a distinctive battering after very little use.

So, what can you do to mitigate this attack?

  • Have strong passwords.
  • Treat your 2FA keys the same way you'd treat your car or house keys -- keep them with you at all times.
  • Make your keys distinctive -- I know someone who puts a spot of glittery nail polish on their key, leaves it to dry, and takes a photo of the unique glittery blob.
  • If you believe that your key has been compromised, inform your IT department (or, if that's you, remove the offending key from your accounts).
  • Google can detect cloned keys using its FIDO U2F counters feature.
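To show how a counter check of the kind mentioned in the last point can work on the server side, here is an added example (not from the original article and not Google's implementation). It assumes the raw U2F authentication response layout of one user-presence byte, a 4-byte big-endian counter, then the signature, and that the signature has already been verified; `CounterStore`, `make_response` and the key handle are hypothetical names, and the counter values are constructed.

```python
import struct


class CounterRegression(Exception):
    """The counter did not advance: two devices may share one key."""


def parse_u2f_counter(response: bytes) -> int:
    # Layout: user-presence byte, 4-byte big-endian counter, signature.
    if len(response) < 5:
        raise ValueError("response too short for presence byte and counter")
    _presence, counter = struct.unpack(">BI", response[:5])
    return counter


class CounterStore:
    """Hypothetical per-credential record of the last counter accepted."""

    def __init__(self):
        self._last = {}

    def check_and_update(self, key_handle: str, response: bytes) -> int:
        counter = parse_u2f_counter(response)
        last = self._last.get(key_handle)
        if last is not None and counter <= last:
            # Keep the stored value so later logins stay flagged too.
            raise CounterRegression(f"{key_handle}: got {counter}, last {last}")
        self._last[key_handle] = counter
        return counter


def make_response(counter: int, signature: bytes = b"\x30\x00") -> bytes:
    # Constructed sample response; the signature bytes are a placeholder.
    return struct.pack(">BI", 1, counter) + signature


def demo():
    # Constructed timeline: the key is copied after its counter reached 42,
    # so the copy and the original both answer 43 on their next use.
    store = CounterStore()
    events = []
    for device, counter in [("genuine", 41), ("genuine", 42),
                            ("clone", 43), ("genuine", 43)]:
        try:
            store.check_and_update("kh-1", make_response(counter))
            events.append((device, counter, "ok"))
        except CounterRegression:
            events.append((device, counter, "flagged"))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The check fires when the second device presents a counter the server has already seen, so a flagged login should be treated as a reason to revoke the credential, whichever device triggered it.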

I expect that this will result in better, more tamper-resistant keys in the future. I use 2FA keys, and I am surprised how little tamper-resistance Google's Titan Bluetooth key has -- the shell snaps off easily to expose the innards.

Still, the ingenuity of this attack should be applauded. It's a very impressive hack.
