The attack requires the attacker to have physical access to the victim’s Titan Key, hours of time, and side-channel setup equipment worth €10,000 ($12,000 – £9,000).
Most of you may have heard about the benefits two-factor authentication (2FA) offers. Many of you may even be using it, receiving a one-time code via SMS or email when signing into various websites.
However, a less commonly used form of 2FA relies on a physical security key, which makes the authentication step more robust and less vulnerable to attacks such as SIM swapping.
Now, NinjaLab researchers have devised a method to bypass Google's Titan Key, a physical 2FA key, by cloning it.
The attacker must first know the victim's password and then have access to the key itself for about 10 hours. A skilled actor also needs equipment worth around $12,000 and special software to carry out the attack.
Explaining the technical details, the researchers state in their report [PDF] that:
The plastic casing [on the Titan key] is made of two parts which are strongly glued together, and it is not easy to separate them with a knife, cutter or scalpel. We used a hot air gun to soften the white plastic, and to be able to easily separate the two casing parts with a scalpel.
The NXP A700X chip, which "acts as the secure element, storing cryptographic secrets and performing cryptographic operations", is then analyzed so that the attack can be carried out against it.
The whole process is nonetheless cumbersome, which is why the attacker needs access to the Titan key for a minimum of 10 hours.
At the same time, it is important to realize that such an attack would take an enormous amount of work to execute, as the required budget alone makes clear.
We therefore would not expect individuals to exploit this; large black-hat groups and state-backed attackers are more likely to do so.
Since the vulnerability (CVE-2021-3011) centers on physical possession of the device, Google did not give the researchers any reward, as it does not fall within the scope of their bug bounty program.
To conclude, this does not make physical keys any more dangerous to use than digital methods, and those of you who use Google's Titan key or any similar device should continue to do so. The one important precaution is to avoid handing your key to anyone else, even for a short period of time.