Before letting you in on the development of what is actually causing this threat let us clear up what is the purpose of the Googles’ Titan Security Key in case you don’t know.
The Google Titans Security Key is a pair of small USB devices that provide security to your account with its two factor authentication to your accounts. The Key provides you with security and prevents your Google account from phishing or your account getting hacked. The key has a cryptographic proof that ensures that you are connected with the service with which the key is registered and let that company know that you still have access to your accounts. It basically like a password to your Google Accounts which keeps them secured.
Coming back to the point, the key has basically two sources of entry commonly called “side channel vulnerability” through which the hackers can have access to your key. The first side channel vulnerability is in the chip that powers the 2FA Key but to get through the chip the hacker needs to have an access to the login credentials of the user, need to fully disassemble the key which will take them at least hours of work and around thousands of dollars of resources to reverse the cryptographic code and even the hacker gets all this done it will eventually get spoiled under the U2F standards. So much to say, we believe the key is of secured from the hacker if he tries cloning from this way.
The second most possible way to get access into our key for the hacker is through NXP A700X chip in the security keys. This chip manages your security and ensures its under your possession. The chip is not directly under threat but there is always a loophole. It came into observation that if the researchers repeatedly used the key they can observe radio emissions from the secure element to find the private key details inside it, after this the attacker can make a hardcopy of the key. However, the U2F protocol should make this act impossible because it will also require thousands of dollars of equipment and hours of work to deconstruct the key but it still does not mean that the key is out of threat.
If you lost your key and immediately found out about the missing device, your key can be revoked. However, a number of times before the users realize that the key is missing, it might have been taken and replaced because the window attack is so small. However, the U2F makes sure that this attack is only for a short period of time. That is because the key exchange includes the exact number of how many times the key has been used with the service and when the number of the original key and the cloned key do not match, the U2F standards lock both the keys realizing something is wrong.
This is not the first time some flaw has emerged from one of Google’s product, but no device ever made is perfect and problems in devices is inevitable. However, it is good to see that Google is taking steps to always ensure the privacy of its customers.
Image Credits: Veanne Cao/TechCrunch