Even Google's toughest security tools can't protect from this flaw

Physical security keys from Google could be targeted by hackers looking to break into user devices and steal personal data, new research has found.

Security experts have discovered a vulnerability impacting the hardware included in Google Titan and YubiKey hardware security keys that have become popular with users looking for that extra level of protection.

The flaw appears to expose the encryption keys used to protect a device, leaving it unsecured and open to attack from outside sources.

Unlocked

The findings come from Victor Lomne and Thomas Roche, researchers with Montpellier-based NinjaLab, who examined all versions of Google's Titan Security Key, the Yubico YubiKey Neo, and several Feitian FIDO devices (Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40).

The duo discovered a flaw that could allow hackers to recover the primary encryption key used by the key device to generate cryptographic tokens used in two-factor authentication (2FA) operations.

This could allow threat actors to clone specific Titan, YubiKey, and other keys, meaning hackers could bypass the 2FA procedures that are meant to offer users an extra level of protection.

However, in order for the attack to work, the hacker would need to physically get hold of the security key device, as it will not work over the internet. This could mean that any lost or stolen devices could be temporarily used and cloned, before being returned to the victim.

Once completed, though, the attackers could clone the encryption keys used to protect Google or Yubico devices, allowing them access.

The researchers also noted that the keys themselves offered robust protection against attacks, putting up a strong fight against heat and pressure to resist attempts to break in by hand.

This means that if an attacker was able to steal a key from, say, an office or factory, they would have a hard time returning it in the same condition it began in.

When contacted by ZDNet, Google highlighted this fact, noting that such an attack would be difficult to carry out in "normal circumstances".

Via ZDNet

Date: 10 Jan 2021
