This key, which was supposed to help with dual-factor authentication, had a reputation for being inviolable.
It is inviolability that has given her this reputation and the success she has enjoyed. Yet two French hackers have managed to prove that it is as vulnerable as any computer hardware.
This article will also interest you: Google's USB stick in support of passwords
As a reminder it must be said that these tools have been on the market for 2 years now. Their basic features are to maximize connections by making it impossible for users to hack. It's a USB-A/NFC key, lined with a second Bluetooth key. If in practice it has long proven that it can be useful to secure the connection, its invulnerable character has unfortunately been broken thanks to the discovery of the French. The problem is that the physical tokens used for authentication can be cloned. This was discovered by Thomas Roche and Victor Lomne, computer security researchers, of NinjaLab, a company based in Montpellier.
The researchers after analyzing the Google key, they felt that similar to other keys of this kind, their use has many advantages for the security of connections and for dual factor authentication. This means is beautiful and of course. But not infallible. For any hacker who gives himself the means, it is clear that he will succeed in finding a security flaw. "The flaw in the Google Titan security key is the NXP chip in its small plastic case, which is much harder to open than it looks, making it impossible to close without damage. Once the key is opened and the chip is accessible, the hacker can carry out a side-channel attack that you will understand can only be implemented if physically accessed to the object. explains the ninja lab researchers.
In order to be able to explore the security flaw, the French researchers had to notice electromagnetic radiation emissions after several analyses. Programs that strongly coincide with the digital signature issued apart from the chip. Using more than 6,000 operations that used the NXP chip references, our two researchers were able to reconstruct the private key through ECDSA encryption. With all the resources at their disposal and then it is possible for them to create their own key.
The operation is difficult to put into practice it should be noted. Whether it is for the extraction of information or the reintegration of the chip, it is to be expected to put at least 4 hours of time. It will then take 6 hours of well-run time to have sufficient information to initiate the hacking of a specific account. To finish what makes things even more difficult, the hacker needs to have access to the key. To separate a user from his Titan key from Google, it is difficult to do so in a fairly natural way, unless the hacker anticipates the progress of the burglary. For a single account, it will take 10 hours of time in total. When you reach both accounts it takes about 16 hours of time and 10pm for 3 accounts to hack. But one thing will be remembered after this analysis of the two French hackers: the key cannot be hacked remotely. On this occasion it is Google who is right.
Now access an unlimited number of passwords: