Download the Writeup

Illustration made by Romain Flamand


Abstract

The Google Titan Security Key is a FIDO U2F hardware device proposed by Google (available since July 2018) as a two-factor authentication token to sign in to applications (e.g. your Google account). Our work describes a side-channel attack that targets the Google Titan Security Key’s secure element (the NXP A700X chip) by the observation of its local electromagnetic radiations during ECDSA signatures (the core cryptographic operation of the FIDO U2F protocol). In other words, an attacker can create a clone of a legitimate Google Titan Security Key.

To understand the NXP ECDSA implementation, find a vulnerability and design a key-recovery attack, we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard). Freely available on the web, this product looks very much like the NXP A700X chip and uses the same cryptographic library. Rhea, as an open JavaCard platform, gives us more control to study the ECDSA engine.

We could then show that the electromagnetic side-channel signal bears partial information about the ECDSA ephemeral key. The sensitive information is recovered with a non-supervised machine learning method and plugged into a customized lattice-based attack scheme.

Finally, 4000 ECDSA observations were enough to recover the (known) secret key on Rhea and validate our attack process. It was then applied on the Google Titan Security Key with success (this time by using 6000 observations) as we were able to extract the long term ECDSA private key linked to a FIDO U2F account created for the experiment.

Cautionary Note

Two-factor authentication tokens (like FIDO U2F hardware devices) primary goal is to fight phishing attacks. Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills.

Thus, as far as our study goes, it is still safer to use your Google Titan Security Key or other impacted products as FIDO U2F two-factor authentication token to sign in to applications rather than not using one.

Nevertheless, this work shows that the Google Titan Security Key (and other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.

Discovered By

Victor lomné (NinjaLab) and Thomas Roche (NinjaLab).
with the help of Camille Mutschler (NinjaLab) and Dr. Laurent Imbert (LIRMM, CNRS).

List of Impacted Products

  • Google Titan Security Key (all versions)
  • Yubico Yubikey Neo
  • Feitian FIDO NFC USB-A / K9
  • Feitian MultiPass FIDO / K13
  • Feitian ePass FIDO USB-C / K21
  • Feitian FIDO NFC USB-C / K40
  • NXP J3D081_M59_DF and variants
  • NXP J3A081 and variants
  • NXP J2E081_M64 and variants
  • NXP J3D145_M59 and variants
  • NXP J3D081_M59 and variants
  • NXP J3E145_M64 and variants
  • NXP J3E081_M64_DF and variants

Further Notes

1. The impacted Yubico Yubikey Neo is an old product no more available for sale. All FIDO U2F Yubico Yubikeys currently available on their webstore are based on a newer secure element from Infineon, and are not impacted by our work to our knowledge.

2. The NXP P5 / SmartMX secure microcontroller family and its associated cryptographic library (up to v2.9) impacted by our work is quite old. Since, NXP has released two new generations of secure microcontroller families, the “NXP P60 / SmartMX2” family and now the “NXP P70 / SmartMX3” family. Both are Common Criteria certified (with recent certification process), and are not impacted by our work to our knowledge.

CVE

We assigned CVE-2021-3011