Multi-factor authentication (MFA) is one of the easiest ways to combat spear phishing and account takeover, but it’s not perfect.

In a report published this week, security researchers from NinjaLab successfully cloned a Google Titan security key and exposed a vulnerability affecting the NXP P5x cryptographic chipset used by numerous other security keys.

Launched in 2018, Google’s Titan security key is an MFA hardware device used to physically verify the identity of the user. The keys are commonly used in place of less secure MFA methods such as confirmation codes sent to the user’s phone via text message or email.

From the time of its launch, NinjaLab researchers had suspected the keys may be vulnerable to certain kinds of side-channel attacks. For those that aren’t familiar, side-channel measurements and attacks take advantage of the electromagnetic radiation coming off electronic devices during normal operation to identify patterns and glean useful information.

By observing the electromagnetic radiation during ECDSA signatures, NinjaLab was able to successfully execute a side-channel attack on the key’s secure element, an NXP A700X chip, enabling researchers to clone the key.

NinjaLab notes that this chipset is used in a wide variety of MFA security keys, which are likely affected, with NXP Product Security Response Teams on the record as confirming that all “NXP ECC Crypto Library up to version 2.9 on P5 and A7x products” are vulnerable to the attack.

While it is possible to clone a Google Titan Security or similar key using the NXP P5x chipset, that doesn’t mean it’s easy or even practical. In fact, the process detailed in NinjaLab’s report reads like something out of a Mission Impossible movie. The attack would begin with a simple social engineering attack, likely a phishing email, to obtain the target’s username and password.