In January, two French security researchers, Victor Lomne and Thomas Roche, published an impressive 55-page report. It describes a successful electromagnetic (EM) side-channel attack on Google's Titan security key, in which they succeeded in extracting the ECDSA private key.
The Titan security key is a FIDO U2F compliant key also known as Google authenticator. It is functionally similar to YubiKeys. Its purpose is to serve as a physical token for two-factor authentication (2FA).
Mounting side-channel attacks on secure components such as smart cards is “common.” It usually assumes that the attacker has samples to analyze and can store arbitrary known secrets in them. This knowledge provides reference points during the attack: once the attack is fine-tuned on the samples with a known secret, it becomes possible to extract the target's secret. Unfortunately, this assumption does not hold in this specific use case. When registering, the token generates its own ECDSA key pair, and the private key never leaves the token. This is why such tokens cannot be backed up. Thus, it is possible to purchase Titan tokens, but not to feed them an arbitrary key pair. The researchers used an interesting methodology to overcome this issue.
They first identified the secure component used by Titan: after removing the plastic cover, they identified an NXP A7005. They found that some JavaCards have characteristics similar to the NXP A7005, so they used JavaCards built on NXP P5x chips.
Using a 500 µm coil and micromanipulators with 10 µm precision, they measured the EM signature of the ECDSA signing operation on both the Titan and the JavaCard. Comparing the two EM signatures confirmed that both used the same implementation. They therefore concentrated their effort on the JavaCard to design the exploit. They reverse-engineered the implementation, using the EM traces to infer the calculations, discovered a sensitive leakage, and could mount a complex side-channel attack. The document details the complexity of the attack. With 4,000 sampled signatures, amounting to 2 TB of data, they succeeded in extracting the key they had fed to the smart card.
Then they mounted the same attack on the Titan chip, increasing the number of samples to 6,000 (3 TB of data). They succeeded in extracting the private key.
How devastating is this attack?
- The specialized equipment costs about 10K€ (about $12K), and the required skill set is high. On the Common Criteria (CC) scale, the attack has a rating of 27, corresponding to attackers with moderate attack potential. The affected chips are old and are no longer covered by CC certificates.
- The attacker must have the Titan key for several hours to collect the 6,000 samples. It is not possible to clone it.
- The attack requires opening the plastic casing, an operation that seems destructive. For stealthiness, the attacker must be able to repackage the chip in a legitimate-looking case.
- The attacker must return the “borrowed” recased key to its legitimate owner. Otherwise, the owner may notice the loss and block access.
- This attack affects not only the Titan token but a long list of components.
Thus, we may forecast that such an attack would be effective only against very high-profile targets.
The attack is an impressive piece of work. Reading the document gives an overview of the problems a side-channel attack must solve. It is extremely interesting.
Diversity of implementation across different products is a costly but secure option.
Continue to use your 2FA tokens; doing so is more secure than not using them. If you lose your 2FA token, switch your accounts to a new one as soon as possible (which you should do anyway, independently of this attack).
Use 2FA tokens as much as possible.
Lomne, Victor, and Thomas Roche. “A Side Journey to Titan.” NinjaLab, January 7, 2021. https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf.