To prevent their employees from being phished, Google introduced the Titan security key which they then released to the public. This is a USB dongle that authenticates the user whenever it’s plugged into the computer. It sounds like a pretty useful security tool, but it turns out that even such devices are not completely invulnerable to attacks.
According to a report published on Ninjalab, it seems that Google’s Titan key is actually vulnerable to cloning attacks. This is due to the use of the NXP A700X chipset, which is also used in other popular authentication keys, in which it was found that through a side-channel attack, it could be cloned and have the data from it extracted.
Based on that, the attacker could then create a clone key and use that data to make computers think it is the real deal. However, before you throw away your security key, do note that this particular hack isn’t exactly easy or cheap to pull off. First of all, it will require your login credentials, physical access to the key to disassemble it, hours of work, and also thousands of dollars in equipment to try and reverse engineer it.
This means that it can’t be pulled off by just anyone, and even then it would not be a cheap endeavor, so unless you’re someone of importance whose laptop and accounts contain very valuable information, there’s a good chance you won’t be targeted by it. That being said, it is still a flaw that should be addressed, and one that we hope that companies like Google and NXP will look into.