Other hardware keys from companies like Feitian and Yubico that use the same chip may also be vulnerable to this attack. That includes the popular but discontinued Yubikey Neo. NXP and Yubico are both aware of the security researchers' claims, according to statements provided to Ars Technica, and neither disputes the details of the vulnerability.

The full list of affected devices noted by the researchers is just below:

Google Titan Security Key (all versions).

Security standards at many venues consider a loss of physical access to constitute an immediate loss of security anyway, and two-factor keys can be easily revoked, assuming you know you've lost possession of them. However, the window for this attack is short enough that it could happen before you're aware the key has been taken and replaced. Importantly, though, the U2F standard also means this sort of attack should only work for a short period. That's because the key exchange also includes a reference to the number of times a key has been used with a service, and the two keys eventually won't match. Venues that follow U2F standards will then lock out both keys when they observe a discrepancy, and Google tells Ars that it does follow those standards.

Google reportedly doesn't even offer a bug bounty for physical attacks like this - though that policy is stated for its Google Play program, other programs this would seem to fall under don't mention it. It remains to be seen how Google or NXP plan on addressing this issue in the long-term - both when it comes to addressing keys already in the wild and mitigating or circumventing attack vectors in the future.
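The usage-counter check the article describes is the relying party's defence against a cloned key: a U2F authentication response carries a 4-byte big-endian counter after the user-presence byte, and a server that stores the last value it saw can lock the credential the moment a response fails to advance past it. The following is an added example written for this page, not code from the article, Google, NXP or Yubico; it models only the counter (real keys also return a signature over the challenge, which is omitted), and the key handle, class names and the `run_clone_scenario` walkthrough are constructed for illustration. It shows why the attack works only for a short window: the first use of a clone is indistinguishable from the genuine key, but the next use of whichever key is behind produces a stale counter and both are locked out.

```python
import struct
from dataclasses import dataclass, field


class CloneDetected(Exception):
    """Raised when a counter fails to advance, the U2F/WebAuthn cloning signal."""


@dataclass
class SimulatedAuthenticator:
    """Stand-in for a U2F key (constructed for this example). Real keys also
    sign the challenge; only the user-presence byte and counter are modelled."""
    key_handle: bytes
    counter: int = 0

    def authenticate(self) -> bytes:
        self.counter += 1
        # U2F authentication response layout: 1 byte user presence, then a
        # 4-byte big-endian use counter (signature omitted in this model)
        return b"\x01" + struct.pack(">I", self.counter)


@dataclass
class RelyingParty:
    """Server-side state: last-seen counter per key handle and a lock list."""
    last_counter: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def verify(self, key_handle: bytes, response: bytes) -> int:
        if key_handle in self.locked:
            raise CloneDetected("credential locked after earlier counter discrepancy")
        if not response[0] & 0x01:
            raise ValueError("user presence not asserted")
        counter = struct.unpack(">I", response[1:5])[0]
        previous = self.last_counter.get(key_handle, 0)
        # WebAuthn rule: once either value is nonzero, a counter that does not
        # strictly increase indicates a second authenticator sharing the key
        if (previous or counter) and counter <= previous:
            self.locked.add(key_handle)
            raise CloneDetected(f"counter {counter} did not advance past {previous}")
        self.last_counter[key_handle] = counter
        return counter


def run_clone_scenario() -> dict:
    """Walk through genuine use, a clone's first login, and the lockout."""
    handle = b"constructed-key-handle"
    genuine = SimulatedAuthenticator(handle)
    rp = RelyingParty()
    rp.verify(handle, genuine.authenticate())  # counter 1
    rp.verify(handle, genuine.authenticate())  # counter 2

    # A clone shares the secret and the counter value at extraction time,
    # but from here on the two counters move independently
    clone = SimulatedAuthenticator(handle, counter=genuine.counter)

    # The window: the clone's first login advances to 3 and is accepted
    clone_counter = rp.verify(handle, clone.authenticate())

    # The genuine key used next also presents 3, so the discrepancy is caught
    try:
        rp.verify(handle, genuine.authenticate())
        detected = False
    except CloneDetected:
        detected = True

    # Once locked, the clone is refused as well
    try:
        rp.verify(handle, clone.authenticate())
        clone_refused = False
    except CloneDetected:
        clone_refused = True

    return {
        "clone_accepted_at_counter": clone_counter,
        "detected": detected,
        "clone_refused_after_lock": clone_refused,
        "locked": handle in rp.locked,
    }


if __name__ == "__main__":
    print(run_clone_scenario())
```

The check only helps a service that actually persists and compares the counter; a relying party that ignores it never observes the divergence, which is why the article stresses that venues must follow the U2F standard for the lockout to happen.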