Uh oh, Google's Titan physical security key can be cloned

The complexity of the hack means risk is likely limited to high-value targets. That's worrying for dissidents and journalists.

Researchers at security firm NinjaLab have identified a side-channel vulnerability in the secure-element chip inside Google's Titan security key that makes it possible to extract the key's cryptographic secret and clone it, opening up the possibility that an attacker could gain covert access to a victim's online accounts without the victim ever knowing.

Nothing is airtight — Two-factor authentication (2FA) security keys like Titan are considered the strongest widely available form of account security. With one in use, signing in to an account requires the username, the password, and physical possession of the hardware key. That stops an attacker who has found your credentials in a breach dump, or stolen them through phishing, from getting in.

This new vulnerability doesn't change that, because a hacker needs access to the physical key, but it shows that if a bad actor did manage to get ahold of your 2FA key, there are certain methods they could use to clone it. Then, so long as they also have your login credentials, they would be able to gain access to whichever accounts you've protected with it. If they were able to surreptitiously return the original key to you, you'd be none the wiser and open to persistent attacks.

The danger here is that people using 2FA keys might assume that as long as they have their key, their accounts are 100 percent bulletproof.

Caveats abound — Before even cloning your key, a bad actor would need to know the credentials for one of your accounts. Then they need to somehow wrest the key from you, and use a hot air gun and scalpel to remove the key casing before extricating the chip that holds the cryptographic secrets protecting your accounts. After that, they would need expensive lab equipment wired to the exposed chip to record its electromagnetic emanations while it performs thousands of sign-in operations; analysing those recordings is what yields the secret. And even after that they would need to reseal the key so that you wouldn't be alerted to something being awry.

All of this would take hours, according to the researchers, so the victim would need to be distracted for a long time. We're envisioning the cut scenes in a spy movie already.

Sufficiently motivated — The research is impressive, and highlights that no form of security is completely airtight. The aftermath of the murder of Jamal Khashoggi, and Russia's ongoing propensity to poison people, show that some nation-states will go to great lengths to target those who speak out against them. It's really not science fiction to think that this hack could be used on somebody.

Thankfully there's already a way to mitigate the issue. The FIDO U2F and WebAuthn protocols underlying Titan and similar keys include a signature counter: the key increments it on every authentication and reports the value to the service it is signing in to. A service that records the last value it saw can spot trouble, because a genuine key and a clone of it keep separate counters; as soon as one of them reports a value that is not higher than the service's record, the service knows two devices are sharing the same secret and can alert the user or lock the account. Google says Titan supports this counter. Two caveats: the check only helps if the service actually stores and compares the value, and it detects a clone only once both devices have been used, so the attacker's first sign-in with the clone would go through.
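The following is an added illustration of that service-side counter check, not code from NinjaLab, Google, or the FIDO specifications. It models a key and the service's verifier with the U2F response layout (one user-presence byte, a 4-byte big-endian counter, then the signature), but uses an HMAC in place of the real ECDSA-P256 signature so it runs on the Python standard library alone; the relying-party name is hypothetical, and the sample sign-ins are constructed.

```python
"""Service-side signature-counter check for a FIDO U2F / WebAuthn style key.

Added example. The signature is an HMAC stand-in for the ECDSA-P256 signature a
real key produces; the counter handling is the part being demonstrated.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


@dataclass
class Authenticator:
    """A hardware key: a per-device secret and a monotonically increasing counter."""
    secret: bytes      # stands in for the ECDSA private key the attack recovers
    counter: int = 0

    def _signed_data(self, app_id: bytes, user_presence: bytes,
                     counter_bytes: bytes, challenge: bytes) -> bytes:
        # U2F signs sha256(app_id) || UP byte || counter || sha256(client data)
        return (hashlib.sha256(app_id).digest() + user_presence
                + counter_bytes + hashlib.sha256(challenge).digest())

    def authenticate(self, app_id: bytes, challenge: bytes) -> bytes:
        self.counter += 1
        user_presence = b"\x01"
        counter_bytes = struct.pack(">I", self.counter)   # 4-byte big-endian
        data = self._signed_data(app_id, user_presence, counter_bytes, challenge)
        signature = hmac.new(self.secret, data, hashlib.sha256).digest()
        return user_presence + counter_bytes + signature

    def clone(self) -> "Authenticator":
        """What an attacker who recovered the secret can build: same key, own counter."""
        return Authenticator(self.secret, self.counter)


@dataclass
class RelyingParty:
    """The service. Stores, per credential, the key material and the last counter seen."""
    app_id: bytes
    registered: dict = field(default_factory=dict)

    def register(self, cred_id: str, key: Authenticator) -> None:
        # A real service stores the public key; the HMAC stand-in needs the shared secret.
        self.registered[cred_id] = {"key": key.secret, "last_counter": 0}

    def verify(self, cred_id: str, challenge: bytes, response: bytes) -> str:
        rec = self.registered[cred_id]
        user_presence, counter_bytes, signature = response[:1], response[1:5], response[5:]
        counter = struct.unpack(">I", counter_bytes)[0]
        expected = hmac.new(rec["key"], Authenticator(rec["key"])._signed_data(
            self.app_id, user_presence, counter_bytes, challenge), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return "reject: bad signature"
        if user_presence != b"\x01":
            return "reject: user presence not asserted"
        # Counter rule (WebAuthn 6.1.1): zero on both sides means the key has no counter;
        # otherwise the reported value must be strictly greater than the stored one.
        if (counter != 0 or rec["last_counter"] != 0) and counter <= rec["last_counter"]:
            return "reject: counter did not increase (possible clone)"
        rec["last_counter"] = counter
        return "ok"


def scenario_clone_used_first() -> list:
    """Victim signs in, attacker's clone signs in, victim signs in again (constructed)."""
    rp = RelyingParty(b"https://accounts.example")          # hypothetical service
    victim_key = Authenticator(os.urandom(32))
    rp.register("cred-1", victim_key)
    results = []
    c = os.urandom(32)
    results.append(rp.verify("cred-1", c, victim_key.authenticate(rp.app_id, c)))
    clone = victim_key.clone()          # attacker's copy, built after the side-channel attack
    c = os.urandom(32)
    results.append(rp.verify("cred-1", c, clone.authenticate(rp.app_id, c)))   # goes through
    c = os.urandom(32)
    results.append(rp.verify("cred-1", c, victim_key.authenticate(rp.app_id, c)))  # flagged
    return results


def scenario_replay() -> list:
    """The same captured response submitted twice: the counter catches it."""
    rp = RelyingParty(b"https://accounts.example")
    key = Authenticator(os.urandom(32))
    rp.register("cred-1", key)
    c = os.urandom(32)
    response = key.authenticate(rp.app_id, c)
    return [rp.verify("cred-1", c, response), rp.verify("cred-1", c, response)]


if __name__ == "__main__":
    print(scenario_clone_used_first())
    print(scenario_replay())
```

The first scenario is the caveat from the text made concrete: the clone's own sign-in is accepted, and the alarm only fires on the genuine key's next use, when its counter is no longer ahead of what the service last recorded. A service that never stores `last_counter` would accept every one of these sign-ins.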

No technology is 100 percent safe from attack, but attackers always consider the return-on-investment. Most of us, unfortunately (or fortunately, depending on how you want to look at it), are not interesting enough to be worth the effort required for this type of sophisticated attack. Which is to say, 2FA keys are still very good at keeping you safe, and definitely better than not using them at all.