|
Title: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: Baofeng on January 13, 2021, 12:33:36 PM As per this 60 page analysis report from NinjaLab: https://ninjalab.io/a-side-journey-to-titan/, many 2FA hardwares are vulnerable to CVE-2021-3011 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011) attacks.
https://i.imgur.com/osNO9PN.png Quote List of Impacted Products Google Titan Security Key (all versions) Yubico Yubikey Neo Feitian FIDO NFC USB-A / K9 Feitian MultiPass FIDO / K13 Feitian ePass FIDO USB-C / K21 Feitian FIDO NFC USB-C / K40 NXP J3D081_M59_DF and variants NXP J3A081 and variants NXP J2E081_M64 and variants NXP J3D145_M59 and variants NXP J3D081_M59 and variants NXP J3E145_M64 and variants NXP J3E081_M64_DF and variants Further Notes 1. The impacted Yubico Yubikey Neo is an old product no more available for sale. All FIDO U2F Yubico Yubikeys currently available on their webstore are based on a newer secure element from Infineon, and are not impacted by our work to our knowledge. 2. The NXP P5 / SmartMX secure microcontroller family and its associated cryptographic library (up to v2.9) impacted by our work is quite old. Since, NXP has released two new generations of secure microcontroller families, the “NXP P60 / SmartMX2” family and now the “NXP P70 / SmartMX3” family. Both are Common Criteria certified (with recent certification process), and are not impacted by our work to our knowledge. Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance: Quote Using a YubiKey for Two-Factor Authentication (2FA) Binance 2019-06-27 18:51 A YubiKey is a hardware device that you can use on Binance as a Two-Factor Authentication (2FA) method to enhance your account security. It is used for 【Withdraw & API】,【Log in】,【Reset password】function. https://www.binance.com/en/support/articles/360029994311 Also, we need to understand that this kind of attacks is very sophisticated and will have to meet several conditions to be successful. Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: Zilon on January 30, 2021, 07:06:15 AM 2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense.
This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: Maxstl007 on January 30, 2021, 07:13:49 AM 2FA authentication may have it's flaw and not 100% secured like some used to say but using 2FA is more safer and secured than not using anything at all, it's why many crypto exchanges compulsory 2FA, you can't make withdraws on some exchanges if you don't active 2FA code first.
Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: joniboini on January 30, 2021, 08:17:31 AM For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database:
Quote An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage. Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: dkbit98 on January 30, 2021, 09:49:53 AM Interesting.
I wonder how that is affecting hardware wallets like trezor (they don't have secure element) and ledger (they have ST secure element) who also have option to be used as 2fa hardware. Secure element chip NXP used in 2FA devices is affected and that means that other 'secure elements' could have similar flaws. According to my research NXP secure elements are currently used in CoolWalletS and D'CENT hardware wallets: https://bitcointalk.org/index.php?topic=5304483.0 Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: boyptc on January 30, 2021, 11:06:31 AM For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database: Thanks for that summary, it is the first thing to come to my mind as I don't know that code and what is the description of that attack. You saved my time.Quote An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage. People who worry about this vulnerability should worry about $5 wrench attack instead. Well yeah, better remain low key.Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: Charles-Tim on January 30, 2021, 12:21:00 PM Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance: If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them. Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: Baofeng on January 30, 2021, 10:04:33 PM Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance: If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them. Yes, software 2FA can work effectively as long, adding another later of security. But we all know that Sim swap attack are prevalent and that's why exchanges are recommending using a 2FA hardware as well. Title: Re: {Warning}: Many 2FA hardware are vulnerable to attacks Post by: palle11 on February 18, 2021, 12:54:03 PM 2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense. This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked Using a wallet that you can have all security phrase to yourself is advised. Using exchange address is not advised if you can avoid it and transfer your hodling coins to the coins personal wallet or the wallet compatible with the coin like erc20 or tron , depending on the coin. |
