{Warning}: Many 2FA hardware are vulnerable to attacks

[Baofeng]

As per this 60 page analysis report from NinjaLab: https://ninjalab.io/a-side-journey-to-titan/, many 2FA hardwares are vulnerable to CVE-2021-3011 attacks.

List of Impacted Products

    Google Titan Security Key (all versions)
    Yubico Yubikey Neo
    Feitian FIDO NFC USB-A / K9
    Feitian MultiPass FIDO / K13
    Feitian ePass FIDO USB-C / K21
    Feitian FIDO NFC USB-C / K40
    NXP J3D081_M59_DF and variants
    NXP J3A081 and variants
    NXP J2E081_M64 and variants
    NXP J3D145_M59 and variants
    NXP J3D081_M59 and variants
    NXP J3E145_M64 and variants
    NXP J3E081_M64_DF and variants

Further Notes

1. The impacted Yubico Yubikey Neo is an old product no more available for sale. All FIDO U2F Yubico Yubikeys currently available on their webstore are based on a newer secure element from Infineon, and are not impacted by our work to our knowledge.

2. The NXP P5 / SmartMX secure microcontroller family and its associated cryptographic library (up to v2.9) impacted by our work is quite old. Since, NXP has released two new generations of secure microcontroller families, the “NXP P60 / SmartMX2” family and now the “NXP P70 / SmartMX3” family. Both are Common Criteria certified (with recent certification process), and are not impacted by our work to our knowledge.

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

Using a YubiKey for Two-Factor Authentication (2FA)
Binance
2019-06-27 18:51
A YubiKey is a hardware device that you can use on Binance as a Two-Factor Authentication (2FA) method to enhance your account security. It is used for 【Withdraw & API】,【Log in】,【Reset password】function.

https://www.binance.com/en/support/articles/360029994311

Also, we need to understand that this kind of attacks is very sophisticated and will have to meet several conditions to be successful.

[1715087329]

1715087329

[1715087329]

1715087329

[1715087329]

1715087329

[1715087329]

1715087329

[Zilon]

2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense.

This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked

[Maxstl007]

2FA authentication may have it's flaw and not 100% secured like some used to say but using 2FA is more safer and secured than not using anything at all, it's why many crypto exchanges compulsory 2FA, you can't make withdraws on some exchanges if you don't active 2FA code first.

[joniboini]

For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database:

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone).

In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage.

[dkbit98]

Interesting.
I wonder how that is affecting hardware wallets like trezor (they don't have secure element) and ledger (they have ST secure element) who also have option to be used as 2fa hardware.
Secure element chip NXP used in 2FA devices is affected and that means that other 'secure elements' could have similar flaws.

According to my research NXP secure elements are currently used in CoolWalletS and D'CENT hardware wallets:
https://bitcointalk.org/index.php?topic=5304483.0

[boyptc]

For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database:

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone).

In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage.

Thanks for that summary, it is the first thing to come to my mind as I don't know that code and what is the description of that attack. You saved my time.

People who worry about this vulnerability should worry about $5 wrench attack instead.

Well yeah, better remain low key.

[Charles-Tim]

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them.

[Baofeng]

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them.

Yes, software 2FA can work effectively as long, adding another later of security. But we all know that Sim swap attack are prevalent and that's why exchanges are recommending using a 2FA hardware as well.

[palle11]

2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense.

This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked

Using a wallet that you can have all security phrase to yourself is advised. Using exchange address is not advised if you can avoid it and transfer your hodling coins to the coins personal wallet or the wallet compatible with the coin like erc20 or tron , depending on the coin.