{Warning}: Many 2FA hardware are vulnerable to attacks

palle11

sr. member

Activity: 2366

Merit: 332

Quote from: Zilon on January 30, 2021, 02:06:15 AM

2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense.

This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked

Using a wallet that you can have all security phrase to yourself is advised. Using exchange address is not advised if you can avoid it and transfer your hodling coins to the coins personal wallet or the wallet compatible with the coin like erc20 or tron , depending on the coin.

Baofeng

legendary

Activity: 2576

Merit: 1655

Quote from: Charles-Tim on January 30, 2021, 07:21:00 AM

Quote from: Baofeng on January 13, 2021, 07:33:36 AM

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them.

Yes, software 2FA can work effectively as long, adding another later of security. But we all know that Sim swap attack are prevalent and that's why exchanges are recommending using a 2FA hardware as well.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Quote from: Baofeng on January 13, 2021, 07:33:36 AM

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

If the software 2fa can work effectively for Bitcoin and other crypto users, I think I better hold on to using the software ones that are totally free. I have the software on a different protected and secure device which makes it work well for me without any malware compromising. If crypto users are using the hardware 2fa, it is a waste of money when the reputed software ones can do the same waork effectively without paying them.

boyptc

hero member

Activity: 3024

Merit: 680

★Bitvest.io★ Play Plinko or Invest!

Quote from: joniboini on January 30, 2021, 03:17:31 AM

For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database:

Quote

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone).

In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage.

Thanks for that summary, it is the first thing to come to my mind as I don't know that code and what is the description of that attack. You saved my time.

Quote from: ?? on ??

People who worry about this vulnerability should worry about $5 wrench attack instead.

Well yeah, better remain low key.

dkbit98

legendary

Activity: 2212

Merit: 7064

Interesting.
I wonder how that is affecting hardware wallets like trezor (they don't have secure element) and ledger (they have ST secure element) who also have option to be used as 2fa hardware.
Secure element chip NXP used in 2FA devices is affected and that means that other 'secure elements' could have similar flaws.

According to my research NXP secure elements are currently used in CoolWalletS and D'CENT hardware wallets:
https://bitcointalksearch.org/topic/secure-element-in-hardware-wallets-5304483

joniboini

legendary

Activity: 2170

Merit: 1789

For those who are too lazy to check the link and see what the attack is about, here's the excerpt from the CVE database:

Quote

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone).

In short, it requires physical access and it will take some time to 'clone' your HW. It's not as if your 2FA suddenly become vulnerable when you store it in a secure storage.

Maxstl007

member

Activity: 210

Merit: 13

2FA authentication may have it's flaw and not 100% secured like some used to say but using 2FA is more safer and secured than not using anything at all, it's why many crypto exchanges compulsory 2FA, you can't make withdraws on some exchanges if you don't active 2FA code first.

Zilon

sr. member

Activity: 966

Merit: 421

Bitcoindata.science

2FA authenticator has saved many accounts from been hacked. I could remember once when my busha wallet was attacked by hackers but for my authenticator my little fund would have been a past tense.

This is applicable to other Crypto wallet so as to secure what we have struggled to acquire and avoid our accounts from been attacked

Baofeng

legendary

Activity: 2576

Merit: 1655

As per this 60 page analysis report from NinjaLab: https://ninjalab.io/a-side-journey-to-titan/, many 2FA hardwares are vulnerable to CVE-2021-3011 attacks.

Quote

List of Impacted Products

   Google Titan Security Key (all versions)
   Yubico Yubikey Neo
   Feitian FIDO NFC USB-A / K9
   Feitian MultiPass FIDO / K13
   Feitian ePass FIDO USB-C / K21
   Feitian FIDO NFC USB-C / K40
   NXP J3D081_M59_DF and variants
   NXP J3A081 and variants
   NXP J2E081_M64 and variants
   NXP J3D145_M59 and variants
   NXP J3D081_M59 and variants
   NXP J3E145_M64 and variants
   NXP J3E081_M64_DF and variants

Further Notes

1. The impacted Yubico Yubikey Neo is an old product no more available for sale. All FIDO U2F Yubico Yubikeys currently available on their webstore are based on a newer secure element from Infineon, and are not impacted by our work to our knowledge.

2. The NXP P5 / SmartMX secure microcontroller family and its associated cryptographic library (up to v2.9) impacted by our work is quite old. Since, NXP has released two new generations of secure microcontroller families, the “NXP P60 / SmartMX2” family and now the “NXP P70 / SmartMX3” family. Both are Common Criteria certified (with recent certification process), and are not impacted by our work to our knowledge.

Of course, there are 2FA softwares like Authy or Google Authenticator, however, I believed that there are crypto users who uses 2FA hardware as well, specially this coming from Binance:

Quote

Using a YubiKey for Two-Factor Authentication (2FA)
Binance
2019-06-27 18:51
A YubiKey is a hardware device that you can use on Binance as a Two-Factor Authentication (2FA) method to enhance your account security. It is used for 【Withdraw & API】,【Log in】,【Reset password】function.

https://www.binance.com/en/support/articles/360029994311

Also, we need to understand that this kind of attacks is very sophisticated and will have to meet several conditions to be successful.

Topic: {Warning}: Many 2FA hardware are vulnerable to attacks (Read 242 times)