Google is urging Chrome OS users to update their devices as soon as possible because of a critical vulnerability, identified earlier this year, in the experimental built-in security key feature used for two-factor authentication. Google has now published details of the flaw.
The built-in security key lets a Chromebook stand in for a USB, NFC or Bluetooth security key, for example when registering with or signing in to a website. The user simply presses the power button, and the device sends a signed cryptographic assertion to the site, just as a classic hardware key would.
In other words, the owner of the Chromebook uses the Chrome OS device itself, rather than a separate USB, NFC or Bluetooth token, to authenticate and to prove possession of the second factor.
Early this year, developers found a bug in the firmware of the H1 chip, which performs the cryptographic operations behind the built-in security key. Because of the bug, the random per-signature value (the ECDSA nonce) used when producing some signatures was shorter than it should have been, which makes the signing key far easier to recover. An attacker who obtained a couple of signatures together with the data they signed (Chrome OS devices and websites exchange exactly that during registration and login) could therefore recover the private key and impersonate the user's security key without ever touching the Chrome OS device.
“Typically, this data is transmitted over HTTPS connections, which reduces the risk of large-scale attacks. However, signatures are not considered confidential in the U2F protocol, which means that we can assume that they can be found and extracted from various places,” the experts warn.
Despite the severity of the problem, Google engineers say there is no reason to panic. Even after collecting signatures and recovering the private key needed to produce new ones, an attacker has defeated only the second factor of a classic two-factor login; they still need the user's password to get into the account. Google also judges that, even given this weakness in the built-in key's U2F implementation, most attackers lack the technical skill to carry out such an attack.
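Why a short nonce hands over the key follows directly from the ECDSA signing equation: a signature is (r, s) with r = x(kG) mod n and s = k^-1 (h + r d) mod n, where k is the per-signature nonce, h the hash of the signed data and d the private key. Everything but k and d is public, so once k can be guessed, d = r^-1 (s k - h) mod n falls out of a single signature, and the attacker can then sign fresh challenges that the site will accept. Against a realistically sized but still too short nonce the practical route is a lattice attack over a few signatures, which is why "a couple of signatures" are mentioned above; the example below, added here and not Google's or Chromium's code, instead shrinks the nonce to a toy width (NONCE_BITS, an assumption) so that a plain brute-force search over every possible k finishes in seconds. It uses a pure-Python implementation of NIST P-256, the curve U2F uses; the challenge string is constructed for the demo.

```python
# Added example (not Google's or Chromium's code): what a truncated ECDSA nonce
# gives an attacker who holds nothing but public data.  Pure-Python P-256 (the
# curve U2F uses); NONCE_BITS is a toy width (assumption) so the search is quick.
import hashlib
import secrets

# NIST P-256 domain parameters (standard values)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

NONCE_BITS = 16  # width of the (buggy) nonce modelled here; real bug differed


def _inv(x, m):
    return pow(x % m, -1, m)  # modular inverse, Python 3.8+


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P   # doubling
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P           # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg, nonce_bits):
    """ECDSA signing whose nonce has only nonce_bits bits (the defect modelled).
    A correct implementation draws k uniformly from [1, N-1]."""
    h = _hash(msg)
    while True:
        k = secrets.randbits(nonce_bits)
        if k == 0:
            continue
        r = ec_mul(k, G)[0] % N
        s = _inv(k, N) * (h + r * priv) % N
        if r and s:
            return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    pt = ec_add(ec_mul(_hash(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(pub, msg, sig, nonce_bits):
    """Attacker side: only the public key, the signed data and one signature.
    Walk every possible nonce k (one point addition per step keeps kG current);
    when x(kG) mod N matches r, the signing equation gives d = r^-1 (s k - h)."""
    r, s = sig
    h = _hash(msg)
    r_inv = _inv(r, N)
    kg = None
    for k in range(1, 1 << nonce_bits):
        kg = ec_add(kg, G)                  # kg == k * G
        if kg[0] % N == r:
            d = (s * k - h) * r_inv % N
            if ec_mul(d, G) == pub:         # confirm against the registered key
                return d
    return None


def demo(nonce_bits=NONCE_BITS):
    """Victim registers a key and signs one challenge; the attacker recovers the
    key from public data alone and forges an assertion for a new challenge."""
    priv = secrets.randbelow(N - 1) + 1
    pub = ec_mul(priv, G)
    challenge = b"constructed U2F challenge: site.example / counter 42"  # made up
    sig = sign(priv, challenge, nonce_bits)
    recovered = recover_private_key(pub, challenge, sig, nonce_bits)
    login = b"attacker's login attempt"
    forged_ok = recovered is not None and verify(pub, login, sign(recovered, login, 256))
    return priv, recovered, forged_ok


if __name__ == "__main__":
    priv, recovered, forged_ok = demo()
    print("key recovered:", priv == recovered, "| forged assertion verifies:", forged_ok)
```

The search cost is 2^NONCE_BITS point additions, so every bit the firmware dropped from the nonce halves the attacker's work; nothing in the attack needs the device, the user's password or a TLS break, only material the site already had to see.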
Recommendations:
Users are strongly encouraged to update Chrome OS to version 75 or later and then obtain and install the hotfix for the H1 firmware.
H1 firmware versions 0.3.14 and earlier are considered vulnerable; 0.3.15 and later contain the fix. The installed version is shown on the chrome://system page in the cr50_version line (the RW field is the one that matters). Because signatures already produced by a vulnerable firmware may have exposed the keys of existing credentials, installing the update is not enough on its own: after updating, unregister the built-in security key from every site it was registered with, and register it again if you want to keep using it.
Google maintains a list of the devices affected by this vulnerability.