Google experts revealed details of the vulnerability in Chrome OS related to the built-in security key function

Details of vulnerability in Chrome OS
Written by Brendan Smith

Google engineers recommend that Chrome OS users upgrade their devices as soon as possible due to a critical vulnerability identified earlier this year in the experimental built-in security key feature related to two-factor authentication procedures. Specialists have revealed details of this vulnerability in Chrome OS.

The built-in security key allows Chromebook users to use their devices as USB/NFC/Bluetooth dongles.

For example, this function can be used when registering or entering the site. To do this, users of a Chromebook just need to press the power button, which will send a cryptographic token to the site, similar to the way in which classic hardware keys do it.

In fact, the owner of the Chromebook uses not a small key based on USB, NFC or Bluetooth, but Chrome OS device itself for identification and as proof of ownership.

Read also: Google recommends updating Chrome due to vulnerability in Blink engine

At the beginning of this year, developers discovered a vulnerability in the firmware of H1 chips, which are used for cryptographic operations related to the built-in security key function. As it turned out, due to the bug, the length of some cryptographic signatures was accidentally cut, which greatly facilitated their hacking. As a result, cybercriminals who had a couple of signatures and signed data (Chrome OS devices and sites exchanged them during registration or login to the account) could fake user’s security key even without access to the Chrome OS device.

“Typically, this data is transmitted over HTTPS connections, which reduces the risk of large-scale attacks. However, signatures are not considered confidential in the U2F protocols, which means that we can assume that they can be found and extracted from various places”, – experts warn.

Despite the severity of the problem, Google engineers say there is no reason to panic. Indeed, even after receiving signatures and a private key for creating other signatures, attackers will violate only the second factor in the process of classical two-factor authentication. They will still need to find out the user password for hacking accounts. Experts believe that even taking into account the weakness of U2F, most attackers simply do not have the technical skills to implement such attacks.


Users are strongly encouraged to upgrade Chrome OS to version 75 or later, and then obtain and install the hotfix for the H1 firmware.

Vulnerable are considered firmware versions 0.3.14 and earlier, while version 0.3.15 and higher are already safe. You can find out the H1 firmware version on the chrome://system page in the cr50_version line (or rather RW). After installing the updates, you need to unregister using the built-in security key on all sites.

The list of devices threatened by this vulnerability can be found here.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

Leave a Reply