Yes, Google’s Security Key Is Hackable

Here is an article by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4

Ever since Google told the world that none of its 85,000 employees had been successfully hacked (https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/) since they started implementing Security Keys, like Yubico’s YubiKey (https://www.yubico.com/products/yubikey-hardware/), I’ve been contacted by friends and the media about my thoughts.

Apparently as the author and presenter of the 12 Ways to Hack 2FA (https://www.brighttalk.com/webcast/14421/326691/twelve-ways-to-defeat-two-factor-authentication) and an author of a similar CSO column (https://www.csoonline.com/article/3272425/authentication/11-ways-to-hack-2fa.html), I’m purported to be an authority on it. I’m not, but I did recently stay at a Holiday Inn.

Never one to be a wallflower, I’ve given my opinion and limited expertise over and over. I had to repeat it enough that I decided to write an article about it so I can just point future requests to a link.

MFA and Google Are Awesome

First and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. We need to replace as many one-factor authentication (1FA) and/or simple password authentication scenarios as we can, wherever and whenever we can. I’m saying it right here: MFA is awesome!

Google is awesome in so many ways, not the least of which is their incredible push to better secure more web sites, using more default HTTPS and trying to fix our digital authentication mess as examples, but also in switching all their users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. Yubico’s YubiKey is awesome. What’s not to love about any company or person trying to improve computer security?

Now that we’ve got the obligatory “I’m not insane” moment out of the way, I’m just as correct to say that there is no doubt in my mind that Google’s Security Key MFA device can be hacked. Just because it hasn’t or didn’t (not sure how you ultimately prove that of course) get hacked, doesn’t mean it can’t be hacked. Apple computers and devices didn’t get hacked until they became super popular, and now they are. Same thing here.

There is not an authentication solution made that cannot be hacked. That includes what Google has. It includes whatever we come up with in the future. It includes all known biometrics. It includes everything in the computer security world. If a vendor or person tells you they have something that is unhackable, run! They are either lying or don’t know what they are talking about. Either way, they are not the sources of authority you should be listening to.

Yes, Google Security Keys Can Be Hacked

Critics of mine are probably saying if Google has gone over a year without any of their 85,000 employees getting hacked, how can I say that they are hackable with any degree of expertise, certainty, or personal dignity?

Start by watching my Hacking 2FA video or read the CSO column (listed above). Or just watch my friend, co-worker, and world’s best-known hacker, Kevin Mitnick, blow past a popular 2FA solution (https://www.youtube.com/watch?v=xaOX8DS-Cto) using social engineering and some common hacking methods like the 2FA token isn’t even there.

After Kevin first posted his video, people said that his method wouldn’t work on Google, and so he goes around demonstrating breaking Google’s software-based 2FA solution, Google Authenticator, for giggles. Repeat after me: any authentication solution is hackable. Some are just easier than others.

Read the full article at the source.

Source: LONGEVITY

