Google discloses vulnerability in Chrome OS 'built-in security key' feature

Google is urging Chromebook users to update devices to fix a critical vulnerability in an experimental Chrome OS feature that handles two-factor authentication procedures.


The vulnerability impacts the Chrome OS feature known as the "built-in security key." The feature lets users treat a Chromebook as if it were a hardware-based USB/NFC/Bluetooth security key.


The feature can be used when registering or logging into a website. Users press the Chromebook power button, which sends a cryptographic token to the website, much as a classic hardware key would. The difference is that the user is using their Chromebook as proof of ownership and identity, instead of a small USB, NFC, or Bluetooth-based key.


Vulnerability found in H1 chip firmware


But earlier this year, Google engineers discovered a vulnerability in the firmware of H1 chips, which perform the cryptographic operations behind the "built-in security key" feature.


Google found that the chip's firmware was mishandling some operations, and accidentally cutting the length of some cryptographic signatures, making them easier to break. Google's technical explanation is below:


We discovered a vulnerability in the H1 security chip firmware concerning ECDSA signature generation. The firmware code used incompatible transfer instructions when passing a critical secret value to the cryptographic hardware block, resulting in generating secret values of a specific structure and having a significant loss of entropy in the secret value (64 bits instead of 256 bits). We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying
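Why a weak per-signature secret is so damaging comes straight from the ECDSA equations. The example below is an added illustration, not Google's code or the H1 firmware: it signs a constructed challenge over NIST P-256 with a nonce that has only 64 bits of entropy and shows that whoever learns that nonce recovers the long-term private key from a single signature. It does not model the specific structure of the flawed H1 secret values; it simply treats the nonce as known.

```python
# Added example (not Google's code): ECDSA over NIST P-256 in pure Python, to
# show why the per-signature secret k needs full entropy. If k is known (the H1
# bug left it with 64 bits of entropy instead of 256), one signature reveals d.
import hashlib
import secrets

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine add/double; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3 on P-256
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    """ECDSA (r, s) for msg under private scalar d using nonce k."""
    r = _mul(k, G)[0] % N
    return r, (_hash(msg) + r * d) * pow(k, -1, N) % N

def recover_key(msg, sig, k):
    """s = k^-1 (z + r d) mod N, so knowing k gives d = (s k - z) r^-1."""
    r, s = sig
    return (s * k - _hash(msg)) * pow(r, -1, N) % N

def demo():
    d = secrets.randbelow(N - 1) + 1        # constructed signing key
    k = secrets.randbits(64) | 1            # nonce with only 64 bits of entropy
    msg = b"constructed WebAuthn challenge"
    return recover_key(msg, sign(d, msg, k), k) == d
```

The fix on the defender's side is structural rather than clever: the nonce must carry the full 256 bits of entropy (or be derived deterministically per RFC 6979), which is exactly the property the firmware update restores.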