Google engineers recommend that Chrome OS users update their devices as soon as possible because of a critical vulnerability, identified earlier this year, in the experimental built-in security key feature used for two-factor authentication.
The built-in security key feature lets Chromebook owners use their device in place of a USB, NFC or Bluetooth security dongle, for example when registering for or logging in to a site. The user simply presses the power button, and the device sends a cryptographic token to the site in the same way a classic hardware key would. In other words, the Chrome OS device itself, rather than a small USB, NFC or Bluetooth key, serves as the proof of possession.
At the beginning of this year, developers discovered a vulnerability in the firmware of the H1 chips that perform the cryptographic operations behind the built-in security key feature. Because of the bug, the length of some cryptographic signatures was accidentally truncated, which made them far easier to break. As a result, an attacker holding a couple of signatures together with the signed data (Chrome OS devices and sites exchange these during registration or login) could forge the user's security key without ever having access to the Chrome OS device.
Experts emphasize that this data is normally transmitted over HTTPS connections, which reduces the risk of large-scale attacks. However, signatures are not treated as confidential in the U2F protocol, so it must be assumed that they can be found in and extracted from various places.
Despite the severity of the problem, Google engineers say there is no reason to panic. Even after obtaining signatures and the private key needed to create further signatures, an attacker has compromised only the second factor of classical two-factor authentication and still needs the user's password to break into the account. Experts also believe that, even given this U2F weakness, most attackers simply lack the technical skills to carry out such attacks.
Users are now encouraged to upgrade Chrome OS to version 75 or later, and then obtain and install a patch for the H1 firmware. Firmware version 0.3.14 and earlier is considered vulnerable, while version 0.3.15 and higher is already safe. You can find the H1 firmware version on the chrome://system page in the cr50_version line (specifically the RW value). After installing the updates, you need to unregister the built-in security key on all sites where it was used. The list of devices affected by this vulnerability can be found here.
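The check described in the paragraph above, as an added example that is not Google's tooling: it parses the RW firmware version out of a cr50_version dump and the Chrome OS milestone out of /etc/lsb-release, compares them numerically against 0.3.15 and 75, and reports what still needs doing. The input formats and the sample texts are assumptions constructed for the example; adjust the regexes if your chrome://system output differs.

```python
import re
from typing import Optional, Tuple

FIXED_RW = (0, 3, 15)   # first H1 firmware version the article calls safe
MIN_MILESTONE = 75      # Chrome OS release that must be installed first

# Tolerates "RW 0.3.14", "RW_FW_VER=0.3.14" or "RW: 0.3.14"; skips "RW 0xde88..." key ids
_RW_RE = re.compile(r"\bRW\D{0,20}?(\d+)\.(\d+)\.(\d+)")
_MILESTONE_RE = re.compile(r"^CHROMEOS_RELEASE_CHROME_MILESTONE=(\d+)", re.M)


def parse_rw_version(cr50_text: str) -> Optional[Tuple[int, int, int]]:
    """Return the RW firmware version as an int tuple, or None if not present."""
    m = _RW_RE.search(cr50_text)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_milestone(lsb_text: str) -> Optional[int]:
    """Return the Chrome OS milestone from lsb-release text, or None."""
    m = _MILESTONE_RE.search(lsb_text)
    return int(m.group(1)) if m else None


def assess(cr50_text: str, lsb_text: str) -> dict:
    """List the remaining steps; missing data is reported, never assumed safe.
    Tuples compare numerically, so 0.3.7 is correctly older than 0.3.15."""
    rw, milestone = parse_rw_version(cr50_text), parse_milestone(lsb_text)
    actions = []
    if milestone is None:
        actions.append("milestone_unknown")
    elif milestone < MIN_MILESTONE:
        actions.append("update_os")
    if rw is None:
        actions.append("firmware_version_unknown")
    elif rw < FIXED_RW:
        actions.append("update_firmware")
    # Note: after updating, the key must still be unregistered on each site (see text).
    return {"rw_version": rw, "milestone": milestone, "actions": actions or ["ok"]}


# Constructed sample inputs (not real device output)
VULN_CR50 = "keyids: RO 0xaa66150f, RW 0xde88588d\nCurrent versions:\nRO 0.0.10\nRW 0.3.14\n"
FIXED_CR50 = "Current versions:\nRO 0.0.10\nRW 0.3.15\n"
OLD_LSB = "CHROMEOS_RELEASE_CHROME_MILESTONE=74\nCHROMEOS_RELEASE_BOARD=sample\n"
NEW_LSB = "CHROMEOS_RELEASE_CHROME_MILESTONE=75\n"

if __name__ == "__main__":
    print(assess(VULN_CR50, OLD_LSB))
    print(assess(FIXED_CR50, NEW_LSB))
```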