It’s Possible to Clone YubiKeys Thanks to a Newly Discovered Vulnerability


Security researchers have discovered a vulnerability in the YubiKey 5 that would allow a dedicated and resourceful hacker to clone the device. As first spotted by Ars Technica, the vulnerability stems from a cryptographic flaw, a side channel, in the devices' microcontroller.

Millions of people use YubiKeys as part of a multi-factor authentication system to keep sensitive accounts locked down. The pitch is that someone trying to get into your bank account or corporate servers would need physical access to the key to get inside. A password is relatively easy to phish, but a physical device like a YubiKey makes entry almost impossible.

YubiKeys are FIDO hardware, meaning they use a standardized cryptographic system called the Elliptic Curve Digital Signature Algorithm (ECDSA). NinjaLab dug into the key's ECDSA implementation, reverse-engineered part of its cryptographic library, and designed a side-channel attack against it.

The new vulnerability makes cloning possible, provided the attacker has a lot of time, brains, and cash. Yubico disclosed the vulnerability on its website alongside a detailed report from security researchers at NinjaLab.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” Yubico explained on its site. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.”

According to NinjaLab, the vulnerability impacts all YubiKey 5s using firmware 5.7 or below as well as “all Infineon security microcontrollers that run the Infineon cryptographic security library.” NinjaLab tore down a key, hooked it up to an oscilloscope, and measured the tiny fluctuations in the electromagnetic radiation put out by the key while it was authenticating.

So anyone looking to get access to something protected by one of these keys would need to access it, tear it down, and use sophisticated knowledge and equipment to clone the key. Then, assuming they don’t want to be discovered, they’d have to put the original key back together and return it to the owner.

“Note that the cost of this setup is about [$10,000],” NinjaLab said. Using a fancier oscilloscope could push the cost of the whole operation up an additional $30,000.

NinjaLab noted that this vulnerability might extend to other systems using the same microcontroller as the YubiKey 5, but it hadn’t tested them yet. “These security microcontrollers are present in a vast variety of secure systems—often relying on ECDSA—like electronic passports and crypto-currency hardware wallets but also smart cars or homes,” it said. “However, we did not check (yet) that the EUCLEAK attack applies to any of these products.”

NinjaLab stressed repeatedly in its research that exploiting this vulnerability takes extraordinary resources. “Thus, as far as the work presented here goes, it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one,” it said.
