A newly discovered side-channel vulnerability leaves YubiKeys, the popular hardware authentication tokens, exposed to cloning attacks. The flaw resides in the cryptographic library of an Infineon microcontroller that is widely used in security devices, including smartcards and electronic passports.
Researchers with the security group NinjaLab have confirmed that all YubiKey 5 series models running the affected firmware are vulnerable, and other devices built on the same microcontroller and library could be affected as well. The attack works by measuring the electromagnetic radiation the chip emits during cryptographic calculations; those measurements reveal sensitive information, including the device's private keys.
Unfortunately, the affected YubiKeys cannot be patched. Yubico, the maker of YubiKeys, has issued a statement acknowledging the vulnerability while clarifying that the attack requires temporary physical access to the device, specialized equipment, and extensive technical expertise. The flaw exists in YubiKeys running firmware prior to version 5.7, which switched to Yubico's own cryptographic library and is not vulnerable to this attack. For older devices, however, the vulnerability is permanent, because their firmware cannot be updated.
The technical root of the problem lies in the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) in Infineon's cryptographic library. The attack exploits the fact that the library's modular inversion, a step in every ECDSA signature, does not run in constant time: how long it takes depends on the secret value being inverted.
In other words, the problem comes from how the YubiKey performs certain calculations during the login process. Those calculations don't always take the same amount of time, and the variation gives away clues about the secret information inside the key. An attacker with the right equipment, such as an electromagnetic probe and an oscilloscope (a device that measures electrical signals), can capture these tiny differences and use them to recover the secret keys the YubiKey protects.
Once they have that information, they can make a copy of the YubiKey and use it as if they were the real owner.
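To make the timing leak concrete, here is an added example, written for this summary and not taken from Infineon's library, Yubico's firmware, or NinjaLab's research. It puts a textbook extended-Euclidean modular inversion beside an inversion whose operation count is fixed, and counts the loop iterations each one needs to invert an ECDSA nonce. The iteration count stands in for what an attacker actually measures (the length of an electromagnetic trace). The modulus is the real order of the NIST P-256 group; the nonces, the hypothetical private key `d`, and the `r` value passed to `ecdsa_s_component` are constructed inputs, and the curve arithmetic that produces `r` is left out because it is not the point. Python big integers are not themselves constant-time, so the fixed-count version shows the shape of a hardened inversion rather than a production implementation.

```python
# Added example: why a variable-time modular inversion leaks the ECDSA nonce,
# and what a fixed-operation-count inversion looks like instead.
# Not code from Infineon, Yubico or NinjaLab; all inputs below are constructed.

# Order n of the NIST P-256 group (a prime), the modulus used for ECDSA nonces.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inv_euclid(a, n):
    """Extended Euclidean inversion: returns (a^-1 mod n, loop iterations).

    The number of iterations depends on the value being inverted, so the
    running time (and the EM trace) of a device executing this reveals
    information about `a`. When `a` is an ECDSA nonce, that is fatal.
    """
    r0, r1 = n, a % n
    t0, t1 = 0, 1
    steps = 0
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("value is not invertible modulo n")
    return t0 % n, steps


def inv_fermat_fixed(a, n):
    """Inversion as a^(n-2) mod n (valid because n is prime) with a fixed
    schedule: one squaring and one multiplication per exponent bit, and a
    branch-free select instead of an `if`. Returns (a^-1 mod n, steps).
    The step count is always n.bit_length(), independent of `a`.
    """
    exp = n - 2
    base = a % n
    result = 1
    steps = 0
    for bit in range(n.bit_length() - 1, -1, -1):
        result = (result * result) % n
        candidate = (result * base) % n
        mask = -((exp >> bit) & 1)            # 0 if bit clear, -1 if bit set
        result = (candidate & mask) | (result & ~mask)
        steps += 1
    return result, steps


def ecdsa_s_component(k, r, h, d, n=P256_N, invert=inv_fermat_fixed):
    """s = k^-1 * (h + r*d) mod n, the step in ECDSA signing that inverts the
    nonce k. `r` (x-coordinate of k*G mod n) is supplied by the caller here
    instead of being computed, to keep the focus on the inversion."""
    k_inv, _ = invert(k, n)
    return (k_inv * (h + r * d)) % n


def trace_lengths(nonces, invert, n=P256_N):
    """Operation count per nonce: a proxy for the length of the EM trace an
    attacker would capture while the device inverts each nonce."""
    return [invert(k, n)[1] for k in nonces]


if __name__ == "__main__":
    # Constructed nonces; the small ones make the difference easy to see.
    nonces = [1, 2, 0x1234_5678, P256_N - 1, 0xDEADBEEF_CAFEBABE_0123_4567_89AB_CDEF]
    print("Euclid iterations per nonce :", trace_lengths(nonces, inv_euclid))
    print("Fixed-schedule steps        :", trace_lengths(nonces, inv_fermat_fixed))
    # Both inversions agree, so the fixed-schedule one is a drop-in replacement.
    for k in nonces:
        assert inv_euclid(k, P256_N)[0] == inv_fermat_fixed(k, P256_N)[0]
```

Running the script prints a different Euclid iteration count for each nonce while the fixed-schedule inversion always reports 256, which is the property the newer firmware's library needs: the same work, in the same order, regardless of the secret. The branch-free select matters as much as the fixed loop, since an `if` on a key bit would reintroduce a data-dependent path that EM measurement can distinguish.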
This attack is highly sophisticated and expensive, requiring roughly $11,000 worth of equipment and deep cryptographic expertise. It is unlikely to be undertaken by everyday fraudsters, but it is within reach of nation-state actors and similarly well-funded adversaries. Even then, physical access to the key and additional information, such as the victim's username and password, are required for a successful attack, which reduces the likelihood of widespread exploitation.
Source: Ars Technica
September 4, 2024 – by Cass Kennedy and Alex Perala