Photo credit: arstechnica.com
Yubico, a prominent provider of hardware tokens, has come under scrutiny due to a cryptographic vulnerability found in its YubiKey 5 model, one of the leading devices used for two-factor authentication adhering to the FIDO standard. Researchers announced on Tuesday that this flaw exposes the device to potential cloning if an attacker can gain temporary physical access.
The vulnerability is categorized as a side channel attack, which leverages weaknesses in hardware implementations. This specific flaw is tied to a microcontroller shared across various authentication devices, not limited to YubiKey models. Other devices that may be affected include smartcards used in banking, electronic passports, and access systems for secure locations. While the researchers have confirmed all YubiKey 5 series models are open to cloning attacks, they have yet to validate whether other devices using similar microcontrollers, such as the SLE78 from Infineon and its successors, are equally vulnerable.
Patching Challenges
Following this revelation, Yubico released an advisory in collaboration with NinjaLab, a security firm that executed a detailed analysis of the YubiKey 5 series and identified the cloning method. The research indicates that any YubiKey operating on firmware before the 5.7 update—launched in May to replace the vulnerable Infineon cryptographic library with a proprietary alternative—is at risk. Unfortunately, existing YubiKeys cannot be updated to the newer firmware, leaving these devices permanently susceptible to attack.
The advisory further explains, “An attacker could exploit this issue as part of a sophisticated, targeted attack to recover affected private keys.” Gaining access requires the attacker to physically hold the device and possess knowledge of the specific accounts aimed for compromise, alongside specialized equipment to perform the attack. Depending on the particular use case, additional credentials such as usernames, PINs, or passwords might be necessary.
Side-channel attacks exploit information that leaks through external clues in a device's physical behavior. In this case, the vulnerability involves timing discrepancies during modular inversion calculations, specifically those used by the Elliptic Curve Digital Signature Algorithm (ECDSA). The Infineon cryptolibrary did not implement a crucial defense against side-channel exploits known as constant-time execution, which ensures that an operation takes the same amount of time regardless of the input keys.
More technically, the flaw resides in Infineon's version of the Extended Euclidean Algorithm, a method used to calculate modular inverses. Researchers were able to observe electromagnetic emissions during the token's authentication process, revealing minute variations in execution time that expose the token's ephemeral ECDSA key (the per-signature nonce); from that, they could extract the permanent ECDSA key that is central to the device's security framework.
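To make concrete why a data-dependent inversion matters, here is an added illustration in Python (not NinjaLab's or Infineon's code): a textbook extended Euclidean inversion whose loop count varies with the nonce, a constant-time alternative using Fermat's little theorem, and the standard ECDSA identity showing that a signature plus its nonce yields the private key. The group order is P-256's; the hash, private key, nonce and r value are constructed sample scalars, and s is computed from the scalar formula alone (no point multiplication).

```python
# Group order of P-256 (the curve YubiKey uses for FIDO credentials).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def eea_inverse(a, m):
    """Extended Euclidean inverse: returns (a^-1 mod m, loop_iterations).

    The number of iterations depends on the value of a. That data
    dependence is the kind of timing/EM signal a side channel observes;
    when a is the ECDSA nonce, the leak is about the nonce itself.
    """
    r0, r1, t0, t1, steps = m, a % m, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    assert r0 == 1, "a is not invertible mod m"
    return t0 % m, steps


def ct_inverse(a, m):
    """Fermat inversion a^(m-2) mod m for prime m.

    The exponent is fixed, so the operation sequence does not depend on a.
    (A real constant-time library must also make the exponentiation
    itself constant-time; Python's pow is only a stand-in here.)
    """
    return pow(a, m - 2, m)


def ecdsa_s(h, d, k, r):
    """Second ECDSA signature component: s = k^-1 (h + r*d) mod N.
    r is normally the x-coordinate of k*G; here it is a constructed scalar."""
    k_inv, _ = eea_inverse(k, N)
    return k_inv * (h + r * d) % N


def recover_private_key(h, r, s, k):
    """Why the nonce must stay secret: with (r, s), h and k known,
    d = (s*k - h) * r^-1 mod N follows by rearranging the signing equation."""
    return (s * k - h) * ct_inverse(r, N) % N


def iteration_spread(nonces):
    """Min and max EEA loop counts over a set of nonces: a non-zero spread
    is the observable, input-dependent behaviour a constant-time
    implementation is meant to eliminate."""
    counts = [eea_inverse(k, N)[1] for k in nonces]
    return min(counts), max(counts)
```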
In a statement, NinjaLab co-founder Thomas Roche elaborated on the implications of this discovery:
“In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon models across any security microcontroller from the manufacturer. This vulnerability is linked to the modular inversion of the ECDSA ephemeral key, specifically within the Infineon Extended Euclidean Algorithm implementation. To our knowledge, this represents the first demonstration of a side-channel vulnerability associated with this algorithm, contrasting traditional binary implementations.” Roche further stated that the attack can be efficiently performed within a relatively short time frame, highlighting the ease of executing such techniques given physical access to the device for mere minutes.
The research also notes that the susceptibility has been present for over 14 years in Infineon’s high-security chips, having undergone numerous evaluations (approximately 80) for various certification standards from 2010 to 2024.
Source: arstechnica.com