YubiKey Risk of Side-Channel Attacks

YubiKey Vulnerability: Risk of Side-Channel Attacks

Introduction

One of the highest security hardware tools widely used for two-factor authentication (2FA), YubiKeys has a cryptographic vulnerability. Now, security expert Thomas Roche the head of research for NinjaLab who warned about these threats at SAS earlier this year and briefly alluded to them here last month (PDF) has published a passel of papers on how side-channel attacks could be more successful carried out against Yubikey 5 Series devices or similar keys that use raw elliptic-curve signatures, along with shared-code space benefits/risks discovered during those explorations among so many other things. Such a vulnerability is most severe when an intruder has physical access to the device.

How YubiKeys Work and Why They're Trusted

Yubikeys, developed by Yubico is a security key used for MFA in large-scale deployment of an application or infrastructure. Adding an extra layer of security by forcing anyone trying to access your accounts to need both a password and access to the physical key. It is extremely hard for the attacker to counter Yubikeys, which is based on ECDSA and FIDO standard that provides very secure online account protection against phishing or other similar attacks.

The EUCLEAK Side-Channel Vulnerability

The now notorious vulnerability in the cryptographic library used by Infineon Technologies was spotted for the first time after 14 years, and this finding is coming from researchers of NinjaLab. This attack, known as EUCLEAK allows adversaries to clone Yubikey devices. Side-channel attacks exploit the physical behaviour of a system and extract sensitive data like cryptographic keys. The difficult execution process and high cost (€11,000) don’t make this attack easy to pull off but the vulnerability is still present in these flashed devices.

Advertisement Know Tech News

Affected YubiKey Devices and Versions

Yubico, in a public advisory, confirmed that the affected devices are running with older firmware. These include:

  • YubiKey 5 Series before version 5.7
  • YubiKey 5 FIPS Series before version 5.7
  • YubiKey Bio Series before version 5.7.2
  • YubiHSM 2 before version 2.4.0

The newer version of the firmware upgrades some affected devices to Yubico’s library instead of Infineon’s cryptographic library. Affected devices can not be updated to solve this in the field, though.

Difficulty of Exploiting the YubiKey Vulnerability

Despite the severity of this flaw, exploiting it is complex. It takes physical possession of the Yubikey, information about the target account, and some very advanced technical work to pull off. Account setup will determine if a PIN code, username and password are also required. Also, an EUCLEAK attack depends on specialized hardware for its implementation, which not all adversaries can have access to.

Advertisement Know Tech News

Conclusion

When it comes to phishing and threats in the digital sphere Yubikey devices are still proven defence despite their vulnerability. Although the attack is complex, owners of impacted devices are not recommended to switch to newer models. The Authenticator app by Yubico can help them identify the firmware they are running on their device and what mitigations to take. There may be isolated incidents of people for whom this flaw is a dealbreaker, but I suspect that the overwhelming majority will decide to buy/use Yubikey.

FAQs

A side-channel attack is a type of cyber-attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical breakthroughs.

The affected devices are the YubiKey 5 Series, YubiKey 5 FIPS Series, and earlier models of the YubiHSM 2 (with firmware versions up to Applet Loader version D3).

You can use the Yubico Authenticator app to check the model and firmware version of your YubiKey device.

No These will need to be upgraded with the newest releases that includes fixes for this issue.

Exploiting this vulnerability to clone a YubiKey would require some specialized equipment, physical access to the device and for someone with reasonable relevant technical knowledge in part making it quite an difficult attack vector against.

Loading

0
Would love your thoughts, please comment.x
()
x