A cryptographic flaw in YubiKey 5 Series devices running firmware versions prior to 5.7, named “Eucleak,” was recently identified by security expert Thomas Roche of NinjaLab. This vulnerability allows threat actors to potentially clone the devices and compromise FIDO credentials.

Description

The vulnerability exploits a flaw in the Infineon microcontroller’s cryptographic library, making the devices susceptible to side-channel attacks. Yubico issued an advisory about the flaw and collaborated with NinjaLab to release an 88-page report detailing the attack. While the flaw is unpatchable and firmware updates are not possible, it is considered challenging to exploit due to the requirement of physical possession of the device and specialized equipment. Despite this vulnerability [1] [2] [3] [4] [6], FIDO-compliant keys remain one of the most secure authentication methods [1], as they necessitate physical access and knowledge of user passwords for compromise [1].

Conclusion

Yubico has addressed the vulnerability by implementing a patch to mitigate the attack threat. The company has also replaced the cryptographic library in newer firmware versions and suggested mitigation techniques like transitioning to RSA keys and enhancing access control [5]. The responsible disclosure of the vulnerability underscores the importance of continuously testing the security of secure elements, raising concerns about the security of FIDO-compliant keys and other devices utilizing vulnerable Infineon secure modules [1]. Moving forward, it is crucial for users to exercise due diligence when installing software on their devices and maintain control of their YubiKeys to ensure added security when logging into applications.

References

[1] https://www.wired.com/story/yubikey-vulnerability-cloning/
[2] https://www.scmagazine.com/news/yubikey-5-devices-open-to-cloning-via-side-channel-attacks
[3] https://www.infosecurity-magazine.com/news/researcher-vulnerability-yubikeys/
[4] https://www.helpnetsecurity.com/2024/09/04/yubico-security-keys-vulnerability/
[5] https://www.biometricupdate.com/202409/side-channel-vulnerability-found-in-legacy-yubikey-firmware
[6] https://www.engadget.com/cybersecurity/yubikey-vulnerability-will-let-attackers-clone-the-authentication-device-143049198.html