Newly discovered flaw makes some YubiKeys vulnerable to cloning


In context: The YubiKey is a hardware security key that simplifies two-factor authentication. Instead of receiving codes via text or an app, users simply tap the YubiKey when logging into accounts, apps, or services that require 2FA. This adds an extra layer of security beyond just a password. However, as researchers have now demonstrated, the device is not infallible.

Researchers have uncovered a cryptographic flaw in the widely adopted YubiKey 5 series. The flaw, known as a side-channel vulnerability, makes the device susceptible to cloning if an attacker gains temporary physical access.

The vulnerability was initially discovered by cybersecurity firm NinjaLab, which reverse-engineered the YubiKey 5 series and devised a cloning attack. They found that all YubiKey models running firmware versions prior to 5.7 are susceptible.

The issue stems from a microcontroller made by Infineon, known as the SLB96xx series TPM. Specifically, the Infineon cryptographic library fails to implement a crucial side-channel defense known as “constant time” during certain mathematical operations. This oversight allows attackers to detect subtle variations in execution times, potentially revealing the device’s secret cryptographic keys. Even more concerning is that this particular chip is used in numerous other authentication devices, such as smartcards.

It’s not all doom and gloom, however. Yubico, the company behind YubiKeys, has already released a firmware update (version 5.7) that replaces the vulnerable Infineon cryptographic library with a custom implementation. The downside is that existing YubiKey 5 devices can’t be updated with this new firmware, leaving all affected keys permanently vulnerable.

That said, existing YubiKey owners don’t need to discard their devices. The attack in question requires significant resources – around $11,000 worth of specialized equipment – and advanced expertise in electrical and cryptographic engineering. It also necessitates knowledge of the targeted accounts and potentially sensitive information such as usernames, PINs, account passwords, or authentication keys.

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company noted in its security advisory.

Fair to say, it’s not something most cybercriminals can pull off. Targeted attacks by nation-states or well-funded groups are still a possibility, though an extremely slim one.

Yubico recommends continuing to use the affected keys, as they’re still safer than relying solely on passwords. However, it’s advisable to monitor for any suspicious authentication activities that could indicate a cloned device.
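One concrete signal for this kind of monitoring, shown as an added example that is not from the article or from Yubico: for accounts that use FIDO2/WebAuthn (an assumption, since the article does not name the protocol), the server can compare the signature counter carried in each login assertion with the last value it stored for that credential. The function names and sample values below are constructed for illustration.

```python
import hashlib
import struct
from typing import Tuple


def parse_sign_count(auth_data: bytes) -> int:
    """Return the 32-bit big-endian signCount from WebAuthn authenticatorData.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(stored: int, auth_data: bytes) -> Tuple[str, int]:
    """Compare the asserted counter with the stored one for this credential.

    Returns (verdict, counter_to_store). Call this only after the assertion
    signature itself has been verified.
    """
    received = parse_sign_count(auth_data)
    if received == 0 and stored == 0:
        # Authenticator does not implement a counter: no clone signal available.
        return "no-counter", stored
    if received > stored:
        return "ok", received
    # Counter did not advance: two devices may be signing with the same key.
    return "possible-clone", stored


def make_auth_data(rp_id: str, sign_count: int) -> bytes:
    """Build constructed sample authenticatorData (flags = user present)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + b"\x01" + struct.pack(">I", sign_count)


if __name__ == "__main__":
    stored = 41  # constructed value: last counter seen for this credential
    for count in (42, 43, 43, 17):
        auth_data = make_auth_data("example.com", count)
        verdict, stored = check_sign_count(stored, auth_data)
        print(f"signCount={count:>3} -> {verdict:<14} stored={stored}")
```

A "possible-clone" verdict is a reason to alert and review the account, not proof: the check only fires once both the original key and a copy have been used against the same service.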

Image credit: Andy Kennedy
