Hacker News: Yubikeys are vulnerable to cloning attacks thanks to side channel

Source URL: https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Source: Hacker News

Summary: The text discusses a significant cryptographic vulnerability in the YubiKey 5 hardware authentication token, which has implications for security professionals and organizations relying on hardware tokens for two-factor authentication. Researchers found that an attacker with physical access can clone the YubiKey, compromising security. This vulnerability, which affects multiple authentication devices using a specific microcontroller, highlights the importance of constant-time defenses in cryptographic implementations.

Detailed Description:

– A cryptographic flaw has been identified in the YubiKey 5, a widely used hardware token for two-factor authentication based on the FIDO standard. This flaw makes it vulnerable to cloning when an attacker gains temporary physical possession of the device.
– The vulnerability is categorized as a side channel attack, and it resides in a microcontroller that is used in various authentication devices, including banking smartcards and electronic passports.
– Key points regarding the vulnerability include:
  – All YubiKey 5 series models are confirmed to be vulnerable to this cloning attack.
  – The researchers suspect that other devices using the same microcontroller and Infineon’s cryptographic library may also be susceptible to the same issue.
  – YubiKeys running firmware prior to version 5.7 (released in May 2024) are affected, and because the firmware on a key cannot be updated, those devices remain at risk.
  – An attacker needs physical access to the device and may require additional knowledge about the target accounts to successfully exploit this vulnerability.
  – The attack is carried out with specialized equipment, since it depends on side-channel information such as electromagnetic emanations during cryptographic operations.

– The flaw stems from an implementation of the Extended Euclidean Algorithm that does not run in constant time. Because its execution time varies with the data being processed, the operation leaks information about that data through timing differences.
– Researchers have demonstrated how one could exploit this flaw physically and have highlighted the alarmingly long duration (over a decade) that the vulnerability may have existed without detection.
– This situation underlines the critical need for robust security measures and protocols, especially in the design and certification of cryptographic systems used in hardware security tokens.
– The report by NinjaLab draws attention to how effective side-channel attacks can be and to the risks of relying on an imperfect cryptographic implementation.
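
To make the constant-time point concrete, the following added example (not code from the NinjaLab report, Yubico or Infineon's library) computes a modular inverse two ways and counts loop iterations: the Extended Euclidean Algorithm, whose step count depends on the input, and Fermat exponentiation, one common fixed-step alternative. The toy 31-bit modulus, the function names and the sample inputs are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 31-bit prime modulus (2^31 - 1), an assumption for this example;
   real elliptic-curve code works with multi-word integers. */
#define P 2147483647ULL

/* Inverse of a mod P (1 <= a < P) by the Extended Euclidean Algorithm.
   The loop runs once per division step, so *steps depends on a. */
uint64_t inv_eea(uint64_t a, unsigned *steps)
{
    int64_t r0 = (int64_t)P, r1 = (int64_t)a, t0 = 0, t1 = 1, q, tmp;
    *steps = 0;
    while (r1 != 0) {
        q = r0 / r1;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
        (*steps)++;
    }
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)P : t0);
}

/* Inverse as a^(P-2) mod P (Fermat). The exponent is public and the loop
   always runs 31 times with a masked select instead of a branch, so the
   sequence of operations is the same for every a. */
uint64_t inv_fermat(uint64_t a, unsigned *steps)
{
    uint64_t e = P - 2, base = a % P, acc = 1, prod, mask;
    *steps = 0;
    for (int i = 0; i < 31; i++) {
        prod = acc * base % P;
        mask = (uint64_t)0 - ((e >> i) & 1);   /* all ones if bit i is set */
        acc = (prod & mask) | (acc & ~mask);
        base = base * base % P;
        (*steps)++;
    }
    return acc;
}

int main(void)
{
    const uint64_t in[] = {2, 3, 1234567, 2147483646};  /* constructed inputs */
    for (int i = 0; i < 4; i++) {
        unsigned se, sf;
        uint64_t x = inv_eea(in[i], &se), y = inv_fermat(in[i], &sf);
        printf("a=%llu eea=%llu (%u steps) fermat=%llu (%u steps)\n",
               (unsigned long long)in[i], (unsigned long long)x, se,
               (unsigned long long)y, sf);
    }
    return 0;
}
```

The step counter only shows the data-dependent control flow; a production implementation also needs multiplication and reduction primitives that are themselves constant-time on the target hardware.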

The YubiKey 5 vulnerability serves as a crucial reminder for security and compliance professionals to continuously assess and strengthen security systems, emphasizing the need for rigorous testing and validation of cryptographic algorithms as part of security best practices.