Vulnerability allows Yubico security keys to be cloned

Researchers have unearthed a cryptographic vulnerability in popular Yubico (FIDO) hardware security keys and modules that may allow attackers to clone the devices.

But the news is not as catastrophic as it may seem at first glance.

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM [hardware security module], knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key,” Yubico explained in an advisory published on Tuesday.

About the vulnerability

The vulnerability was discovered by NinjaLab researchers, after reverse-engineering the YubiKey 5 series keys. It is still without a CVE number, but the attack it enables has been dubbed EUCLEAK by the researchers.

It is a side-channel vulnerability in the cryptographic library of Infineon Technologies, whose microcontrollers are used in Yubico’s security keys to generate/store secrets and perform cryptographic operations.

“This vulnerability – that went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non constant-time modular inversion,” Thomas Roche, a hardware security researcher and NinjaLab co-founder, explained.

“The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e., few minutes, are enough) in order to extract the [Elliptic Curve Digital Signature Algorithm] secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.”
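To make "non constant-time modular inversion" concrete, the following added example (not code from NinjaLab, Infineon or Yubico) compares a textbook extended Euclidean inversion, assumed here as a stand-in for the vulnerable routine, with a fixed-exponent Fermat inversion. The modulus (the NIST P-256 group order), the function names and the sample values are assumptions constructed for illustration.

```python
import hashlib

# NIST P-256 group order: a public prime modulus, chosen for illustration.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def inv_euclid(k, n):
    """Extended Euclidean inversion. Returns (k^-1 mod n, division steps).
    The loop count depends on the value of k, which is the kind of
    data-dependent behaviour a side channel can observe."""
    r0, r1 = n, k % n
    t0, t1 = 0, 1
    steps = 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("value is not invertible")
    return t0 % n, steps

def inv_fermat(k, n):
    """k^(n-2) mod n for prime n. Returns (k^-1 mod n, multiplications).
    The square/multiply sequence follows the public exponent n-2 only.
    (Python integers are not constant-time; only the count is the point.)"""
    k %= n
    if k == 0:
        raise ValueError("value is not invertible")
    result, mults = 1, 0
    for bit in bin(n - 2)[2:]:
        result = result * result % n
        mults += 1
        if bit == "1":
            result = result * k % n
            mults += 1
    return result, mults

# Constructed sample values standing in for secret nonces (not key material).
SAMPLE_NONCES = [3, 2**200 + 1] + [
    int.from_bytes(hashlib.sha256(b"constructed-%d" % i).digest(), "big") % N
    for i in range(3)
]

def profile(nonces, n=N):
    """Return (euclid_steps, fermat_mults) for each nonce."""
    return [(inv_euclid(k, n)[1], inv_fermat(k, n)[1]) for k in nonces]

if __name__ == "__main__":
    for k, (steps, mults) in zip(SAMPLE_NONCES, profile(SAMPLE_NONCES)):
        print(f"bits={k.bit_length():3d} euclid_steps={steps:3d} fermat_mults={mults}")
```

The Euclidean step count changes with the input, while the Fermat multiplication count is identical for every input, which is why hardened implementations favour inversions whose control flow does not depend on the secret.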

Yubico delivers fix, but…

Yubico has evaluated its products and found that the vulnerability affects:

  • YubiKey 5 Series, YubiKey 5 FIPS Series, and YubiKey 5 CSPN Series devices with firmware prior to 5.7
  • YubiKey Bio Series devices with firmware prior to 5.7.2
  • Security Key Series all versions with firmware prior to 5.7
  • YubiHSM 2 and YubiHSM 2 FIPS modules with firmware prior to 2.4.0

“The (…) vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default. YubiKey PIV and OpenPGP applications and YubiHSM 2 usage may also be impacted depending on configuration and algorithm choices by the end user,” Yubico noted.

Yubico has plugged the security hole by replacing Infineon’s cryptographic library with its own cryptographic library in later firmware versions. Unfortunately, devices with the vulnerable firmware versions can’t be updated.

Yubico has advised users on how to check whether their keys / modules are affected, and has offered advice to organizations on how to mitigate the risk of a successful attack.


Yubico Authenticator app shows the model and version of the YubiKey (Source: Yubico)

Roche also pointed out that the primary goal of authentication tokens (like FIDO hardware devices) is to fight the scourge of phishing attacks. “The EUCLEAK attack requires physical access to the device, expensive equipment, custom software and technical skills. Thus, (…) it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one,” he noted.

Wider implications

NinjaLab researchers have tested YubiKey 5 series models with the Infineon SLE78 microcontrollers and have proved that they can be cloned, but they also suspect that the Infineon Optiga Trust M and Optiga TPM security microcontrollers have the same vulnerability.

“Infineon did not clearly confirm nor deny our suspicion but went on to develop a patch for their cryptolib. To our knowledge, at the time of writing this report, the patched cryptolib did not yet pass a CC certification. Anyhow, in the vast majority of cases, the security microcontrollers cryptolib cannot be upgraded on the field, so the vulnerable devices will stay that way until device roll-out,” Roche added.

“[Vulnerable Infineon] security microcontrollers are present in a vast variety of secure systems – often relying on ECDSA – like electronic passports and crypto-currency hardware wallets but also smart cars or homes. However, we did not check (yet) that the EUCLEAK attack applies to any of these products.”
