Tuesday, September 3, 2024

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel


YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

Enlarge (credit: Yubico)

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

Patching not possible

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

Read 21 remaining paragraphs | Comments

Reference : https://ift.tt/zL9Zfvp

No comments:

Post a Comment

Startups Begin Geoengineering the Sea

If you search up Hawaii’s Keāhole Point on Google Maps, center it on your screen, and then zoom out until you can see the edges of the g...