The YubiKey is a hardware security key that simplifies two-factor authentication, adding a layer of security beyond a password alone. Researchers have now shown, however, that the device is not infallible.
Researchers have uncovered a cryptographic flaw in the widely adopted YubiKey 5 series. The flaw is a side-channel vulnerability: it makes the device susceptible to cloning if an attacker gains temporary physical access. The issue stems from a microcontroller made by Infineon, known as the SLB96xx series TPM.
The Infineon cryptographic library fails to implement a crucial side-channel defense known as “constant time” in certain mathematical operations: the time those operations take varies with the secret data they process. An attacker who can measure these subtle variations in execution time can potentially recover the device’s secret cryptographic keys.
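As an added illustration of what “constant time” means here (this is not code from Yubico, Infineon or the researchers), the toy below compares a square-and-multiply modular exponentiation whose work depends on the secret bits with a Montgomery ladder that does the same work for every bit. Modular exponentiation is assumed as a stand-in for the unnamed operations, and the code counts multiplications rather than timing them, so the check is deterministic.

```python
# Constructed example: secret-dependent work versus fixed work per key bit.
# Modular exponentiation is an assumed stand-in for the device's operations;
# counts are used instead of wall-clock time so the comparison is exact.


def _bits(exp):
    """Most-significant-first bit list of a positive integer exponent."""
    return [int(b) for b in bin(exp)[2:]]


def variable_time_modexp(base, exp, mod):
    """Naive square-and-multiply: the multiply runs only when the key bit
    is 1, so the operation count (and the run time) follows the secret."""
    ops, acc = 0, 1
    for bit in _bits(exp):
        acc = (acc * acc) % mod
        ops += 1
        if bit:                       # secret-dependent branch
            acc = (acc * base) % mod
            ops += 1
    return acc, ops


def constant_time_modexp(base, exp, mod):
    """Montgomery ladder with a branch-free conditional swap: one squaring
    and one multiply per bit whatever the bit is, so the count depends only
    on the exponent's bit length. (Python big ints are not truly constant
    time; the point shown is the fixed operation pattern.)"""
    ops = 0
    r0, r1 = 1, base % mod            # invariant: r1 == r0 * base
    for bit in _bits(exp):
        mask = -bit                   # 0 when bit == 0, all ones when 1
        t = (r0 ^ r1) & mask          # swap registers when bit == 1
        r0, r1 = r0 ^ t, r1 ^ t
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        t = (r0 ^ r1) & mask          # swap back
        r0, r1 = r0 ^ t, r1 ^ t
        ops += 2
    return r0, ops


def leak_profile(func, mod, base, exps):
    """Defender's check: operation count per exponent. A constant-time
    routine gives identical counts for same-length exponents."""
    return [func(base, e, mod)[1] for e in exps]
```

Run `leak_profile` over same-length exponents of different Hamming weight: the naive routine's counts differ, the ladder's do not.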
Yubico, the company behind YubiKeys, has already released a firmware update (version 5.7) that replaces the vulnerable Infineon cryptographic library. However, the firmware on existing YubiKey 5 devices cannot be updated, so all affected keys remain permanently vulnerable.
Recommendation:
While the vulnerability is concerning, it’s not all doom and gloom. Yubico has already released a firmware update that replaces the vulnerable library, but existing YubiKey 5 devices cannot be updated and remain permanently vulnerable. Even so, the attack requires significant resources and expertise, making it extremely unlikely to be exploited by the average cybercriminal.