YubiKeys have an unfixable security flaw


Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device, according to a new security advisory. The vulnerability was discovered within the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, YubiKey Bio, Security Key, and YubiHSM 2 series devices.

YubiKey maker Yubico says the severity of the side-channel vulnerability is “moderate” but that it is difficult to exploit, partly because two-factor systems rely on something the user has and something only they should know.

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or a state-sponsored attack.

As YubiKey firmware can’t be updated, all YubiKey 5 devices before version 5.7 (or 5.7.2 for the Bio series and 2.4.0 for YubiHSM 2) will remain vulnerable forever. Later model versions aren’t affected, as they no longer use the Infineon cryptolibrary. NinjaLab, the security firm that discovered the vulnerability, estimates that it has existed in Infineon’s top security chips for over 14 years. The researchers believe other devices using the Infineon cryptographic library, or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers, are also at risk.
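Because the only remediation is knowing which devices predate the fixed firmware, the practical check an administrator wants is a version comparison against the thresholds quoted above. The following is an added example, not code from the article, Yubico, or NinjaLab. It assumes the layout of `ykman info` output shown in the constructed sample (the `Device type:` and `Firmware version:` lines) and a hypothetical mapping from that device-type string to the series named in the article; the Security Key series is named as affected but no version threshold is given for it, so it is reported as unknown rather than guessed.

```python
"""Classify a YubiKey's firmware against the fixed-version thresholds the article states.

Assumptions (not from the article): the `ykman info` text format used in the
constructed sample below, and the device-type-to-series mapping in series_of().
"""
import re

# Lowest firmware version per series that the article says is NOT affected.
FIXED_FIRMWARE = {
    "YubiKey 5": (5, 7, 0),
    "YubiKey Bio": (5, 7, 2),
    "YubiHSM 2": (2, 4, 0),
}

# Constructed sample of `ykman info`-style output (format assumed, values invented).
SAMPLE_YKMAN_INFO = """\
Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
"""


def parse_version(text):
    """Return (major, minor, patch) ints from the first x.y.z in `text`."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def series_of(device_type):
    """Map a device-type string to one of the article's series names, or None.

    Hypothetical mapping: Security Key devices return None because the article
    gives no fixed-version threshold for that series.
    """
    name = device_type.lower()
    if "bio" in name:
        return "YubiKey Bio"
    if "yubihsm" in name:
        return "YubiHSM 2"
    if "yubikey 5" in name:
        return "YubiKey 5"
    return None


def is_affected(series, version):
    """True if firmware `version` on `series` predates the first fixed release."""
    threshold = FIXED_FIRMWARE[series]
    return parse_version(version) < threshold


def assess_ykman_info(output):
    """Parse `ykman info`-style text and summarise exposure.

    `affected` is True/False when the series has a known threshold, and None
    when the series is unrecognised or the firmware line is missing.
    """
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    series = series_of(fields.get("Device type", ""))
    version = fields.get("Firmware version", "")
    if series is None or not version:
        return {"series": series, "version": version, "affected": None}
    return {"series": series, "version": version,
            "affected": is_affected(series, version)}


if __name__ == "__main__":
    print(assess_ykman_info(SAMPLE_YKMAN_INFO))
```

A `None` result is a prompt to check the device manually rather than a clean bill of health; in a fleet inventory it should be treated as unresolved, not as unaffected.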
