Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
A security researcher at NinjaLab has pulled the cloak off of a vulnerability found in the secure elements of older YubiKey devices that would allow an attacker to clone the hardware authentication gadget.
The side-channel vulnerability was found in the cryptographic library of Infineon Technologies, which is used in the YubiKey 5 series among other devices. The vulnerability—which was discovered by NinjaLab co-founder Thomas Roche and dubbed “EUCLEAK” in a Sept. 3 research paper—went unnoticed for 14 years and is due to a non-constant-time modular inversion that would enable an attacker to extract YubiKey’s security key.
In a Sept. 3 security advisory, Yubico acknowledged the security issue and said the vulnerability was moderate. According to the global cybersecurity company, affected devices include:
- YubiKey 5 Series versions prior to 5.7
- YubiKey 5 FIPS Series prior to 5.7
- YubiKey 5 CSPN Series prior to 5.7
- YubiKey Bio Series versions prior to 5.7.2
- Security Key Series all versions prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0
Yubico added that the vulnerability primarily impacts Fast IDentity Online (FIDO) use cases because the FIDO standard “relies on the affected functionality by default.”
Don’t freak. In its security advisory, Yubico disclosed that it has nixed its dependency on Infineon’s cryptographic library for its own on newer devices. YubiKey firmware cannot be updated, meaning that affected devices will remain vulnerable indefinitely.
Owners of affected YubiKeys don’t need to fret just yet, as potential attacks aren’t easy to execute.
“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” Yubico said in the security advisory. It added that attackers may also need additional information such as a username, account passwords or an authentication key to execute attacks.
Roche in his research paper also noted that the attack would require expensive equipment, custom software, and technical skills.
“[A]s far as the work presented here goes, it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one,” he said.
Jason Soroko, senior vice president of product at certificate lifecycle management company Sectigo, told IT Brew via email that professionals looking to mitigate potential risks can still do so by making sure they are using updated firmware and monitoring for new security advisories.
“Teams should also implement device rotation or replacement where vulnerabilities cannot be patched, limiting the exposure to side-channel risks in sensitive environments,” wrote Soroko. “Take inventory of where these devices are used and have a plan to sunset their usage for something else in the future.”