YubiKeys are a gold standard for security, but they can be cloned

YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a host of other authentication devices, including smart cards used in banking, e-passports, and access to secure areas. While researchers have confirmed that all models in the YubiKey 5 series can be cloned, they have not tested other devices built on the same Infineon SLE78 microcontroller or its successors, the Infineon Optiga Trust M and Infineon Optiga TPM. Researchers suspect that any device using any of these three microcontrollers together with Infineon’s cryptographic library contains the same vulnerability.

Patching is not possible

YubiKey manufacturer Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and designed the cloning attack. All YubiKeys running firmware older than version 5.7, which was released in May and replaces the Infineon crypto library with a custom one, are vulnerable. YubiKey firmware cannot be updated in the field, so every affected key remains vulnerable for its lifetime.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover the affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, security key, or YubiHSM; knowledge of the accounts they wish to attack; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge such as the account username, PIN, password, or authentication key.”

Side channels are clues left in physical manifestations such as electromagnetic emanations, data caches, or the time taken to complete a task, which leak cryptographic secrets. In this case, the side channel is the amount of time it takes to perform a mathematical calculation known as modular inversion. The Infineon crypto library did not implement a common side-channel defense known as constant time when performing the modular inversion used in the elliptic curve digital signature algorithm (ECDSA). Constant-time code ensures that the execution time of a cryptographic operation does not vary with the secret values it processes, so timing reveals nothing about the key.

More precisely, the side channel lies in Infineon’s implementation of the extended Euclidean algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure electromagnetic radiation while the token is authenticating, researchers are able to detect small differences in runtime that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows researchers to extract the secret ECDSA key that underpins the entire security of the token; recovering the nonce used for even a single signature is enough to solve that signature’s equation for the private key.
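To make the two steps above concrete, here is an added Python example; it is not NinjaLab’s attack code and not Infineon’s library. It shows a textbook extended Euclidean inverse whose number of division steps depends on the value being inverted (the nonce), a fixed-trajectory Fermat inverse whose operation count depends only on the size of the modulus, and a minimal ECDSA over secp256k1 demonstrating that one leaked nonce lets you solve the signing equation for the private key. The curve constants are the standard secp256k1 parameters; the private key, nonce and message are constructed test values. Python’s big-integer arithmetic is itself not constant time, so the ladder illustrates a uniform operation count, not a production constant-time implementation.

```python
"""Added example (not NinjaLab's attack code or Infineon's library): why a
variable-time extended Euclidean inversion of an ECDSA nonce leaks, and why
one leaked nonce is enough to recover the private key.  Curve: secp256k1
standard parameters.  Key, nonce and message are constructed test values."""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def egcd_inverse(a, m):
    """Textbook extended Euclidean inverse: returns (a^-1 mod m, steps).
    The number of division steps depends on the value of `a`, so anyone
    timing the routine (or watching its EM signature) learns about `a`.
    This illustrates the pattern the article describes, not Infineon's code."""
    old_r, r = m, a % m
    old_s, s = 0, 1
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m, steps


def fermat_inverse(a, m):
    """Inverse as a^(m-2) mod m (m prime) with a square-and-multiply ladder
    that does the same work for every exponent bit (a dummy multiply when
    the bit is 0).  Returns (inverse, steps); steps depends only on the bit
    length of m.  Python big ints are not constant time, so this shows a
    uniform operation count, not a production constant-time routine."""
    result, dummy, steps = 1, 1, 0
    for bit in bin(m - 2)[2:]:
        result = result * result % m
        if bit == "1":
            result = result * a % m
        else:
            dummy = dummy * a % m  # keeps the operation sequence uniform
        steps += 2
    return result, steps


def _add(p1, p2):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not side-channel hardened)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(d, h, k):
    """ECDSA signature of hash h under private key d with nonce k."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s


def verify(q, h, r, s):
    """Standard ECDSA verification against public key q."""
    w = pow(s, -1, N)
    pt = _add(_mul(h * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def recover_private_key(r, s, h, k):
    """s = k^-1 (h + r d) mod N  =>  d = r^-1 (s k - h) mod N."""
    return pow(r, -1, N) * (s * k - h) % N


def demo():
    """Returns (key recovered?, EEA step count varies?, ladder count fixed?)."""
    d = secrets.randbelow(N - 1) + 1  # constructed private key
    q = _mul(d, G)
    h = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big") % N
    k = secrets.randbelow(N - 1) + 1  # the nonce the side channel leaks
    r, s = sign(d, h, k)
    assert verify(q, h, r, s)
    probes = (1, 2, k, N - 1)
    eea_counts = {egcd_inverse(x, N)[1] for x in probes}
    ladder_counts = {fermat_inverse(x, N)[1] for x in probes}
    return (recover_private_key(r, s, h, k) == d,
            len(eea_counts) > 1, len(ladder_counts) == 1)


if __name__ == "__main__":
    print(demo())
```

The `steps` counters stand in for the EM trace captured with the oscilloscope: what matters is that the extended Euclidean count changes with the nonce while the ladder’s does not. Full recovery of one nonce is the simplest case; in practice, partial knowledge of the nonce across many signatures is also sufficient via lattice methods, which is why any nonce leakage at all is treated as a break.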

In Tuesday’s report, NinjaLab co-founder Thomas Roche wrote:

In this work, NinjaLab unveils a new side-channel vulnerability in Infineon’s ECDSA implementation on any of the manufacturer’s security microcontroller families. This vulnerability resides in the modular inversion of the ECDSA ephemeral key (or nonce), and more precisely in Infineon’s implementation of the Extended Euclidean Algorithm (EEA). To our knowledge, this is the first time that an EEA implementation has been shown to be vulnerable to side-channel analysis (unlike the binary version of EEA). Exploitation of this vulnerability is demonstrated through realistic experiments, and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us around 24 hours; with further engineering work in developing the attack, it would take less than an hour.

After a long phase of understanding Infineon’s implementation through side-channel analysis on an open Feitian JavaCard smart card, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. The entire YubiKey 5 series (before firmware update 5.7 on May 6, 2024) is affected by the attack. In fact, all products that rely on Infineon’s cryptographic library ECDSA running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability has existed for more than 14 years in Infineon’s high-security chips. These chips and the vulnerable part of the cryptographic library went through around 80 AVA_VAN.4 (for TPM) or AVA_VAN.5 (for the others) level CC certification assessments from 2010 to 2024 (and a little less than 30 certificate maintenances).
