YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.
The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a host of other authentication devices, including smart cards used in banking, e-passports, and access to secure areas. While the researchers have confirmed that all models in the YubiKey 5 series can be cloned, they have not tested other devices built on the same microcontroller, Infineon's SLE78, or on its successors, the Infineon Optiga Trust M and Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers together with Infineon's cryptographic library contains the same vulnerability.
Patching is not possible
YubiKey manufacturer Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and designed the cloning attack. All YubiKeys running firmware older than version 5.7, which was released in May and replaces the Infineon crypto library with a custom one, are vulnerable. It is not possible to update the firmware on a YubiKey, which leaves all affected keys permanently vulnerable.
“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover the affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, security key, or YubiHSM; knowledge of the accounts they wish to attack; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge such as the account username, PIN, password, or authentication key.”
Side channels are clues left in physical manifestations, such as electromagnetic emanations, data caches, or the time taken to complete a task, that leak cryptographic secrets. In this case, the side channel is the amount of time it takes to perform a mathematical calculation known as modular inversion. The Infineon crypto library did not implement a common side channel defense known as constant time when performing the modular inversion that is part of the elliptic curve digital signature algorithm (ECDSA). A constant-time implementation ensures that the execution time of a cryptographic operation is uniform rather than varying with the specific key being processed.
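The following is an added example, not code from the article, from NinjaLab, or from Infineon's library, that makes the "constant time" point concrete. It uses the real NIST P-256 group order as the modulus, and stands in for measured runtime by counting arithmetic steps: a textbook extended-Euclidean inverse takes a number of steps that depends on the secret input, while an inverse computed as k^(n-2) mod n with a Montgomery ladder over the public, fixed exponent performs the same number of multiplications no matter what k is. Python big-integer multiplication is itself not constant time, so the step count, not wall-clock time, is the property being demonstrated; the function and variable names are this example's own.

```python
# Added example: variable-time vs fixed-operation-count modular inversion.
# Not the article's, NinjaLab's or Infineon's code. The modulus is the real
# NIST P-256 group order; "steps" is a constructed proxy for runtime.

P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def eea_inverse(k: int, n: int) -> tuple[int, int]:
    """Modular inverse via the extended Euclidean algorithm.

    Returns (k^-1 mod n, number of division steps). The loop count, and so
    the runtime, depends on the value of k: that dependence is the leak.
    """
    old_r, r = k % n, n
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    assert old_r == 1, "k must be invertible mod n"
    return old_s % n, steps


def fermat_inverse(k: int, n: int) -> tuple[int, int]:
    """Modular inverse as k^(n-2) mod n (n prime), Montgomery ladder.

    The exponent n-2 is public and fixed, so the number and order of
    multiplications depend only on n, never on the secret k.
    Returns (k^-1 mod n, number of multiplications).
    """
    r0, r1 = 1, k % n
    steps = 0
    for bit in bin(n - 2)[2:]:        # walk over the public exponent, MSB first
        if bit == "1":
            r0 = (r0 * r1) % n
            r1 = (r1 * r1) % n
        else:
            r1 = (r0 * r1) % n
            r0 = (r0 * r0) % n
        steps += 2                    # exactly two multiplications per bit
    return r0, steps


def timing_profile(nonces: list[int], n: int = P256_N) -> dict[int, tuple[int, int]]:
    """Map each nonce to (EEA steps, ladder steps) to compare the two leaks."""
    return {k: (eea_inverse(k, n)[1], fermat_inverse(k, n)[1]) for k in nonces}


if __name__ == "__main__":
    # Constructed sample nonces: tiny ones make the EEA step spread obvious.
    for k, (eea_steps, ladder_steps) in timing_profile([1, 2, 3, 2**200 + 1]).items():
        print(f"k={k:>5}...  EEA steps={eea_steps:<4} ladder steps={ladder_steps}")
```

Run the block and the EEA column changes from nonce to nonce while the ladder column stays at 512 (two multiplications for each of the 256 exponent bits). An attacker who can observe the step count, or anything correlated with it such as the EM trace described in the article, learns something about k from the first implementation and nothing from the second.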
More precisely, the side channel lies in Infineon's implementation of the extended Euclidean algorithm, a method for, among other things, computing a modular inverse. By using an oscilloscope to measure electromagnetic emanations while the token is authenticating, the researchers were able to detect small differences in runtime that reveal the token's ephemeral ECDSA key, also known as a nonce. Further analysis then allows them to extract the long-term secret ECDSA key that underpins the entire security of the token.
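To show why leaking the nonce is fatal, here is an added example, not code from the article or from NinjaLab, that implements textbook ECDSA over NIST P-256 in pure Python, signs a constructed challenge with a known nonce k, and then recovers the long-term private key d from the signature and k alone using d = (s*k - z) * r^-1 mod n. The example assumes the attacker has learned the entire nonce for one signature; the article says only that the side channel reveals the nonce and that further analysis yields the key, so how much of k the real attack obtains per trace, and what that further analysis consists of, is not taken from the page. Curve constants are the real P-256 values; all keys, nonces and messages are constructed for the demo, and the function names are this example's own.

```python
# Added example: ECDSA on P-256 and private-key recovery from a known nonce.
# Not the article's or NinjaLab's code. Curve constants are real NIST P-256;
# every key, nonce and message below is constructed for the demonstration.
import hashlib

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt) -> bool:
    """Check y^2 == x^3 + A*x + B (mod P); None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                              # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not side-channel hardened)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ecdsa_sign(d: int, z: int, k: int) -> tuple[int, int]:
    """Sign hash z with private key d and nonce k; returns (r, s)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N        # the modular inversion of k
    return r, s


def ecdsa_verify(pub, z: int, sig: tuple[int, int]) -> bool:
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(z: int, sig: tuple[int, int], k: int) -> int:
    """Given one signature (r, s) on hash z and its nonce k, return d.

    From s = k^-1 (z + r d) mod n it follows that d = (s k - z) r^-1 mod n.
    """
    r, s = sig
    return (s * k - z) * pow(r, -1, N) % N


def demo() -> bool:
    """Sign a constructed challenge, leak the nonce, recover the key."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo private key").digest(), "big") % N
    pub = ec_mul(d, G)
    z = int.from_bytes(hashlib.sha256(b"constructed FIDO challenge").digest(), "big")
    k = int.from_bytes(hashlib.sha256(b"constructed ephemeral nonce").digest(), "big") % N
    sig = ecdsa_sign(d, z, k)
    assert ecdsa_verify(pub, z, sig)
    return recover_private_key(z, sig, k) == d


if __name__ == "__main__":
    print("private key recovered from one leaked nonce:", demo())
```

The recovery step is a single modular multiplication, which is why a token's security rests entirely on the nonce never being observable; a cloned key is just this recovered d loaded into another signer.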
In Tuesday’s report, NinjaLab co-founder Thomas Roche wrote: