The YubiKey 5, the most widely used hardware token for FIDO-standard two-factor authentication, contains a cryptographic flaw that makes the small device vulnerable to cloning if an attacker gains temporary physical access to it, according to findings released by researchers on Tuesday.
The vulnerability, a side channel, resides in a small microcontroller used in a large number of other authentication devices, including banking smartcards, electronic passports, and devices used to access secure areas. The flaw has been confirmed in all models of the YubiKey 5 series; devices built on the same microcontrollers, such as the Infineon SLE78, the Infineon Optiga Trust M, and the Infineon Optiga TPM, have not been tested, but any device that pairs these microcontrollers with the Infineon cryptographic library is presumed to share the flaw.
In response, YubiKey manufacturer Yubico published an advisory alongside a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning technique. They reported that all YubiKeys running firmware versions prior to 5.7 are affected; version 5.7, released in May, replaces the Infineon cryptography library with Yubico's own implementation. Because YubiKey firmware cannot be updated, every affected YubiKey remains permanently vulnerable.
This information was initially published on Ars Technica, a reliable source for technology news, technological policy analysis, reviews, and more, part of the Condé Nast family, which also owns WIRED.
“An attacker could leverage this vulnerability during elaborate and specific attacks to extract the compromised private keys,” the advisory stated. “To accomplish this, the attacker would have to physically acquire the YubiKey, Security Key, or YubiHSM, possess knowledge of the targeted accounts, and utilize specialized equipment for the attack. The complexity of the attack might further require the attacker to know additional information such as usernames, PINs, passwords, or authentication keys.”
Side channels are physical traces such as electromagnetic emissions, data left behind in storage, or the time an operation takes to complete, any of which can leak cryptographic secrets. In this case, the side channel is the time taken to perform a mathematical operation known as a modular inversion. The Infineon cryptographic library failed to apply a basic side-channel defense, known as constant time, to the modular inversion performed as part of the Elliptic Curve Digital Signature Algorithm (ECDSA). Constant-time code ensures that timing-sensitive operations take the same number of steps regardless of the secret values involved.
More specifically, the side channel lies in Infineon's implementation of the Extended Euclidean Algorithm, which is used, among other things, to compute the modular inverse. The researchers used an oscilloscope to capture electromagnetic emissions while the token authenticated, which let them observe small variations in execution time that reveal the token's ephemeral ECDSA key, also known as the nonce. Further analysis then allowed the researchers to recover the long-term secret ECDSA key, on which the token's security depends.
In a report released on Tuesday, NinjaLab co-founder Thomas Roche noted:
NinjaLab has announced the discovery of a new side-channel vulnerability within the ECDSA algorithm used in Infineon’s security microcontroller series. This particular flaw is related to the modular inversion of the ephemeral key within Infineon’s realization of the Extended Euclidean Algorithm. This marks the first known vulnerability of the Extended Euclidean Algorithm to side-channel assaults, differentiating from its binary counterpart. Through realistic testing, NinjaLab disclosed that gaining this exploitable information from the device can take just a few minutes, with the offline analysis requiring around 24 hours—a duration potentially reducible to one hour with further refinements.
Intensive side-channel investigations into Infineon’s methods were conducted using a Feitian smartcard enhanced with open JavaCard technology. Subsequent tests were carried out on a YubiKey 5Ci by Yubico, revealing that vulnerabilities affect all hardware within the YubiKey 5 Series developed prior to the May 6th, 2024 firmware update. Essentially, every product incorporating Infineon’s cryptographic solutions, operating across their security microcontroller spectrum, possesses this vulnerability. This flaw has been present in Infineon’s highly protected chips for over 14 years, enduring through numerous Common Criteria (CC) certification evaluations dating between 2010 and 2024.
During an interview, Roche explained that Infineon produces “security microcontrollers” or “secure elements”, which are widely accessible in the market. Specifically, many devices, including the YubiKey 5 Series, implement the Infineon cryptographic library created by Infineon to offer a ready-to-use solution to clients not opting to develop a custom solution.
This cryptography library is closed source; even its API is available only under a non-disclosure agreement with Infineon. Its countermeasures and internal workings are known only to Infineon.
The library implements ECDSA, which is a fundamental cryptographic function used in multiple applications including FIDO. ECDSA involves several subprocesses, one of which is the modular inversion of the ephemeral key. This operation is crucial because any leakage about the ephemeral key can compromise the security of the secret key.
In the Infineon library, the modular inversion takes a number of steps that depends on the value of the ephemeral key, so its execution time varies from one signature to the next. By monitoring electromagnetic emissions during this operation, those subtle timing differences can be measured, allowing an attacker to deduce the ephemeral key and, from it, the secret key.
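The two points made in the last few paragraphs, that the Extended Euclidean Algorithm takes a nonce-dependent number of steps while a fixed-iteration inverse does not, and that any leak of the ECDSA nonce hands over the long-term private key, can be checked directly with the ECDSA equations. The following Python script is an added illustration written for this article; it is not NinjaLab's tooling or Infineon's library code. It implements ECDSA over the standard P-256 curve in plain Python, counts the loop iterations of a textbook extended Euclidean inverse (standing in for the timing the researchers measured), compares that with a Fermat inverse whose operation count does not depend on the input, and shows the algebra by which a known nonce yields the signing key. The private key, nonces and message are constructed sample values.

```python
import hashlib

# NIST P-256 domain parameters (public constants).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def egcd_inverse(x, m):
    """Variable-time modular inverse (extended Euclidean algorithm).

    Returns (inverse, steps). The number of loop iterations depends on x,
    which is exactly the kind of data-dependent behaviour a timing side
    channel exposes when x is the ECDSA nonce.
    """
    old_r, r = x % m, m
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m, steps


def fermat_inverse(x, m):
    """Inverse via x^(m-2) mod m: the exponent is fixed, so the number of
    squarings and multiplications does not depend on x. (Python's bignum
    arithmetic is not itself constant-time; a real library would use a
    constant-time bignum, but the principle of a fixed operation count is
    what the text calls 'constant time'.)"""
    return pow(x, m - 2, m)


def point_add(P, Q):
    """Affine point addition on P-256; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k, P):
    """Double-and-add scalar multiplication (not side-channel hardened)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(d, h, k):
    """Sign hash h with private key d and nonce k.
    Returns (r, s, steps) where steps is the leaky inversion's step count."""
    r = scalar_mult(k, G)[0] % n
    k_inv, steps = egcd_inverse(k, n)
    s = k_inv * (h + r * d) % n
    return r, s, steps


def ecdsa_verify(Q, h, r, s):
    w = fermat_inverse(s, n)
    R = point_add(scalar_mult(h * w % n, G), scalar_mult(r * w % n, Q))
    return R is not None and R[0] % n == r


def recover_private_key(h, r, s, k):
    """Why nonce leakage is fatal: s = k^-1 (h + r d)  =>  d = (s k - h) / r."""
    return (s * k - h) * fermat_inverse(r, n) % n


# Constructed sample values (not from any real device).
SAMPLE_D = 0x0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d
SAMPLE_K = int("0123456789abcdef" * 4, 16)
SAMPLE_MSG = b"constructed FIDO assertion challenge"

if __name__ == "__main__":
    h = hash_to_int(SAMPLE_MSG)
    Q = scalar_mult(SAMPLE_D, G)
    r, s, steps = ecdsa_sign(SAMPLE_D, h, SAMPLE_K)
    print("signature valid:", ecdsa_verify(Q, h, r, s))
    print("EEA steps for this nonce:", steps, "vs", egcd_inverse(1, n)[1], "for k=1")
    print("private key recovered from leaked nonce:",
          recover_private_key(h, r, s, SAMPLE_K) == SAMPLE_D)
```

Running the script shows that the extended Euclidean loop count differs from nonce to nonce (two iterations for k = 1, well over a hundred for a full-size nonce), which is the signal that becomes visible in the electromagnetic trace, and that once the nonce of a single signature is known the private key follows from one line of modular arithmetic. That is why a constant-time inversion, not a longer key, is the fix.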
The equipment necessary for such attacks costs approximately $11,000, along with a deep knowledge of electrical and cryptographic engineering. Due to the complexity and cost, such attacks are most likely undertaken by nation-states or similarly resourced groups in very specific cases. However, the probability of widespread use of this attack is minimal. Notably, two-factor authentication and one-time password mechanisms remain secure, as they do not depend on the compromised element of the cryptolibrary.
Tuesday’s report from NinjaLab outlines the full flow of the cloning attack as:
The list, however, omits a key step, which is tearing down the YubiKey and exposing the logic board housed inside. This likely would be done by using a hot air gun and a scalpel to remove the plastic key casing and expose the part of the logic board that acts as a secure element storing the cryptographic secrets. From there, the attacker would connect the chip to hardware and software that take measurements as the key is being used to authenticate an existing account. Once the measurement-taking is finished, the attacker would seal the chip in a new casing and return it to the victim.
Left: a YubiKey 5Ci intact; Right: the logic board found inside.
Two descriptions explaining how the electromagnetic radiation is measured using a probe.
The assault and its associated vulnerability were identical to those used by NinjaLab to clone Google Titan keys back in 2021, which also required physical possession of the token for around 10 hours.
Such attacks break the core promise of FIDO-compliant keys: that the secret cryptographic material they hold cannot be extracted or copied to any other device. That guarantee matters because FIDO keys are used in many security-sensitive settings, including military and corporate environments.
However, FIDO-compliant authentication remains one of the strongest authentication measures, immune to threats like credential phishing or man-in-the-middle attacks. Provided the key is not acquired by a resourceful and technologically equipped adversary, it stands as a highly secure authentication option. It is important to remember that cloning the token is just the initial step to access an account or system illicitly. The attacker also needs the user’s password, which is the first factor of authentication. Hence, physical keys are still considered one of the most reliable authentication techniques.
To find the side channel, the researchers reverse-engineered the Infineon cryptographic library, a closely guarded body of code that the manufacturer works hard to keep out of public view. The inner workings of this library are likely to attract considerable interest from cryptographers studying how it is used across a range of security devices.
Individuals interested in determining the firmware version of their YubiKey can utilize the Yubico Authenticator application. The application’s home screen, in its upper-left corner, displays the series and model of the key. For instance, per the advisory released on Tuesday, the YubiKey illustrated is a YubiKey 5C NFC version 5.7.0.
YubiKeys offer optional user authentication protections, which include the necessity for a user-provided PIN, fingerprint, or face scan. To effectively execute the cloning attack on YubiKeys that implement these security measures, the attacker would also need access to the user verification method. Additional details on enhancing the security of YubiKeys using these measures are available here.
A critical unanswered question is regarding other security devices that depend on the three compromised Infineon secure modules and utilize the Infineon cryptolibrary. To date, Infineon has not released an advisory and did not reply to inquiries about this issue. Currently, there is no CVE assigned for tracking this vulnerability.