YubiKey FIDO authenticators can be exploited due to an unpatchable cryptographic flaw
All physical multi-factor authentication (MFA) keys that run on Infeneon’s SLE78 microcontroller are reportedly vulnerable to a cryptographic flaw that could allow malicious actors to clone the gadget and gain unrestricted access to restricted accounts. This includes the YubiKey 5, which is considered the most widely used hardware token based on the FIDO standard.
In a in-depth technical analysisResearchers from NinjaLab described how they discovered the flaw and what it means for those using the YubiKey 5. As explained, the SLE78 microcontroller implements the Elliptic Curve Digital Signature Algorithm (ECDSA) as its core cryptographic primitive. In short, ECDSA is a cryptographic algorithm used to create digital signatures, and if a hacker can read this signature, they can undermine the security of the entire token.
And that’s exactly what NinjaLab did, using a technique known as “side-channel.” This is a type of security attack where hackers use information gained from the physical implementation of a computer system, rather than weaknesses in the implemented algorithms. These attacks gather information by observing how a system works, such as timing, power consumption, electromagnetic emissions, or even sound.
YubiKey 5 not so easy to abuse
With SLE78, generating another temporary key takes varying amounts of time. This is something the researchers were able to read out and clone their own YubiKey 5 based on (this is a very simplified explanation).
It’s definitely a major security flaw, but one that isn’t easy to reproduce in the wild. The attacker would first need to know the victim’s credentials and have physical access to the MFA token. They would then need to disassemble the token to gain access to the hardware inside it and use $11,000 worth of equipment to read it. The actual reading, and the process of cloning the device, takes just a few minutes.
This isn’t something your average hacker can exploit, but a nation state can – absolutely. It’s also worth noting that there is no patch or workaround – all YubiKey 5 devices running firmware prior to version 5.7 are permanently vulnerable.
Via Ars Technique