Researchers announced Tuesday that the YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that could allow an attacker to clone the finger-sized device if they gain temporary physical access.
The cryptographic flaw, known as a side channel, is present in a small microcontroller used in numerous other authentication devices, such as smart cards used in banking, electronic passports and access to secure areas. The researchers confirmed that all models of the YubiKey 5 series can be cloned, but did not test other devices that use this microcontroller, the Infineon SLE78, or its successors, the Infineon Optiga Trust M and Infineon Optiga TPM. The researchers believe that all devices that use any of these three microcontrollers together with Infineon’s cryptographic libraries contain the same vulnerability.
Not patchable
YubiKey manufacturer Yubico issued the advisory in coordination with a detailed disclosure report from security firm NinjaLab, which reverse engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7, which was released in May and replaces the Infineon cryptographic library with a custom library, are vulnerable. It is not possible to update the key firmware on a YubiKey, which means all affected YubiKeys will remain permanently vulnerable.
“An attacker could exploit this issue as part of a sophisticated, targeted attack to recover affected private keys,” the advisory confirms. “An attacker would require physical possession of a YubiKey, security key, or YubiHSM, knowledge of the account being attacked, and specialized equipment to carry out the required attack. Depending on the use case, an attacker may also require additional knowledge such as a username, PIN, account password, or authentication key.”
A side channel is the result of clues left in physical manifestations such as electromagnetic radiation, data caches, or the time required to complete a task, which leak a cryptographic secret. In this case, the side channel is the time it takes to perform a mathematical calculation called modular inversion. When performing the modular inversion operations used in the Elliptic Curve Digital Signature Algorithm (ECDSA), the Infineon cryptographic library did not implement a common side-channel defense called constant time. Constant time makes the execution of a time-sensitive cryptographic operation uniform rather than varying with the key being used.
More precisely, the side channel lies in Infineon’s implementation of the Extended Euclidean Algorithm, a method for computing modular inverses. By measuring the token’s electromagnetic emissions with an oscilloscope while it is authenticating, the researchers are able to detect slight differences in execution time that reveal the token’s ephemeral ECDSA key (also known as a nonce). Further analysis then allows them to extract the secret ECDSA key that underpins the token’s overall security.
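To make the timing dependence concrete, here is an added illustration that is not code from the article, NinjaLab or Infineon: a textbook extended Euclidean inversion whose loop count depends on its operand, beside a Fermat inversion that does the same work for every operand, both plugged into the ECDSA formula at the point where the nonce k is inverted. The modulus is the published NIST P-256 group order; the loop counts are a proxy for execution time and the operands are constructed.

```python
# Added illustration: why a variable-time modular inverse of the ECDSA nonce leaks.
# Loop count stands in for execution time. Python integers are not constant time,
# so this shows the structure of the defense, not a production countermeasure.

# Group order of NIST P-256, the modulus ECDSA on that curve inverts against.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def egcd_inverse(a: int, n: int) -> tuple[int, int]:
    """Extended Euclidean inverse of a mod n. Returns (inverse, iterations);
    the iteration count varies with a, which is exactly the side channel."""
    r0, r1, t0, t1, steps = n, a % n, 0, 1, 0
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % n, steps


def fermat_inverse(a: int, p: int) -> tuple[int, int]:
    """Inverse mod prime p as a^(p-2), one square and one multiply per exponent
    bit. The work depends only on the size of p, never on a (a real
    implementation replaces the Python select with a constant-time select)."""
    exp, result, base, steps = p - 2, 1, a % p, 0
    for bit in reversed(range(exp.bit_length())):
        result = (result * result) % p
        candidate = (result * base) % p          # always computed, bit set or not
        result = candidate if (exp >> bit) & 1 else result
        steps += 1
    return result, steps


def iteration_spread(inverse_fn, modulus: int, operands) -> tuple[int, int]:
    """(min, max) loop count over the operands. A non-zero spread means the
    operation's duration carries information about the secret operand."""
    counts = [inverse_fn(a, modulus)[1] for a in operands]
    return min(counts), max(counts)


def ecdsa_s(h: int, r: int, d: int, k: int, n: int, inverse_fn) -> int:
    """s = k^-1 * (h + r*d) mod n; k^-1 is where the token inverts the nonce."""
    k_inv, _ = inverse_fn(k, n)
    return (k_inv * (h + r * d)) % n
```

Running iteration_spread with egcd_inverse over a range of operands gives differing minimum and maximum counts, while fermat_inverse always performs exactly 256 rounds for this modulus.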
In a report on Tuesday, NinjaLab co-founder Thomas Roche wrote: