Yubikey cloning attack: Apparently possible – but not trivial

Attackers can exploit a security vulnerability in the Yubikey and YubiHSM from Yubico to recover private keys. Doing so, however, takes considerable effort.

Stylized graphic: a lock with biometric keys

(Image: created with AI in Bing Designer by heise online / dmk)


IT security researchers have discovered a security vulnerability in the firmware of the Yubikey and YubiHSM from Yubico that could allow attackers to recover private keys. Exploiting it is anything but trivial, however: it requires physical access to the token, expensive electronic measurement equipment, specialist know-how and more.

The manufacturer Yubico has published a security advisory on the vulnerability and classifies it as a moderate risk. The flaw lies in a cryptographic library from Infineon that Yubico used in older firmware versions. "Attackers can exploit the issue as part of an advanced and targeted attack to recover private keys," explain the developers at Yubico. "Attackers need physical access to the Yubikey, Security Key or YubiHSM, need to know the targeted accounts and need special equipment to carry out the attack." Depending on the use case, further information such as the user name, PIN, account password or authentication key may be required.

Use as a FIDO token is primarily affected, because FIDO credentials use ECDSA on the P-256 curve by default, and that is exactly the code path containing the flaw. Depending on the selected configuration and algorithm, the Yubikey PIV and OpenPGP applications as well as the YubiHSM 2 may also be affected. The vulnerability has received the CVE entry CVE-2024-45678 and is rated a medium risk with a CVSS score of 4.9.


Details of the attack and the side-channel vulnerability can be found in the paper "EUCLEAK" by Thomas Roche of NinjaLab in France. It describes a side-channel attack on the ECDSA implementation in the Infineon library, which is used by numerous Infineon security controllers and TPMs. The attack exploits the fact that the library's modular inversion (an extended Euclidean algorithm) does not run in constant time. During ECDSA signing this inversion is applied to the secret per-signature nonce, so the observed timing behaviour leaks information about the nonce and, from there, about the private signing key. With the recovered key an attacker can then produce valid signatures without the token.

Thomas Roche expressly points out that the primary purpose of Yubikeys and similar products is to combat phishing attacks. "The EUCLEAK attack requires physical access to the device, expensive equipment, customized software and technical talent. Therefore, as far as the work presented is concerned, it is still safer to use the Yubikey or other affected products as a FIDO hardware authentication token to log into applications than not to use one," Roche reiterates.

Affected are the Yubikey 5, Yubikey 5 FIPS, Yubikey 5 CSPN and Security Key before firmware version 5.7, the Yubikey Bio before 5.7.2, and the YubiHSM 2 and YubiHSM 2 FIPS before 2.4.0. Yubikey firmware cannot be updated in the field, so the gap cannot be closed on existing devices; eliminating it entirely would mean replacing the affected tokens. Whether that is really necessary outside of high-security environments, given the limited risk, is for each user to decide. The manufacturer has not yet responded to an inquiry from heise Security as to whether Yubico intends to offer at least favourable conditions for such an exchange.

In the security advisory, Yubico at least discusses some countermeasures for the older tokens that further reduce the risk. Setting a PIN, or using biometric protection where available, makes sense in principle: an attacker who obtains the token would then also need the PIN or the owner's fingerprint before the key can be used. For FIDO authentication, the session lifetime on the relying-party side can be shortened so that FIDO authentication is required more often; lost or stolen keys are then noticed sooner, and the window in which a recovered key is useful shrinks. For PIV and OpenPGP signature keys on the Yubikey, switching to RSA keys sidesteps the problem, since RSA signing does not use the affected ECDSA inversion; the same applies to the YubiHSM.

Tokens with firmware version 5.7 and newer use Yubico's own cryptographic library instead of the vulnerable Infineon library and are not affected. Roche lists other potential victims of his side-channel attack: he suspects that all products built on Infineon security microcontrollers that use the Infineon crypto libraries could be vulnerable. He was able to demonstrate this specifically on the Feitian A22 JavaCard, which, according to the manufacturer, is no longer in use.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.