Yubikey cloning attack: No firmware update, perhaps key replacement

Yubico is not planning any firmware updates for vulnerable Yubikeys in the future. The company will decide on a replacement on a case-by-case basis.

A criminal examines a USB dongle with security symbols all around it

(Image: created with AI in Bing Image Creator by heise online / dmk)


A security vulnerability in an Infineon crypto library can be abused, given physical possession of the device and expensive lab equipment, to extract secrets such as private keys from Yubikeys, among other products. heise online asked Yubico how the company intends to deal with the situation.

Yubico initially played the issue down: the vulnerability affects only older devices, not Yubikeys with firmware version 5.7 or newer, which have shipped since May 21, 2024. Firmware 5.7 uses Yubico's own cryptographic library instead of the Infineon library that is susceptible to the side-channel attack. This much was already known.
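The practical question for owners is therefore which firmware their key runs. The following script is an added example for this article, not Yubico's own tooling: it reads the version from the "Firmware version:" line that Yubico's command-line tool `ykman info` prints (the exact line format is an assumption) and applies the article's criterion, "older than 5.7 means Infineon library". When `ykman` is not installed it falls back to a constructed sample so it can be run offline.

```shell
#!/bin/sh
# Added example for this article, not Yubico's own tooling: decide from a
# YubiKey's reported firmware version whether it falls under the article's
# "older than 5.7" criterion (5.7 is the first firmware built on Yubico's own
# crypto library rather than the affected Infineon one).
#
# Assumption: the version is read from the "Firmware version:" line that
# `ykman info` prints; the field name and layout are modelled, not guaranteed.

# yk_firmware_affected VERSION
# Returns 0 (true) when VERSION is below 5.7, 1 otherwise.
yk_firmware_affected() {
    ver=$1
    major=${ver%%.*}                 # "5.4.3" -> "5"
    rest=${ver#*.}                   # "5.4.3" -> "4.3"; "5" -> "5" (no dot)
    if [ "$rest" = "$ver" ]; then    # no minor part given: treat it as 0
        minor=0
    else
        minor=${rest%%.*}            # "4.3" -> "4"
    fi
    # Compare numerically: a plain string comparison would wrongly rank
    # "5.10" below "5.7".
    if [ "$major" -lt 5 ]; then
        return 0
    fi
    if [ "$major" -eq 5 ] && [ "$minor" -lt 7 ]; then
        return 0
    fi
    return 1
}

# yk_version_from_info  (reads ykman info output on stdin)
# Prints only the version number from the "Firmware version:" line.
yk_version_from_info() {
    sed -n 's/^Firmware version:[[:space:]]*//p' | head -n 1
}

# Constructed sample, modelled on `ykman info` output (not captured from a
# real device); used when ykman is unavailable so the script runs offline.
SAMPLE_INFO='Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID'

if command -v ykman >/dev/null 2>&1; then
    info=$(ykman info 2>/dev/null) || info=""
else
    info=$SAMPLE_INFO
fi
version=$(printf '%s\n' "$info" | yk_version_from_info)

if [ -z "$version" ]; then
    echo "no firmware version found (is a YubiKey plugged in?)"
elif yk_firmware_affected "$version"; then
    echo "firmware $version is below 5.7: Infineon library, affected by the side-channel attack"
else
    echo "firmware $version is 5.7 or newer: Yubico's own library, not affected"
fi
```

Because the firmware cannot be changed after manufacture, the result of this check is permanent for a given key: an affected key stays affected, and the only remedies are physical control or replacement.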

When asked whether firmware updates are planned, a company spokesperson referred to a Yubico support page. There, the manufacturer explains that the firmware of a Yubikey cannot be updated once the device has been produced and provisioned: "To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered." However, other manufacturers such as Nitrokey do allow firmware updates and, if necessary, a factory reset that wipes the stored data. Secure, cryptographically signed firmware updates are therefore possible in principle, but Yubico stands by its decision not to allow them, even in light of the current problem: "We believe that not allowing firmware updates is still the best way to maximize the security of the keys".


For the keys that are vulnerable today, Yubico places the responsibility primarily on their owners. The attack requires physical access to a vulnerable USB dongle. "By keeping their YubiKeys in physical possession, users avoid this problem", explains the Yubico spokesperson. "Users should take precautions to maintain physical control of their Yubikeys".

If a stick is lost or stolen, owners should deregister the key from all linked accounts and services; a Yubico guide gives further recommendations for this case. The manufacturer also recommends registering a backup key so that accounts remain accessible if one key is lost. For the vulnerable models, however, this advice cuts both ways: a second stick with the same vulnerable firmware is one more device that can be stolen and cloned, which matters especially where security requirements are high.

When asked whether Yubico replaces vulnerable keys with ones running the secure firmware, the manufacturer remains cautious. "We evaluate requests on a case-by-case basis, depending on the customer scenario," Yubico explains. The spokesperson gave no further details on the criteria. Customer support can be reached via the company's website.

Yubico emphasizes that both the company and IT security researcher Thomas Roche, who discovered the vulnerability, recommend continuing to use the (vulnerable) FIDO authenticators rather than falling back to weaker authentication methods such as OTP or SMS: even an affected key is still better than no such protection at all. Yubico has also classified the risk as moderate because of the extraordinary resources the attack requires.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.