Yubikey cloning attack: online ID card not vulnerable
Some ID cards use Infineon chips that have been attacked using EUCLEAK. However, the ID card is not vulnerable.
(Image: Bild erstellt mit KI in Bing Image Creator durch heise online / dmk)
After a side-channel attack on fairly widespread Yubikeys, which are used as FIDO2 sticks for authentication, became known, some heise readers pricked up their ears. According to them, the affected microcontrollers from Infineon are also used in ID cards with online functions. The question they asked: are the ID documents now also vulnerable to attack and copying?
Apparently, the attacked Infineon controllers from the SLE78 series were used between 2013 and 2020 for ID cards and other "sovereign documents". When asked by heise online, the German Federal Office for Information Security (BSI) replied: "The attack published by the security researchers was intensively investigated by the BSI. The BSI came to the conclusion that the attacks shown in the research work on sovereign documents (identity cards, passports, residence permits), as used in the German market, cannot be successfully carried out. The aforementioned products can therefore be considered secure against the attack scenarios outlined in the research work."
Vulnerable combination is not used
When asked about the specific threat posed by the use of Infineon ICs and the Infineon crypto library, a BSI spokesperson specified: "The vulnerability published by the security researchers only affects chips from the manufacturer Infineon in combination with their crypto libraries. This combination is not used in sovereign documents in the German market."
Yubico's case-by-case decision
Yubico told heise online that the company wanted to check on a case-by-case basis whether it would replace affected Yubikeys. Initial reports available to heise online from those affected indicate that Yubico is rejecting exchange requests from individuals. According to the manufacturer, the risk is only low.
Around two weeks ago, the EUCLEAK attack on Yubikeys with Infineon chips using associated Infineon crypto libraries became known. In newer firmware versions, Yubico relies on its own libraries, which means that the side-channel attack, which requires physical access, expensive equipment and some know-how, no longer works. A firmware update is not planned due to the manufacturer's security concerns and is prevented on the hardware side by setting the corresponding fuses on the microcontrollers.
(dmk)
