Some versions of Yubikeys, one of the most popular hardware security keys, were vulnerable to side-channel attacks. This unfixable vulnerability is caused by a cryptography flaw in a third-party library that somehow slipped under the radar for 14 years, including 80 highest-level Common Criteria certification evaluations.
The vulnerability was discovered by Thomas Roche, a security expert and co-founder of NinjaLab, who promptly reported it to Yubikeys. It runs an attack called EUCLEAK, which, if exploited properly, allows the attacker to clone affected devices. However, exploitation is unlikely as Roche had to use equipment worth €11,000 and needed physical access to the key.
Yubikeys has acknowledged the vulnerability in a security advisory. The company claims a medium-severity vulnerability with a CVE ID assignment in process and a CVSS score of 4.9 causes the problem. The advisory further claims that an attacker may need additional information, such as account name, account password, device PIN, or YubiHSM authentication key, in addition to access to specialised equipment and physical access to the device.
Roche describes his attack in an 88-page PDF report. First, the attacker steals the victim’s account credentials for a given FIDO-protected account with a phishing attack. Then, the attacker needs to gain physical access to the key and send authentication requests to the device as many times as necessary while performing side-channel measurements.
A side-channel attack run on these measurements can extract the Elliptic Curve Digital Signature Algorithm (ECDSA) private key linked to the victim’s account. This allows the attacker to log into the victim’s account without the FIDO device or victim noticing, essentially cloning the security key. The clone will provide access to the victim’s account as long as its authentication credentials aren’t revoked.
In the News: Predator spyware returns after sanctions against Intellexa fail