YubiKey FIDO authenticators could be abused through unpatchable cryptographic flaw

(Image credit: Yubico)

All physical multi-factor authentication (MFA) keys that work on Infeneon’s SLE78 microcontroller were said to be vulnerable to a cryptographic flaw which allows threat actors to clone the gadget and gain unabated access to restricted accounts. This includes the YubiKey 5, considered the most widely used hardware token based on the FIDO standard.

In an in-depth technical analysis, researchers from NinjaLab described how they discovered the flaw, and what it means for those using YubiKey 5. As explained, the SLE78 microcontroller implements the Elliptic Curve Digital Signature Algorithm (ECDSA) as its core cryptographic primitive. In short, ECDSA is a cryptographic algorithm used to create digital signatures, and if a hacker is able to read this signature, then they are able to undermine the security of the entire token.

And that’s exactly what NinjaLab did, by employing a technique known as “side-channel”. This is a type of security attack in which hackers exploit information gained from the physical implementation of a computer system, rather than weaknesses in the implemented algorithms. These attacks gather information by observing how a system operates, such as its timing, power consumption, electromagnetic emissions, or even sound.

YubiKey 5 not so easily exploited

With SLE78, generating a different ephemeral key takes varying amounts of time, and this is something the researchers were able to read, and from it clone their own YubiKey 5 (this is a super simplified explanation).

It is definitely a major vulnerability, but one that is not that easy to replicate in the wild. The attacker would need to know the victim’s login information first, and have physical access to the MFA token. Then, they would need to tear the token apart in order to access the hardware within, and use $11,000 worth of equipment to do the reading. The reading itself, and the process of cloning the device, only takes a few minutes.

This isn’t something your average hacker could abuse, but a nation-state - absolutely. It’s also worth mentioning that there is no patch, or fix - all YubiKey 5 devices running firmware prior to version 5.7 are permanently vulnerable.

Via Ars Technica

More from TechRadar Pro

Uncovering the cybersecurity industry’s senseless fixation with security keys
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.