워드프레스 "콘텐츠 열람 전 자동 광고 시스템"을 통해, 특정 웹페이지를 열람하기 위해 먼저 봐야 하는 사전 광고를 원하는 위치에 자유롭게 배치/설정할 수 있습니다
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel - Kims Media Press "Enter" to skip to content

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

Enlarge (credit: Yubico)

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contain the same vulnerability.

Patching not possible

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

Read 20 remaining paragraphs | Comments



Source : https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/