Researchers clone YubiKeys, many security microchips may be flawed


Security chips produced by Infineon Technologies, a major secure element manufacturer spanning multiple product lines, have been found vulnerable to side-channel attacks. Researchers disclosed that YubiKey, a hardware authentication device popular among crypto enthusiasts, can be cloned.

The flaw may also affect other security cards with microcontrollers, such as SIM cards or passport chips.

Security experts from NinjaLab disclosed a new side-channel attack affecting the YubiKey 5 series. They successfully tested the attack on YubiKey 5Ci, a versatile hardware key used to log in to many popular services.

ADVERTISEMENT

The flaw lies in the Infineon chips used for the device. The side-channel vulnerability has lurked unnoticed for 14 years and slipped through 80 “highest-level Common Criteria certification evaluations.”

The vulnerability extends to the recent security microcontrollers such as Infineon Optiga Trust M and Infineon Optiga TPM.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the authentication device manufacturer Yubico confirmed the findings in the security advisory.

Depending on the use case, the attacker may also require additional knowledge, such as a username, PIN, account password, or authentication key.

All YubiKeys released with firmware version 5.7 or earlier are vulnerable, and firmware updates are impossible.

However, the attack is not that easy for attackers. Not only would it require physical access to the chip, meaning that the device needs to be disassembled, but attackers would also need a fully functional electronics lab with equipment costing €10,000 ($11,000) and degrees in engineering and cryptography.

process-hack

Highly resourced attackers, such as nation-states, could, in theory, fit all the required equipment in a backpack using a small oscilloscope and a laptop.

ADVERTISEMENT

“The attack requires physical access to the secure element (few local electromagnetic

side-channel acquisitions, i.e., a few minutes are enough) in order to extract the ECDSA

(Elliptic Curve Digital Signature Algorithm) secret key,” NinjaLab’s report said.

Researchers assure users that it is still safer to use a YubiKey or other potentially impacted products, such as FIDO (Fast IDentity Online) hardware authentication tokens, to sign in to applications than not to use them.

The new YubiKey firmware 5.7 update, released on May 6th, 2024, switches from the Infineon cryptographic library to Yubico's new cryptographic library.

The attack scenario

The secure elements from the Infineon SLE78 family are “one of the most common in the field” used for banking and ID applications. They have components such as dual central processing units, memory management units, and memory encryption/decryption units.

The device with the affected chip must be in an adversary's hands. After opening the device and accessing the Infineon secure element, an attacker would need to put an electromagnetic probe and capture the chip’s signals while it performs ECFSA signature operations.

Infineon implementation leaks information about the secret keys as its mathematical operations, called modular inversion, take different times to complete.

Once an attacker is done acquiring side-channel traces, which may take anywhere from a few minutes to an hour, depending on the whole process and skill, the device may be re-packaged and returned to the legitimate user. Later, an attacker can retrieve the secrets from them offline.

ADVERTISEMENT

“The offline phase took about 24 hours in total for us. The vast majority of this time is

spent in a by-hand process that should be automatized. The rest is the iteration detection

and splitting of the traces (a few seconds), the attack process on the extracted leakages (a few

minutes), and the discreet logarithm computation (a few seconds). With enough engineering

work, this offline step should take less than an hour,” the researchers estimate.

They suspect that the vulnerability affects all Infineon security microcontrollers embedding Infineon crypto lib 1. Therefore, any system relying on ECDSA running on an affected microcontroller might be at risk. These include cryptocurrency hardware wallets, ID cards, passports, health cards, IoT devices, and even cars or home security products.

According to the report, Infineon is working on risk mitigation.