close
close

Hackers Clone YubiKeys With New Side-Channel Exploit

In a successful attack scenario, a bad actor would steal a user’s login ID and password (via phishing or other means) and then gain physical access to their token without their knowledge. They would then send authentication requests to the token while recording measurements on the side token. Once the device is returned, they could then launch a side-channel attack to extract the Elliptic Curve Digital Signature Algorithm (ECDSA) associated with the account. This gives them undetected access.

“Let’s say an attacker is able to steal your YubiKey, open it up to access the motherboard, use a EUCLEAK attack, and then repackage the original YubiKey so that you don’t realize you’ve lost it,” Roche said. “The attacker can then build a clone of your authentication factor—a copy of your own YubiKey. You feel safe when you really aren’t.”

The cryptographic flaw that makes this possible exists in a small microcontroller in the device, and it affects all YubiKeys and Security Keys with firmware earlier than version 5.7 (which was released in May). It also affects versions of the YubiHSM 2 earlier than 2.4.0 (which was released this week).