NinjaLab, a security research company discovered the weakness this would allow bad actors to clone YubiKeys. As the company explained in a safety adviceNinjaLab discovered a vulnerability in the cryptographic library used in the program YubiKey 5 series. Specifically, he found a cryptographic flaw in the microcontroller, which security researchers described as something that “generates/stores secrets and then performs cryptographic operations” for security devices like bank cards and FIDO hardware tokens. YubiKeys are the most popular FIDO authentication keys, and they’re supposed to make accounts more secure because users will have to connect it to their computer before logging in.
The researchers explained how they discovered the vulnerability because they found an open platform based on Infineon’s cryptographic library used by Yubico. They confirmed that all YubiKey 5 models can be cloned and also stated that the vulnerability is not limited to the brand, although they have yet to test and clone other devices.
This vulnerability has gone unnoticed for 14 years, but just because it’s out now doesn’t mean anyone can use it to clone YubiKeys. To begin with, bad actors must have physical access to the token they want to copy. Then they must disassemble it and use expensive equipment, including an oscilloscope, to “perform the side-electromagnetic side-channel measurements” needed to analyze the token. of researchers paperthey said their setup cost about $11,000 and that using more advanced oscilloscopes could raise the cost of the setup to $33,000. Additionally, attackers may still need their targets’ PINs, passwords, or biometrics to access specific accounts.
The bottom line is that users who are part of government agencies, or anyone dealing with very, very sensitive documents that could make them targets for espionage, need to be very careful with their keys. For regular users, the researchers wrote in their paper, “it’s still safer to use a YubiKey or other affected products, such as a FIDO hardware authentication token, to access apps rather than not using one.”
