A critical security flaw has been discovered that affects multiple YubiKey two-factor authentication devices, compromising their security without a patch in sight. Yubico’s safety message confirmed that Yubikey 5 and Security Key Series before firmware 5.7 are always vulnerable to high-level cloning attacks. However, the average user should not be too concerned about this vulnerability.
The Yubikey 5 series, YubiHSM 2, and other two-factor authentication products from Yubico and other vendors that utilize the Infineon SLB96xx series TPM chip are vulnerable to a newly discovered attack. Security researchers at NinjaLab Yubikey 5 products were tested — because they are the most popular FIDO authenticators — and a bug in the Infineon library was found to allow bad actors to clone keys. All Infineon chips dating back 14 years that support any version of the crypto library are vulnerable to the same attack.
FIDO devices with physical two-factor authentication, such as Yubikeys, are an incredibly valuable convenience for users who want to save time compared to using an authenticator app when logging into secure computers, websites, or apps. Potential users range from government employees with sensitive secrets to people who have nothing to hide but think it’s chilly to turn on their computer with a key.
This cloning attack is a earnest weakness in any 2FA tool, although the materials needed to carry it out make this weakness a non-issue for most consumers. The attack first requires bad actors to obtain the key, at which point the key is completely compromised. Then, once the key is cracked, the Yubikey device must be connected to a $45,000 setup (although the researchers believe an $11,000 setup would work just fine) to read electromagnetic side-channel measurements. This process takes an hour to capture EM emissions, and then a day to clone the key. Now that the Infineon chip has been successfully cracked, the key can be cloned, and the original can be reassembled and fraudulently returned to its owner.
The complexity of the steps required to carry out an attack makes the real-world risk close to zero for most Yubikey owners. However, those with highly sensitive information, such as government employees, journalists, or healthcare workers, may need to consider retiring affected hardware in favor of newer hardware without the vulnerability. When we reached out to Yubico for comment, a company spokesperson provided the following responses:
“This issue was discovered in the Infineon cryptographic library used in older versions of Yubico devices. Yubico’s latest YubiKey 5 Series and Security Key Series security keys, which are currently available for purchase on Yubico.com, include firmware 5.7. Firmware 5.7 includes Yubico’s own cryptographic library, and these new devices are not affected by the Infineon vulnerability.
FIDO is the strongest, phishing-resistant protocol. Yubico (and the researchers in their report) strongly recommend continuing to use FIDO authenticators over weaker authentication methods such as OTP or SMS.
To help avoid local and physical threats, users should continue to take precautions to maintain physical control of their YubiKeys. In the event that a YubiKey is lost or stolen, users should always immediately deregister keys from associated applications and services. This also supports the recommended best practice of having a primary and backup key.“
Yubico has been selling products with firmware 5.7.0 and newer since May of this year. For security reasons, the firmware cannot be backdated to older products, so those interested in replacing affected products should look to Yubico products with firmware 5.7.0 or newer or other 2FA key manufacturers.
