September 4, 2024 at 08:36AM
NinjaLab demonstrated the Eucleak attack, exploiting a vulnerability in third-party cryptographic libraries to clone YubiKey hardware authentication devices. The attack requires physical access and equipment to extract the cryptographic key, but Yubico has issued a security advisory and implemented firmware updates to mitigate the issue. Infineon is also working on a patch.
Based on the meeting notes, here are the key takeaways:
1. YubiKey security keys can be cloned using a side-channel attack leveraging a vulnerability in a third-party cryptographic library, referred to as Eucleak.
2. The attack was demonstrated by NinjaLab, a company focused on security of cryptographic implementations. Yubico, the developer of YubiKey, has published a security advisory in response to the findings.
3. The vulnerability affects YubiKey devices that use an impacted Infineon cryptographic library, but devices running the latest firmware versions are not impacted.
4. The attack scenario requires physical access to the victim’s YubiKey device for a limited time, during which an attacker obtains measurements using an oscilloscope from the Infineon security microcontroller chip inside the device.
5. Once the attack is completed, the obtained private key can only be used to clone the YubiKey for the targeted online account, as long as the legitimate user does not revoke its authentication credentials.
6. Yubico had been in the process of replacing the impacted Infineon crypto library with its own library in order to reduce supply chain exposure.
7. NinjaLab stated that Infineon has been informed about the findings and has been working on a patch, but added that the patched cryptolib had not yet passed a CC certification.
8. NinjaLab had also previously demonstrated a similar side-channel attack on Google’s Titan Security Keys.
The information in the notes indicates the seriousness of the vulnerability and the ongoing efforts by Yubico and Infineon to address and mitigate the issue.