September 4, 2024 at 01:51PM
A new security flaw called “EUCLEAK” has been discovered in FIDO devices utilizing the Infineon SLE78 security microcontroller, such as the Yubico YubiKey 5 Series. The flaw allows attackers to extract secret keys and clone the FIDO device using a side-channel attack, requiring specialized equipment and a high level of expertise. Yubico has issued advisories and recommendations for affected devices and suggests alternative security measures. Additionally, the flaw impacts other products utilizing Infineon’s SLE78 microcontroller, such as TPMs, smart cards, IoT devices, and cryptocurrency hardware wallets.
Based on the meeting notes, the EUCLEAK flaw impacts FIDO devices that use the Infineon SLE78 security microcontroller, such as Yubico’s YubiKey 5 Series. The flaw allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys. However, the attack requires extended physical access, specialized equipment, and a high level of understanding of electronics and cryptography, which significantly mitigates the risk. Yubico has responded to EUCLEAK, noting that the flaw impacts specific YubiKey models running firmware versions older than 5.7.0. Yubico has rated the issue as moderate, with a CVSS score of 4.9, reflecting its low risk. The company recommends using RSA signing keys instead of elliptic curve (ECC) signing keys and limiting the maximum session duration from the identity provider settings to require more frequent FIDO authentications. Additionally, the issue impacts other products including Infineon TPMs, used in smartphones, tablets, and some laptop models, as well as the Feitian A22 JavaCard and other devices utilizing the Infineon SLE78 microcontroller.