September 4, 2024 at 01:59PM
A new “EUCLEAK” flaw affects FIDO devices, such as Yubico’s YubiKey 5 Series, using the Infineon SLE78 microcontroller, allowing attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys. The attack requires extended physical access and specialized equipment, limiting the risk to highly sophisticated, state-sponsored threat actors against high-value targets. Update to firmware versions 5.7.0 or 2.4.0 to mitigate the flaw, or use RSA signing keys instead of ECC. Other impacted products include Infineon TPMs, Feitian A22 JavaCard, e-passports, cryptocurrency hardware wallets, IoT devices, and any FIDO devices using Infineon’s SLE78.
Based on the meeting notes, here are the key takeaways:
1. A new security flaw named EUCLEAK has been discovered in FIDO devices using the Infineon SLE78 security microcontroller, such as Yubico’s YubiKey 5 Series.
2. The flaw allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys and clone the FIDO device, but it requires extended physical access, specialized equipment, and a high level of understanding of electronics and cryptography.
3. Yubico has responded to EUCLEAK, identifying the impacted models of YubiKey 5 Series devices and providing guidance to users on how to check if their devices are affected.
4. Yubico recommends using RSA signing keys instead of elliptic curve (ECC) signing keys and suggests limiting the maximum session duration from the identity provider settings to require more frequent FIDO authentications to mitigate the flaw.
5. EUCLEAK also impacts other Infineon products, such as TPMs, smart cards, IoT devices, and cryptocurrency hardware wallets that use the Infineon SLE78 microcontroller.