
What is the YubiKey vulnerability?

September 10, 2024 | Victoria Savage


The announcement of a YubiKey vulnerability is making headlines as researchers uncover a method for cloning the popular phishing-resistant security keys. But what does this vulnerability involve, and how much can it compromise your security?

Continue reading to learn more about this YubiKey vulnerability.

What is a YubiKey?

YubiKeys are a type of security key made by the company Yubico. They use the WebAuthn/FIDO2 protocol to provide secure, phishing-resistant multi-factor authentication and passwordless authentication.

What is the YubiKey vulnerability?

On September 3, 2024, Yubico announced that a vulnerability had been discovered that affects the hardware of some YubiKeys. The vulnerability itself lies in the cryptographic library that the keys use, which was created by Infineon.

NinjaLab, the researchers who discovered the vulnerability, are calling it “EUCLEAK”, and say that it has been present in the cryptographic library for the past 14 years.

EUCLEAK is a “side-channel” vulnerability, and it gives threat actors the ability to clone YubiKeys. The attack itself takes only a few minutes to carry out, but it requires the attacker to have physical possession of the token they want to clone.

Which YubiKey products are affected?

Yubico has stated that the following YubiKeys are confirmed to be affected by the vulnerability:

  • YubiKey 5 Series versions prior to 5.7
  • YubiKey 5 FIPS Series prior to 5.7
  • YubiKey 5 CSPN Series prior to 5.7
  • YubiKey Bio Series versions prior to 5.7.2
  • Security Key Series all versions prior to 5.7
  • YubiHSM 2 versions prior to 2.4.0
  • YubiHSM 2 FIPS versions prior to 2.4.0

To find out whether your YubiKey is impacted, check its model and firmware version in the Yubico Authenticator and compare them against the list above.
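For anyone triaging more than a handful of keys, the affected-version list above can be turned into a small script. The following is an added example, not code from the original post or from Yubico; the thresholds are those published in the list above, while the series names, the inventory tuple layout and the serial numbers in the sample inventory are constructed for illustration.

```python
"""Triage a YubiKey/YubiHSM inventory against the EUCLEAK affected-version list."""
from typing import List, Tuple

# First fixed firmware per series, per Yubico's list: anything *below* is affected.
# Series labels are an assumption for this example; match them to your inventory.
FIXED_IN = {
    "YubiKey 5 Series": (5, 7),
    "YubiKey 5 FIPS Series": (5, 7),
    "YubiKey 5 CSPN Series": (5, 7),
    "YubiKey Bio Series": (5, 7, 2),
    "Security Key Series": (5, 7),
    "YubiHSM 2": (2, 4, 0),
    "YubiHSM 2 FIPS": (2, 4, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.3' into (5, 4, 3). Comparing integer tuples instead of strings
    avoids the classic bug where '5.10' sorts before '5.7'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"bad version string: {text!r}")
    return parts


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '5.7' and '5.7.0' compare as equal."""
    return version + (0,) * (width - len(version))


def is_affected(series: str, firmware: str) -> bool:
    """True when the device's firmware is below the fixed version for its series."""
    if series not in FIXED_IN:
        raise ValueError(f"unknown series: {series!r}")
    fixed, have = FIXED_IN[series], parse_version(firmware)
    width = max(len(fixed), len(have))
    return _pad(have, width) < _pad(fixed, width)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the serials of affected devices from (serial, series, firmware) rows."""
    return [serial for serial, series, fw in inventory if is_affected(series, fw)]


# Constructed sample inventory (serials are made up), as recorded from the
# model and firmware version shown by Yubico Authenticator.
SAMPLE_INVENTORY = [
    ("1000001", "YubiKey 5 Series", "5.4.3"),     # below 5.7 -> affected
    ("1000002", "YubiKey 5 Series", "5.7.1"),     # fixed
    ("1000003", "YubiKey Bio Series", "5.7.1"),   # Bio needs 5.7.2 -> affected
    ("1000004", "YubiKey Bio Series", "5.7.2"),   # fixed
    ("1000005", "Security Key Series", "5.2.7"),  # affected
    ("1000006", "YubiHSM 2", "2.4.0"),            # fixed
]

if __name__ == "__main__":
    print("affected serials:", triage(SAMPLE_INVENTORY))
```

Because affected devices cannot be patched, the output is a replacement list rather than an upgrade list.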

Are other security keys affected?

As the vulnerability originates from the Infineon cryptographic library, rather than Yubico specifically, researchers believe that any security keys that also use that library are likely affected.

This includes all devices using these three microcontrollers:

  • Infineon SLE78
  • Infineon Optiga Trust M
  • Infineon Optiga TPM

How can the YubiKey vulnerability be fixed?

Unfortunately, there is no patch for the EUCLEAK vulnerability. The firmware at the root of the issue cannot be updated, so existing YubiKeys built with this vulnerability cannot be fixed; the only remedy is replacement with a device running a fixed firmware version.

Is security key authentication still safe?

Despite this new vulnerability, security key authentication remains one of the most secure forms of authentication.

Unlike password spraying and brute force attacks, this vulnerability can only be exploited by sophisticated attackers with time, money, and an advanced understanding of cryptographic engineering.

Additionally, if the YubiKey is being used as the second factor of authentication, a potential attacker also needs to acquire the username and password of the target account. And because many YubiKeys also require a PIN, and in some cases biometric information, to complete authentication, exploitation may be impossible in some deployments.

The future of security keys

Regardless of the likelihood of exploitation, it is good to be aware of the vulnerabilities and limitations of any authentication method. This is especially important in high-security environments like the military and critical infrastructure providers, who are already more likely to use advanced security authentication like FIDO2 security keys.

This vulnerability underscores the importance of a defense-in-depth strategy that doesn’t rely on just one type of cybersecurity protection, but rather a combination of factors to reduce your overall risk.
