Older YubiKeys compromised by unpatchable 2FA bug — side-channel attack is critical, but expensive and difficult to execute

Yubico's YubiKey with 5.7 firmware
(Image credit: Yubico)

A critical security vulnerability has been discovered affecting many YubiKey two-factor authentication devices, breaking their security with no patch in sight. Yubico's security advisory confirmed that Yubikey 5 and Security Key Series prior to firmware 5.7 are forever vulnerable to a high-level cloning attack. However, the average user should not worry too much about the vulnerability.

Yubikey 5 series, YubiHSM 2, and other two-factor authentication products by Yubico and other vendors utilizing the Infineon SLB96xx series TPM chip are vulnerable to the newly found attack. Security researchers at NinjaLab tested Yubikey 5 products — due to them being the most common FIDO authenticator tools — and found that an issue in Infineon's library allows bad actors to clone the keys. All Infineon chips, going back 14 years, which run any version of its cryptographic library, are vulnerable to the same attack.

Physical two-factor authentication FIDO devices like Yubikeys are hugely valuable conveniences for users who want to save time compared to using an authenticator app when logging into secure computers, websites, or apps. Potential users include anywhere from government workers with sensitive secrets to those with nothing to hide but think turning on their computer with a key is cool. 

This cloning attack is a severe weakness for any 2FA tool, though the materials needed to perform it make the weakness a non-issue for most consumers. The attack first requires bad actors to obtain the key, at which point the key is already completely compromised. Then, after opening the key, the Yubikey device must be connected to a $45,000 setup (though researchers believe an $11,000 setup would function just fine) to read electromagnetic side-channel measurements. This process takes an hour to capture EM emissions and then a day to clone the key. Now that the Infineon chip has been successfully breached, the key can be cloned, and the original can be reassembled and sneakily returned to its owner.

The complexity of the steps required to perform the attack makes its real-world risk close to zero for most owners of a Yubikey. However, those with highly sensitive information, such as government employees, journalists, or healthcare workers, may need to consider phasing out affected hardware for newer hardware without the vulnerability. When we asked Yubico for comment, a company spokesperson gave the following:

"This issue was discovered in Infineon's cryptographic library, which is used in older versions of Yubico devices. Yubico's latest YubiKey 5 Series and Security Key Series hardware security keys that are currently available for purchase on Yubico.com include 5.7 firmware. The 5.7 firmware contains Yubico's own cryptographic library and these new devices are not impacted by Infineon's vulnerability.

FIDO is the strongest, phishing-resistant protocol. Yubico (and the researchers in their report) highly recommend continued use of FIDO authenticators over weaker authentication methods like OTP or SMS.

To help avoid local and physical threats, users should continue to take precautions to maintain physical control of their YubiKeys. In the event a YubiKey is lost or stolen, users should always promptly deregister keys with associated applications and services. This also supports the recommended best practice of having a primary and a backup key."

Yubico has been selling products with its 5.7.0 firmware and newer since May of this year. For security reasons, the firmware cannot be retroactively updated to older products, so those interested in replacing affected products should look to Yubico products with firmware 5.7.0 or newer or to other 2FA key manufacturers. 

Dallin Grimm
Contributing Writer

Dallin Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Dallin has a handle on all the latest tech news. 

  • Dingledooda
    Just waiting for people who don't read the article or Security Advisory to start yelling the sky is falling and everyone's Yubikeys are now useless lol.
    Reply
  • Pierce2623
    A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
    Reply
  • newtechldtech
    Pierce2623 said:
    A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
    it is ... if they are after your bank account for example.
    Reply
  • Dingledooda
    newtechldtech said:
    it is ... if they are after your bank account for example.
    If they are after your bank account they arn't going to break into your home and steal your Yubikey, open it and spend the time cloning it, putting it back together (somehow in a way you don't know it was ever opened) then break back into your home and replace it (hoping you didn't notice it was gone) then at some point in the future use their clone to clean out your bank account.

    If they've broken into your home and have the Yubikey then that's it they're just gonna use it to clean out your bank account, they arn't gonna bother with cloning it and returning it because there isnt any point.
    Reply
  • tamalero
    Pierce2623 said:
    A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
    it is if you're a giant company ( corporate spy), a government or military related operation (like Raytheon , aka good old spy ops)
    Reply
  • purposelycryptic
    newtechldtech said:
    it is ... if they are after your bank account for example.
    To take advantage of the vulnerability, they already need to have stolen your key. The key that is your form of 2FA. They already have everything they need at that point, assuming they also have your login information (and without that, the key itself would be useless).

    This vulnerability only allows them to duplicate the key, using expensive hardware, highly specific technical expertise, and at least a day's worth of time. There is absolutely no reason to go through all that if they just want access to your bank account, since they would already have the key, and therefore access to your bank account.

    The only scenarios in which this would be useful is those in which you covertly duplicate the key without the target realizing it happened, which would involve stealing the key, disassembling the key (which you can't really do non-destructively), spending a day to get access to it so you can clone it, then somehow reassembling it into its original state and returning it to its original location without anyone noticing anything happened.

    And even then, it wouldn't be useful for robbing your bank account, since you would immediately notice something is wrong, and deauthorize the key; they could achieve the exact same thing with the original one. So the only actions it would be beneficial for is ones the target won't realize are happening, which would mainly be espionage, specifically long term access to confidential data via the target's accounts.

    It's still not a good thing, but it only presents an increased risk for those in very specific circumstances.
    Reply
  • speculatrix
    Dingledooda said:
    Just waiting for people who don't read the article or Security Advisory to start yelling the sky is falling and everyone's Yubikeys are now useless lol.
    who hasn't been to a KGB party and got blackout drunk for 36 hours allowing them time to copy the contents of your laptop and duplicate your 2FA token?
    Reply
  • DS426
    Pierce2623 said:
    A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
    Agreed, or more importantly, a compromised device due to physical possession makes any vulnerabilities effectively irrelevant; while vulns would make it easier and faster for the adversary to accomplish their goal of cloning or using the device itself, this is basically a purely academic security problem. Foreign government spies and military are going to be the only ones with the combination of resources and goals/need to carry out this kind of an attack. As for those with the highest level of secrets to protect, I'd assume they'd be using a different product anyways (more proprietary and/or not even commercially available on public marketplaces). As for healthcare and others mentioned in the article, no, not seeing a need to buy new Yubikeys just to resolve the "vulnerability."

    Even for thieves wanting to get into big bank accounts, social engineering and other methods would be more practical, reliable, and ultimately effectively, especially when you're talking about a scope between one or two people as casting a wider net is surely almost always more profitable on a profit-time-rate basis ($/day or however one presents the measurement).
    Reply
  • wingfinger
    I was thinking about one of these a while ago.

    There was a question as to whether to keep it with you or to keep it at home.

    If you leave it at home, someone could enter without permission and steal your key.

    If you keep it with you..... They don't look too robust to be on a keyring. It could become damaged, and that could be troublesome. And, they aren't super cheap. Otherwise, you could lose it or your keyring somehow. Then it can be acquired without theft.

    I also thought that people might be less suspicious of unusual activity if they knew a key was involved.

    If you don't use one of these specialized keys, one might use your phone. But people can call up telecom companies and convince them to ship them a new phone with "your" number. (It's their number that they let you use.)

    Then there is good ol bad email authentication, and passwords.

    The problem is not solved.

    Guess what, it's the future now and everything has to be done online.

    When something goes wrong, the problem isn't that they were fooled, it is that your account was stolen.

    Sometimes you are not responsible for actions on stolen accounts, but this is, after, they agree.
    Reply