Vulnerability given moderate severity rating.
A newly disclosed side-channel vulnerability in YubiKey 5 authentication devices would require a great deal of expertise to exploit.
NinjaLab researcher Thomas Roche wrote in a blog post that all YubiKey 5 Series devices with firmware versions below 5.7 are affected by the “Eucleak” vulnerability, as are the Infineon microchips that run the Infineon cryptographic library used in those devices. YubiKey firmware is not field-upgradeable, so a device that shipped with an earlier version remains affected for its lifetime.
Hardware Vulnerability
According to SC US, the flaw lies in the cryptographic library used by the YubiKey 5 firmware and affects the ECDSA signing that FIDO2/WebAuthn authentication relies on. An attacker able to measure the side channel while the key is in use could recover the private key and so clone the credential.
However, Roche specifically said that the attack requires physical access to the secure element in order to extract the Elliptic Curve Digital Signature Algorithm (ECDSA) secret key, and that the attacker would need to tamper with or modify the device firmware to exploit the vulnerability.
In practice, a recovered key would let an attacker bypass authentication or impersonate the user with a spoofed credential, but the attack is complex and requires physical access to the device.
Moderate Severity
In an update, YubiKey maker Yubico acknowledged the vulnerability and rated its severity as ‘moderate’.
“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” it said, adding that an attacker would need physical possession of the key, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack.
“The moderate vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default,” it said. “YubiKey PIV and OpenPGP applications and YubiHSM 2 usage may also be impacted depending on configuration and algorithm choices by the end user.
“As part of ongoing improvements in Yubico products and to reduce exposure to our supply chain, the dependency on Infineon’s cryptographic library has been removed in favor of Yubico’s own cryptographic library.”
Yubico recommended that users exercise due diligence when installing software on their devices and maintain control of their YubiKeys. If a YubiKey is lost or stolen, deregister it immediately from all services and fall back to backup YubiKeys or other authentication methods.
Callie Guenther, senior manager of threat research at Critical Start, told SC US that security teams should take the following steps to protect their organizations:
Firmware Updates: Ensure all YubiKeys and similar devices are updated to the latest firmware version that no longer uses the vulnerable Infineon cryptographic library (version 5.7 or later). Devices using earlier firmware are vulnerable.
Physical Security: Protect hardware tokens from being accessed by unauthorized personnel. Since this attack requires physical access, limiting who can handle devices is crucial.
Session Management: Security teams should enforce shorter session lifetimes and require frequent re-authentication, making it harder for attackers to use cloned keys unnoticed.
Key Rotation and Monitoring: Keep track of where YubiKeys are registered, and if a key gets lost or potentially compromised, revoke its access immediately. Organizations should adopt a process to quickly rotate credentials when a key is suspected to be compromised.
User Education: Inform users about the potential risks associated with their hardware tokens and ensure they are aware of proper security hygiene, such as using PINs or biometric verification where applicable.
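The firmware check a practitioner would run to act on the two points above, the 5.7 threshold from Roche's post and the firmware-update step in Guenther's list, as an added example that is not code from the article, from NinjaLab or from Yubico: it parses the output of Yubico's `ykman info` command and flags YubiKey 5 Series devices reporting firmware below 5.7, listing which of the applications Yubico named as potentially impacted are enabled on the device. The layout of `ykman info` used here and the mapping of its application labels to those use cases are assumptions, and the two sample outputs are constructed rather than captured from real devices.

```python
"""Flag YubiKey 5 Series devices on firmware below 5.7 from `ykman info` output.

Added example; not code from the article, NinjaLab or Yubico.  The layout of
`ykman info` assumed below comes from the ykman CLI; the sample outputs are
constructed, not captured from real devices.
"""
import re
import sys

# Threshold reported in the article: YubiKey 5 Series firmware below 5.7
# still uses the affected Infineon cryptographic library.
FIXED_FIRMWARE = (5, 7)

# Assumption: ykman's labels for the use cases Yubico named as impacted
# (FIDO by default; PIV and OpenPGP depending on configuration).
IMPACTED_APPS = {"FIDO U2F", "FIDO2", "PIV", "OpenPGP"}

# Constructed sample: a device still on pre-5.7 firmware.
SAMPLE_AFFECTED = """\
Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
Yubico OTP      Enabled         Enabled
FIDO U2F        Enabled         Enabled
FIDO2           Enabled         Enabled
OATH            Disabled        Disabled
PIV             Enabled         Enabled
OpenPGP         Disabled        Disabled
YubiHSM Auth    Enabled         Enabled
"""

# Constructed sample: a device shipped with the fixed firmware line.
SAMPLE_FIXED = """\
Device type: YubiKey 5C NFC
Serial number: 87654321
Firmware version: 5.7.1
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
Yubico OTP      Enabled         Enabled
FIDO U2F        Enabled         Enabled
FIDO2           Enabled         Enabled
PIV             Enabled         Enabled
"""


def parse_version(text):
    """'5.4.3' -> (5, 4, 3); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_ykman_info(output):
    """Pull device type, serial, firmware tuple and enabled apps from ykman output."""
    info = {"device": None, "serial": None, "firmware": None, "enabled_apps": set()}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device type:"):
            info["device"] = line.split(":", 1)[1].strip()
        elif line.startswith("Serial number:"):
            info["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Firmware version:"):
            info["firmware"] = parse_version(line.split(":", 1)[1])
        elif line.startswith("Applications"):
            in_table = True  # header of the per-interface application table
        elif in_table and line.strip():
            # Rows are "<name> <USB state> [<NFC state>]", split by tabs or runs of spaces.
            cols = [c for c in re.split(r"\t|\s{2,}", line.strip()) if c]
            if len(cols) >= 2 and "Enabled" in cols[1:]:
                info["enabled_apps"].add(cols[0])
    if info["firmware"] is None:
        raise ValueError("no 'Firmware version:' line in ykman output")
    return info


def assess(output):
    """Return (info, status, exposed_apps).

    status is "affected" for a YubiKey 5 Series device below 5.7, "fixed" for
    one at 5.7 or later, and "out of scope" for other device types, since the
    article's threshold only covers the 5 Series.  exposed_apps lists enabled
    applications from IMPACTED_APPS and is empty unless status is "affected".
    """
    info = parse_ykman_info(output)
    if not (info["device"] or "").startswith("YubiKey 5"):
        return info, "out of scope", []
    affected = info["firmware"][:2] < FIXED_FIRMWARE
    status = "affected" if affected else "fixed"
    exposed = sorted(info["enabled_apps"] & IMPACTED_APPS) if affected else []
    return info, status, exposed


def report(output):
    """One-line summary per device, suitable for an inventory of registered keys."""
    info, status, exposed = assess(output)
    fw = ".".join(str(n) for n in info["firmware"])
    line = f"{info['device']} serial {info['serial']} firmware {fw}: {status}"
    if exposed:
        line += " (enabled impacted apps: " + ", ".join(exposed) + ")"
    return line


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: run the constructed samples.
        # Real use:  ykman info | python eucleak_check.py
        for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED):
            print(report(sample))
    else:
        print(report(sys.stdin.read()))
```

Run it once per key with `ykman info` piped in and keep the serial numbers from the output against the list of services each key is registered with; a device reported as affected is a candidate for replacement and deregistration rather than for a firmware update.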
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.