#Yubikey-Seitenkanal: Weitere Produkte für Cloning-Attacke anfällig | Security https://www.heise.de/news/EUCLEAK-Weitere-Produkte-fuer-Cloning-Attacke-anfaellig-10078520.html #EUCLEAK #Hacking

"We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
https://ninjalab.io/eucleak/
#eucleak #yubikey5

YubiKey 還在出清有問題的版本

在「YubiKey still selling old stock with vulnerable firmware」這邊看到的，有人提到 YubiKey 還在賣有問題的版本，裡面提到的 blo

https://blog.gslin.org/archives/2024/11/15/12066/yubikey-%e9%82%84%e5%9c%a8%e5%87%ba%e6%b8%85%e6%9c%89%e5%95%8f%e9%a1%8c%e7%9a%84%e7%89%88%e6%9c%ac/

#Computer #Hardware #Murmuring #Security #Software #attack #channel #compliance #eucleak #fips #firmware #hardware #security #side #sidechannel #sidechannel #vulnerability #vulnerable #yubico #yubikey

#Ninjalab also has their own site about their #EUCLEAK research: https://ninjalab.io/eucleak/

Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

There are two phases to the attack:

(1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

(2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

#ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

We've update our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

https://www.nytimes.com/wirecutter/reviews/best-security-keys/

This Week in Security: EUCLEAK, Revival Hijack, and More https://hackaday.com/2024/09/06/this-week-in-security-eucleak-revival-hijack-and-more/ #ThisWeekinSecurity #HackadayColumns #SecurityHacks #RevivalHijack #EUCLEAK #News

USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: https://securityboulevard.com/2024/09/fwbifx/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc #EUCLEAK

i want to know, which companies/agencies were doing this highest level common criteria certification evaluation for the #infineon library that had this side-channel. #eucleak #ecdsa

Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

#WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

https://sekurak.pl/mozna-klonowac-klucze-yubukey-5-podatne-sa-klucze-z-firmware-5-7-wymagany-fizyczny-dostep/

Even more luck to those who will now try frantically to switch their PCs bitlocker TPM from a potentially vulnerable Optima to the fTPMs on their CPU … #eucleak

Good luck to everyone out there trying to identify if their smartcard, building access card, TPM or HSM use the vulnerable ECDSA library from Infineon! #eucleak https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

(2 of 2) An outstanding question is: which other keys / firmware versions are affected? Likely any keys using Infineon SLE78, Optiga Trust M, orInfineon Optiga TPM plus the Infineon crypto libraries. I assume that Google's Titan keys have Google's own crypto libraries (but I don't actually know that).

Links:

Researcher:
https://ninjalab.io/eucleak/

Infineon:
?

Yubico (affected):
https://www.yubico.com/support/security-advisories/ysa-2024-03/
https://support.yubico.com/hc/en-us/articles/15705749884444-Infineon-ECDSA-Private-Key-Recovery-Customer-Resources

Google (write their own firmware?):
?

FEITIAN (Unaffected?):
From NinjaLAb writeup PDF: "Feitian explains that the Feitian A22 JavaCard has been updated years ago and
none of their products is impacted."

Google (vulnerable hardware?)
https://infosec.exchange/@maxeddy/113092117674749246
"Also, Google confirmed to us that the current version of its Titan keys uses the SLE78 that NinjaLabs used in their attack. Google told us that it will start providing a version of the Titan that won't be vulnerable to the attack 'soon.' "

HID (?):
?

Kensington(?):
?

Ledger (at least one report of using STMicroeelctronics, not Infineon):
?

NitroKey (stated as unaffected in email):
https://gist.github.com/roycewilliams/4d100719f033cc1b1aa9fad084b74a97

Nordic (?):
?

Solo Keys (?):
?

Thales (?):
?

Thetis: (?):
?

Trezor (at least one report of using Infineon):
?

TrustKey (formerly eWBM)
(probably unaffected, own MCU)
https://www.trustkeysolutions.com/en/sub/product.form
(No official response link)

Commentary:
https://abyssdomain.expert/@filippo/113074626948195938

News/threads:

https://www.reddit.com/r/yubikey/comments/1f83qv4/eucleak_sidechannel_attack_on_the_yubikey_5_series/

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

"The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low."

https://infosec.exchange/@dangoodin/113074992609951759

"While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability."

https://news.ycombinator.com/item?id=41434500

https://securityboulevard.com/2024/09/fwbifx/

https://www.theverge.com/2024/9/4/24235635/yubikey-unfixable-security-vulnerability-side-channel-explot

https://shkspr.mobi/blog/2024/09/some-thoughts-on-the-yubikey-eucleak-vulnerability/

https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/

https://www.tomshardware.com/tech-industry/cyber-security/older-yubikeys-compromised-by-unpatchable-2fa-bug-side-channel-attack-is-critical-but-expensive-and-difficult-to-execute

https://www.wired.com/story/yubikey-vulnerability-cloning/

https://www.nytimes.com/wirecutter/reviews/best-security-keys/

Wallets and their secure element hardware:
https://bitcointalk.org/index.php?topic=5304483.0

#YubiKey #EUCLeak #Infineon #YSA202403 #YSA_2024_03