All physical multi-factor authentication (MFA) keys running on Infeneon’s SLE78 microcontroller are said to be vulnerable to a cryptographic flaw that allows threat actors to clone the device and gain unrestricted access to restricted accounts. This includes the YubiKey 5, considered the most widely used hardware token based on the FIDO standard.
In an in-depth technical analysis, NinjaLab researchers described how they discovered the flaw and what it means for those using the YubiKey 5. As explained, the SLE78 microcontroller implements the Elliptic Curve Digital Signature Algorithm (ECDSA) as its primary cryptographic primitive. In short, ECDSA is a cryptographic algorithm used to create digital signatures, and if a hacker can read this signature, they can undermine the security of the entire token.
And that’s exactly what NinjaLab did, employing a technique known as “side channel.” This is a type of security attack in which hackers exploit information gleaned from the physical implementation of a computer system, rather than weaknesses in the implemented algorithms. These attacks gather information by observing how a system operates, such as its timing, power consumption, electromagnetic emissions, or even sound.
YubiKey 5 is not so easy to exploit
With SLE78, generating a different ephemeral key takes different amounts of time, and this is something the researchers were able to read and clone their own YubiKey 5 from (this is a super-simplified explanation).
This is certainly a significant vulnerability, but it is not so easy to replicate in real life. The attacker would first need to know the victim's login information and have physical access to the MFA token. They would then have to dismantle the token to access the hardware inside it and use $11,000 worth of equipment to perform the reading. The reading itself and the process of cloning the device only takes a few minutes.
This isn't something a regular hacker can exploit, but a nation-state certainly can. It's also worth mentioning that there is no patch or workaround: all YubiKey 5 devices running firmware older than version 5.7 are permanently vulnerable.
Through Art-Technica