YubiKeys - valnerable to cloning attacks

[MoparMiningLLC]

saw this article - I know a few people here use them.

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/


it does take quite a bit of sophistication and hardware so hopefully not widespread issue.

[_act_]

According to what I read on the link that you posted, all devices are vulnerable to the attack but the attacker needs to have physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. So I think people that are having such 2FA device should keep it safe.

Right from time I prefer authentication app instead which would be on a separate device.

[ABCbits]

A bit concerning, since few cryptocurrency wallet also support YubiKey these days. The news only mention someone who targeted by nation-states should be worried, although people who tons of assets/money using YubiKey probably should also be more careful.

[DaveF]

For the most part, if they need physical access to it you probably already have other problems with security if that happens.

And on top of that since it does require a lot more then just access to the device but a far amount of equipment and sophistication I would still be more concerned about the $5 wrench attack.

There will always be vulnerabilities in anything. But, your best defense is still common sense. If nobody knows you have BTC, nobody is going to try to steal your BTC.

-Dave

[dkbit98]

it does take quite a bit of sophistication and hardware so hopefully not widespread issue.

I don't know how complicated this is but I suspect many of this encryption algorithms have backdoor in them.
This could also affect more devices and maybe even some hardware wallets that have support for FIDO like ledger, trezor and maybe few others.
Another warning is that Optiga Trust M chip that is used in new Trezor Safe devices could also be affected, according to this artcile!

SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

Security Update: EUCLEAK

We've been alerted to a new side-channel vulnerability affecting the Optiga Trust M chip used in Trezor Safe series (Trezor Safe 3, Trezor Safe 5).

Please note: Your wallet backup (recovery seed) is NOT at risk! This vulnerability cannot be used to extract the seed from a Trezor Safe device, because the affected cryptography is not involved in the creation and/or protection of the device backup.

Your funds remain secure.

We will keep you updated if any new findings emerge.

https://x.com/Trezor/status/1831256973242716623

[hugeblack]

I currently believe it is safe to have a nonce side-channel long enough to keep this attack going for hours, as it would be difficult to gain physical access for those hours. In general, it seems that many devices will fail at some point if they are stolen, so keeping them in a safe and signal-free place is essential.

[NotATether]

A bit concerning, since few cryptocurrency wallet also support YubiKey these days. The news only mention someone who targeted by nation-states should be worried, although people who tons of assets/money using YubiKey probably should also be more careful.

Why are people using their hardware wallets as 2FA devices??

It makes no sense. It breaks all the laws of wallet security. You should *never* be plugging your hardware wallet into your computer just to authenticate some random websites in your browser, that makes it no more secure than Web3 Connect (spoiler alert - that's how a lot of scams are done nowadays).

Get a separate device to use for 2FA.

[ABCbits]

it does take quite a bit of sophistication and hardware so hopefully not widespread issue.

I don't know how complicated this is but I suspect many of this encryption algorithms have backdoor in them.
This could also affect more devices and maybe even some hardware wallets that have support for FIDO like ledger, trezor and maybe few others.
Another warning is that Optiga Trust M chip that is used in new Trezor Safe devices could also be affected, according to this artcile!

SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

It's probably worth to mention this isn't first time such vulnerabity discovered on Infineon product. Few examples,
https://www.infosecglobal.com/news/infineon-vulnerability
https://www.zdnet.com/article/tpm-fail-vulnerabilities-impact-tpm-chips-in-desktops-laptops-servers/

A bit concerning, since few cryptocurrency wallet also support YubiKey these days. The news only mention someone who targeted by nation-states should be worried, although people who tons of assets/money using YubiKey probably should also be more careful.

Why are people using their hardware wallets as 2FA devices??

It makes no sense. It breaks all the laws of wallet security. You should *never* be plugging your hardware wallet into your computer just to authenticate some random websites in your browser, that makes it no more secure than Web3 Connect (spoiler alert - that's how a lot of scams are done nowadays).

Get a separate device to use for 2FA.

I would expect some people assume it's much harder or practically impossible to steal their coin or other private data just by plugging their hardware wallet for a while.

[NotATether]

I would expect some people assume it's much harder or practically impossible to steal their coin or other private data just by plugging their hardware wallet for a while.

Yes but that is foolish thinking. We have seen many vulnerabilities that involve plugging your phone into an untrusted computer via a charging cable, and it can exfiltrate a lot of stuff it is not supposed to be getting. And these are phones with Secure Element and all that. So what makes you think that the same could not be devised for a security key or a hardware wallet? There was even one Youtuber who managed to extract data from a Trezor IIRC.

[dkbit98]

It's probably worth to mention this isn't first time such vulnerabity discovered on Infineon product. le.

New vulnerabilities are found in microchips all the time, but  it's probably easier to find and report flaws like this when firmware code in open like in case with Infineon Optiga.
It is good that Infineon Optiga is not used by Trezor for storing seed words, so people don't have to worry about that, but I expect to see new wave of fake trezor phishing scammers soon.
Other chips have signed NDA's so even if new flaw is discovered this will not be reported in public.

[Yaunfitda]

According to what I read on the link that you posted, all devices are vulnerable to the attack but the attacker needs to have physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. So I think people that are having such 2FA device should keep it safe.

Right from time I prefer authentication app instead which would be on a separate device.

Not all of them, according to their security advisor,

Not Affected Products

YubiKey 5 Series version 5.7.0 and newer

YubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)

YubiKey Bio Series versions 5.7.2 and newer

Security Key Series versions 5.7.0 and newer

YubiHSM 2 versions 2.4.0 and newer

YubiHSM 2 FIPS versions 2.4.0 and newer

Affected

YubiKey 5 Series versions prior to 5.7

YubiKey 5 FIPS Series prior to 5.7

YubiKey 5 CSPN Series prior to 5.7

YubiKey Bio Series versions prior to 5.7.2

Security Key Series all versions prior to 5.7

YubiHSM 2 versions prior to 2.4.0

YubiHSM 2 FIPS versions prior to 2.4.0

https://www.yubico.com/support/security-advisories/ysa-2024-03/

For technical description here is the full disclosure: https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

[NotATether]

Not all of them, according to their security advisor,

~

I don't get this list. Are these firmware versions? Or different iterations of the model?

[SickDayIn]

Not all of them, according to their security advisor,

~

I don't get this list. Are these firmware versions? Or different iterations of the model?

They're different hardware devices, consider them iterations of models with different features. Now you can use Yubikey out of the box, but most often people use the associated Yubikey software which can provide firmware updates to the device. So consider it hardware and associated firmware version release.