Researchers have uncovered a vulnerability, tracked as CVE-2024-45678, in the widely used YubiKey 5 two-factor authentication devices, which could jeopardize the security of countless users who rely on these tokens to safeguard their accounts.
The issue lies within a cryptographic library developed by Infineon. This flaw enables attackers to clone the YubiKey 5, provided they have temporary physical access to the device. The attack, named EUCLEAK, is based on the analysis of side channels—information leakage through physical manifestations of the device’s operations.
In this case, the side channel is the time taken to execute certain cryptographic operations. Specifically, the vulnerability emerges during modular inversion. An attacker can measure minute time differences and use this data to extract the ECDSA private key, which underpins the token’s security.
The vulnerability was discovered by specialists from NinjaLab, who detailed the attack’s mechanism. They used an oscilloscope to measure electromagnetic emissions during the token’s authentication process, allowing them to detect timing variations that revealed the key.
More precisely, the flaw lies in Infineon’s implementation of the extended Euclidean algorithm, which the library uses to compute modular inverses.
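To make the leak concrete, the following Python example (added here; it is not code from NinjaLab, Infineon or Yubico, and it assumes a small constructed prime modulus rather than a real curve order) counts how many division rounds a textbook extended Euclidean inverse runs for different operands. The count, and therefore the running time, depends on the value being inverted, which in ECDSA signing is the per-signature nonce. It also shows the standard blinding countermeasure: multiply the secret by a fresh random mask before inverting, so the operand the algorithm actually sees is unrelated to the secret.

```python
import secrets


def egcd_inverse(a: int, m: int) -> tuple[int, int]:
    """Extended Euclidean modular inverse of a mod m.

    Returns (inverse, steps), where steps is the number of division rounds
    the loop executed. The count depends on the operand values, so the
    running time of a naive implementation leaks information about `a`
    (standing in here for the ECDSA nonce that signing has to invert).
    """
    old_r, r = a % m, m
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("operand is not invertible modulo m")
    return old_s % m, steps


def step_counts(m: int, operands: list[int]) -> list[int]:
    """Iteration count per operand; a non-constant list is the timing leak."""
    return [egcd_inverse(a, m)[1] for a in operands]


def blinded_inverse(k: int, m: int) -> int:
    """Blinded inverse: the usual countermeasure for this class of leak.

    Instead of inverting the secret k directly, multiply it by a random mask
    r, invert the product (whose value is unrelated to k), then unmask:
    (k*r)^-1 * r == k^-1 (mod m). m is assumed prime, so every nonzero k
    and r is invertible.
    """
    r = secrets.randbelow(m - 1) + 1          # uniform mask in [1, m-1]
    inv_kr, _ = egcd_inverse((k * r) % m, m)  # timing now depends on k*r, not k
    return (inv_kr * r) % m


if __name__ == "__main__":
    P = 1_000_003  # constructed small prime modulus for the demonstration
    sample = [secrets.randbelow(P - 1) + 1 for _ in range(2000)]
    counts = step_counts(P, sample)
    print(f"EEA rounds over {len(sample)} operands: "
          f"min={min(counts)} max={max(counts)}")
    k = sample[0]
    assert blinded_inverse(k, P) == egcd_inverse(k, P)[0]
    print("blinded inverse equals the plain inverse; EEA only ever saw k*r")
```

Running the script prints a clear spread between the minimum and maximum round counts, which is the data dependence an attacker measures. Blinding does not make the loop constant-time; it makes the measured timing statistically independent of the secret, which is why hardened libraries use it (or a constant-time inversion such as exponentiation) rather than the plain algorithm.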
All YubiKey 5 models with firmware versions below 5.7 are vulnerable. Unfortunately, firmware updates are not possible on these devices, leaving them permanently susceptible to this attack. In May, Yubico released firmware version 5.7, replacing Infineon’s cryptographic library with their own. However, this does not resolve the issue for devices that shipped with earlier firmware.
The problem extends beyond YubiKey. Researchers believe the vulnerability may affect a wide range of devices using Infineon microcontrollers, including smart cards for banking transactions, electronic passports, and access control systems for secure areas.
Potentially vulnerable microcontrollers include Infineon’s SLE78, as well as its successors, Infineon Optiga Trust M and Infineon Optiga TPM.
To successfully carry out the attack, an adversary would need equipment costing around $11,000 and extensive expertise in electrical engineering and cryptography. This limits the threat to entities with substantial resources, such as state-sponsored actors or well-funded organizations.
According to the researchers, the offline phase of the attack initially took around 24 hours, but with further refinement, the process could be reduced to less than one hour.
Cloning a YubiKey involves several steps. First, the attacker must obtain the victim’s login credentials, possibly through phishing. Then, they need to temporarily gain physical access to the device without raising suspicion.
Using the stolen credentials, the attacker sends authentication requests while simultaneously conducting side-channel measurements. Afterward, the device is returned to the owner, and the collected data is analyzed to extract the ECDSA private key. Once the key is successfully retrieved, the attacker can access the account without needing the physical FIDO device.
It is important to note that the attack requires disassembling the YubiKey, exposing the logic board inside. This involves using a heat gun and a scalpel to remove the plastic casing. The attacker must access the part of the board that acts as the secure element, which stores cryptographic secrets. The chip is then connected to hardware and software that measure its operations during authentication. Once measurements are completed, the device must be placed in a new casing.
Despite the severity of the vulnerability, experts stress that two-factor authentication using physical keys remains one of the most reliable security methods. It still effectively defends against phishing and man-in-the-middle attacks.
Users can check their device’s firmware version using the Yubico Authenticator app. The firmware version is displayed in the upper-left corner of the main screen, alongside the key’s series and model.
For additional security, YubiKey supports optional measures such as a PIN or biometric verification. These make the attack significantly harder to execute, as the attacker would also need that additional factor to successfully use a cloned key.
Estimates suggest that this vulnerability has existed for more than 14 years in Infineon’s most secure chips. These chips and the vulnerable portion of the cryptographic library have undergone approximately 80 certification evaluations at the AVA_VAN.4 (for TPM) or AVA_VAN.5 (for the others) levels from 2010 to 2024.