NinjaLab, a security research company, has discovered a vulnerability that could potentially allow bad actors to clone YubiKeys, as detailed in a security advisory. The flaw was found in the cryptographic library used in the YubiKey 5 Series, specifically in the microcontroller responsible for generating and storing secrets for security devices like bank cards and FIDO hardware tokens. YubiKeys are widely used FIDO authentication keys meant to enhance account security by requiring users to physically plug them into their computers for login.

The researchers identified the vulnerability by analyzing an open platform based on the Infineon cryptographic library that Yubico uses. They confirmed that all YubiKey 5 models are susceptible to cloning and that the issue extends beyond this specific brand, although they have not attempted to replicate the vulnerability on other devices.

Exploiting the vulnerability would require physical access to the target token, dismantling it, and using costly equipment like an oscilloscope to perform electromagnetic side-channel measurements for analysis. This security flaw, present for 14 years, may pose a threat primarily to government agencies or individuals handling sensitive information at risk of espionage, which underlines the need for caution with YubiKeys. At the same time, the researchers emphasize the importance of using YubiKeys as FIDO hardware authentication tokens for added security, noting that the required resources and expertise make exploiting the vulnerability challenging for most attackers.