vulnerability in YubiKey 5 keys

The big news of last week was the discovery of a fairly serious vulnerability in YubiKey 5 hardware keys, which are used for multi-factor authentication, including under the FIDO standard. Researchers from NinjaLab showed (project website, research paper, and a retelling for mere mortals in Ars Technica) how one can, in fact, clone such a key and subsequently gain access to the services of an unsuspecting victim. The attack was named EUCLEAK.

The research is interesting more for its complexity than for its potential consequences. A successful attack requires physical access to the device. Moreover, it would require disassembling the device and working with a soldering iron, and the attack itself takes (in the worst case) about 10 hours. However, if we are talking about particularly valuable information, such efforts may be justified. But the real merit of NinjaLab is that they found a vulnerability in a highly protected and very well-tested microcontroller from Infineon, which is used in YubiKey controllers and many other devices.

A side-channel attack was successfully carried out on Infineon SLE78 and OPTIGA microcontrollers. A side channel is, for example, the current the device draws during operation. If this power consumption is measured with high accuracy, indirect signs of the encryption algorithm's operation can be seen. In the worst case (from a security point of view), power consumption changes depending on the data being encrypted. Alternatively, the time required to perform a specific computation changes, and this difference can again be derived from changes in power consumption. Such leaks of secret data can be countered by both hardware and software methods. In cryptography, implementers generally try to make the time spent on calculations independent of the input data, so this protection against side-channel attacks is implemented in software.

The problem was found in the implementation of the ECDSA algorithm, more precisely, in the part of it known as the Extended Euclidean Algorithm. That is where the error was: it caused the time spent executing this algorithm to vary depending on the input data.
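To make the data dependence concrete, here is an added example (not code from NinjaLab, Infineon or Yubico) that counts the steps of a textbook extended Euclidean inversion for different inputs and compares it with a fixed-schedule inversion by exponentiation. The P-256 group order as modulus, the sample inputs and all function names are assumptions made for illustration; step counts stand in for the timing a side channel would observe, since Python's own big-integer arithmetic is not constant-time.

```python
# Added illustration; not NinjaLab's, Infineon's or Yubico's code.
# Step counts are a proxy for execution time, not a real timing measurement.

# Order of the NIST P-256 group: a public prime, used only as a realistic modulus.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def inv_euclid(k, n=N):
    """Modular inverse via the extended Euclidean algorithm.
    Returns (inverse, division_steps); the step count depends on k."""
    r0, r1 = n, k % n
    t0, t1 = 0, 1
    steps = 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("k is not invertible modulo n")
    return t0 % n, steps

def inv_fermat(k, n=N):
    """Modular inverse as k^(n-2) mod n (n prime), square-and-multiply.
    Returns (inverse, operations); the schedule is fixed by the public exponent."""
    acc, ops = 1, 0
    for bit in bin(n - 2)[2:]:
        acc = acc * acc % n
        ops += 1
        if bit == "1":
            acc = acc * k % n
            ops += 1
    return acc, ops

def step_profile(values, n=N):
    """Return (set of Euclid step counts, set of Fermat op counts) over values."""
    euclid = {inv_euclid(k, n)[1] for k in values}
    fermat = {inv_fermat(k, n)[1] for k in values}
    return euclid, fermat

# Constructed sample inputs standing in for secret values.
SAMPLES = [1, 2, 3, 0xDEADBEEF, 2**128 + 1, 2**255 - 19, N - 1]

if __name__ == "__main__":
    euclid, fermat = step_profile(SAMPLES)
    print("Euclid division steps:", sorted(euclid))
    print("Fermat operation counts:", sorted(fermat))
```

The Euclidean variant produces several different step counts across the inputs, while the exponentiation variant always performs the same number of operations, which is the property a side-channel-resistant implementation needs at the algorithmic level.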

The full attack scenario looks like this: without the user's knowledge, it is necessary to steal not only the YubiKey key, but also the remaining parts of the “multifactor” authentication to the required service, such as the login and password. Then it will be necessary to access the service many (thousands) times, observing the operation of the Infineon controller in the YubiKey. Many successive measurements due to an error in the code will eventually allow calculating the private key, and this, in turn, will allow creating, in fact, a clone of the device. Fortunately, the problem was successfully solved after NinjaLab disclosed information to the affected vendors in the spring of this year. Both the standard Infineon library and the YubiKey keys were patched. The firmware update to version 5.7, released in May of this year, replaces the standard Infineon library with Yubico's own implementation, which is not susceptible to this vulnerability.

What else happened?

Researchers from Kaspersky Lab describe, in a new publication, the most interesting examples of corporate cyber incidents recorded in 2023. Two more publications from Kaspersky Lab analyze malware in detail: the Loki agent for the popular Mythic framework, and a cybercriminal campaign named Tusk, aimed at stealing sensitive information.

A detailed description has been published of vulnerabilities in the Wi-Fi module used in a number of MediaTek chipsets, including MT6890, MT7915, MT7916, MT7981, MT7986, and MT7622. The vulnerability, CVE-2024-20017, in a worst-case scenario leads to malicious code execution and device takeover.

Israeli researcher Mordechai Guri showed a new method for extracting data from a computer disconnected from the network. If malware is successfully placed on such a PC, it will be able to control the data flows in the RAM in such a way as to generate weak radio signals, and then use them to send secret information to the outside world.
