Side-channel vulnerability found in legacy YubiKey firmware

Infineon cryptographic library deprecated for Yubico’s own

Yubico has released a security advisory addressing a side-channel vulnerability in Infineon’s cryptographic library, which several Yubico devices use. These devices include the YubiKey 5 Series, Security Key Series, YubiHSM 2, and YubiKey Bio Series, which feature fingerprint biometrics.

The vulnerability stems from a flaw in the library's implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), which enables attackers to recover private keys under specific conditions. However, the attacker would need physical access to the Yubico device, detailed knowledge of the targeted account, and specialized hardware to execute the attack.

The advisory highlights that the vulnerability primarily impacts FIDO use cases relying on cryptographic functionality for digital identity and access management (IAM). Other applications may also be affected, including PIV (Personal Identity Verification), OpenPGP, and YubiHSM 2.

This type of side-channel attack exploits physical indicators like electromagnetic emissions, execution time, and data caches to extract private keys.

Through this attack method, malicious actors can observe the time it takes for a cryptographic device to execute certain operations, particularly the modular inversion step, which is performed with the Extended Euclidean Algorithm.

Variations in timing can provide insight into the cryptographic process, including the temporary key (nonce) used in ECDSA, which could lead to the compromise of the private key.
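The sketch below is an added illustration, not code from Yubico, Infineon or the researchers. It shows, in a simplified model, how the number of division steps in an Extended Euclidean inversion depends on the nonce, how a fixed-exponent inversion avoids that dependence, and why a known nonce exposes the key through the ECDSA signing equation. The P-256 group order, the stand-in value for `r` and all sample values are assumptions constructed for the example.

```python
import hashlib

# Assumption for illustration: group order of NIST P-256 (public, prime).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def eea_inverse(k, n=N):
    """Return (k^-1 mod n, division steps). The loop length depends on k."""
    r0, r1, t0, t1, steps = n, k % n, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("k is not invertible modulo n")
    return t0 % n, steps

def fermat_inverse(k, n=N):
    """k^(n-2) mod n for prime n: the exponent is public, so the
    square-and-multiply schedule is the same for every k. (Python's pow is
    not itself constant-time; real firmware also needs constant-time
    field arithmetic underneath.)"""
    return pow(k, n - 2, n)

def sign_s(d, k, z, r, n=N):
    """ECDSA's s = k^-1 * (z + r*d) mod n. r is passed in as a stand-in;
    real ECDSA takes it from the x-coordinate of k*G."""
    return fermat_inverse(k, n) * (z + r * d) % n

def key_from_nonce(r, s, z, k, n=N):
    """Rearranging the signing equation: d = (s*k - z) * r^-1 mod n."""
    return (s * k - z) * fermat_inverse(r, n) % n

def constructed(label):
    """Deterministic made-up sample value in [1, n-1]."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (N - 1) + 1

def step_counts(nonces):
    """Division steps per nonce: the quantity a timing trace reflects."""
    return [eea_inverse(k)[1] for k in nonces]

if __name__ == "__main__":
    nonces = [constructed(b"nonce-%d" % i) for i in range(5)]
    print("EEA steps per nonce:", step_counts(nonces))
    d, k, z, r = (constructed(x) for x in (b"key", b"nonce-0", b"msg", b"r"))
    s = sign_s(d, k, z, r)
    print("known nonce reveals key:", key_from_nonce(r, s, z, k) == d)
```
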

In response to this issue, the company has replaced Infineon’s cryptographic library with its own cryptographic implementation in the newer firmware versions (5.7.0 and later). To determine if a device is affected, users can use the Yubico Authenticator application to check the version and model of the YubiKey.

Patching is not feasible for the impacted YubiKeys. Devices running firmware versions before 5.7 cannot be updated, leaving them permanently vulnerable.

Manufacturers have suggested several mitigation techniques, such as transitioning to RSA keys, which are not susceptible to this vulnerability, strengthening access control, and enhancing FIDO attestation with additional controls like YubiOTP or PIV.

The security advisory follows research by Eucleak, which identified a vulnerability in the cryptographic library used in Yubico devices and other embedded cryptographic chips. This issue could potentially impact biometric passports that utilize ECDSA or similar algorithms for digital signatures.
