Newly discovered flaw makes some YubiKeys vulnerable to cloning
A vulnerability in YubiKey 5 series firmware prior to version 5.7 makes the devices susceptible to cloning attacks if an attacker has physical access.
Researchers from cybersecurity firm NinjaLab have identified a cryptographic flaw in YubiKey 5 series devices running firmware versions prior to 5.7. This flaw, known as a side-channel vulnerability, could allow an attacker to clone the device if they gain temporary physical access.
The issue originates from an Infineon microcontroller, specifically the SLB96xx series TPM, whose cryptographic library fails to implement a 'constant time' defense mechanism. This deficiency makes it possible for attackers to detect execution time variations, which may reveal the device’s secret cryptographic keys.
While Yubico has released a firmware update to address the issue, existing YubiKey 5 devices cannot be updated and remain permanently vulnerable. Despite the significant resources needed to perform the attack, Yubico advises monitoring for suspicious authentication activities and continues to recommend using YubiKeys over passwords alone.