Security research company NinjaLab has discovered a vulnerability that would allow bad guys to clone YubiKeys. As the company explained in a security advisory, NinjaLab found a vulnerability in the cryptographic library used in the YubiKey 5 Series.
Specifically, it found a cryptographic flaw in the microcontroller, which the security researchers described as “generating/storing secret information and then executing cryptographic operations” for security devices such as bank cards and FIDO hardware tokens.
YubiKeys are the most well-known FIDO authentication keys, and they are supposed to make accounts more secure, as users must plug it into their computer before logging in.
The researchers explained how they discovered the vulnerability because they found an open platform based on Infineon’s cryptographic library, which Yubico uses.
They confirmed that all YubiKey 5 models can be cloned, and they also said that the vulnerability is not limited to the brand, although they have not yet attempted to clone other devices.
Obviously this vulnerability has gone unnoticed for 14 years, but just because it has come to light now doesn’t mean anyone can take advantage of it to clone YubiKeys. First, the bad guys would need physical access to the token they want to copy.
Then, they would have to take it apart and use expensive equipment including oscilloscopes to “perform electromagnetic side-channel measurements” needed to analyze the token.
In the researchers’ paper, they said that their setup cost around $11,000 and that using more advanced oscilloscopes could increase the cost of the setup to $33,000. Furthermore, attackers may still need their target’s PIN, password or biometrics to be able to access specific accounts.
The conclusion is that users who are part of government agencies or anyone handling very sensitive documents that could make them a target for espionage need to be very careful with their keys. For general users, “it is still safer to use YubiKey or other affected products as a FIDO hardware authentication token to sign in to applications than to not use it at all,” the researchers wrote in their paper.
The Switch 2 looks functionally similar to the original system, although it has a larger display, magnetic Joy-Cons and a sleeker design. The company also confirmed that the upcoming console will be backward compatible with Switch games.
Although the reveal confirmed some rumors and gave some interesting details for those who were paying attention, Nintendo is still keeping its cards close to its chest. We’ll have to wait until a special Nintendo Direct on April 2 for all the interesting details. What’s troubling is that that date is Wednesday, not To-As-Day.