EUCLEAK: More products vulnerable to cloning attack

The EUCLEAK side-channel vulnerability also became known as the "YubiKey cloning attack". The BSI is re-certifying updated products that were affected.

heise online
"We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
https://ninjalab.io/eucleak/
#eucleak #yubikey5
EUCLEAK - NinjaLab

Illustration: Romain Flamand – Flamingo Studio. Abstract: Secure elements are small microcontrollers whose main purpose is to generate/store secrets and then execute cryptographic operations. They undergo the highest level of security evaluations that exists (Common Criteria) and are often considered inviolable, even in the worst-case attack scenarios. Hence, complex secure […]

NinjaLab
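YubiKey is still clearing out stock of the problematic version

Saw this at "YubiKey still selling old stock with vulnerable firmware": someone mentioned that YubiKey is still selling the problematic version. The blog mentioned there is in German: "https://blog.fefe.de/?ts=99ccc8dc"; opening it in Google Translate to translate it into English: "https://blog.fefe.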

Gea-Suan Lin's BLOG
#Ninjalab also has their own site about their #EUCLEAK research: https://ninjalab.io/eucleak/

Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

There are two phases to the attack:

(1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

(2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

#ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

We've updated our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

https://www.nytimes.com/wirecutter/reviews/best-security-keys/

The Best Security Key for Multi-Factor Authentication

A physical security key helps you protect your online accounts, and Yubico still makes the best one.

Wirecutter: Reviews for the Real World
This Week In Security: EUCLEAK, Revival Hijack, And More

[Thomas Roche] of NinjaLab is out with EUCLEAK, (pdf) a physical attack against Infineon security microcontrollers, and the security tokens that contain them. The name is a portmanteau of Euclidean…

Hackaday

USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: https://securityboulevard.com/2024/09/fwbifx/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc #EUCLEAK

Yikes, YubiKey Vulnerable — ‘EUCLEAK’ FIDO FAIL?

Security Boulevard
I want to know which companies/agencies were doing this highest level Common Criteria certification evaluation for the #infineon library that had this side-channel. #eucleak #ecdsa

Yubikey 5 keys can be cloned. Keys with firmware < 5.7 are vulnerable. Physical access is required.

Hell has frozen over, Yubikeys have been hacked – that is how we could describe yesterday's announcement issued by Yubico, the maker of the world's most popular physical security keys. We could, but although there is some truth in it, there is no reason to panic, at least for most users of the popular Yubikeys. Why not? Let's start with the theory. Researchers from...

#WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

https://sekurak.pl/mozna-klonowac-klucze-yubukey-5-podatne-sa-klucze-z-firmware-5-7-wymagany-fizyczny-dostep/

Sekurak