#Yubikey 5 can be cloned (aka the private key extracted).
Patching is not possible.
Other vendors using the same Infineon chip are likely also vulnerable.
Advisory from Yubico
https://www.yubico.com/support/security-advisories/ysa-2024-03/
Security Advisory YSA-2024-03: Infineon ECDSA Private Key Recovery
Published Date: 2024-09-03
Tracking IDs: YSA-2024-03
CVE: In Process
CVSS Severity: 4.9
Summary: A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue […]
@mcfly "All YubiKey 5 Series (before the firmware update 5.7 11 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack."
That's a lot of expensive things, not just some YubiKey 😬
@mcfly Not good, not terrible for me, as it sounds like this attack is pretty specific.
For most keys, all password protected (passkey, OpenPGP, ...), the attack is useless, as you need the password, so you have access anyway.
Looking forward to a better writeup to understand the issue better.