In a recent discovery by the cybersecurity research team at NinjaLab, a critical vulnerability has been identified in the YubiKey 5 Series devices and other security products that utilize Infineon chips. This vulnerability, known as EUC LEAK, poses a serious risk to the integrity of private cryptographic keys stored in these devices.
Why This Matters
YubiKey devices are widely used for securing online accounts, providing two-factor authentication (2FA) to protect against unauthorized access. These small, yet powerful, hardware tokens are trusted by millions around the world to safeguard sensitive information. However, the newly uncovered EUC LEAK vulnerability could undermine this trust by allowing attackers to extract private keys from the affected devices.
The Technical Details
EUC LEAK takes advantage of a flaw in the Elliptic Curve Digital Signature Algorithm (ECDSA) implementation within Infineon’s cryptographic library. Specifically, the vulnerability exploits timing variations in the Extended Euclidean Algorithm used for modular inversion—a crucial step in the ECDSA process. By carefully measuring these timing differences through electromagnetic side-channel analysis, an attacker with physical access to the device could potentially extract the private key in just a few minutes.
Affected Devices
- YubiKey 5 Series: All devices with firmware versions prior to 5.7 (released May 6th, 2024)
- Infineon TPMs: Particularly those from the SLB96xx version
- Other Products: Any devices utilizing Infineon security microcontrollers with the affected cryptographic library
How the Attack Works
The attack requires physical access to the device for a brief period. Using sophisticated equipment, the attacker captures electromagnetic signals emitted during ECDSA operations. These signals are then analyzed offline, typically taking about 24 hours, to recover the private key. Once the key is extracted, it could be used to compromise the security of FIDO/FIDO2, PGP, and PIV functionalities, which are critical for securing digital identities.
What You Should Do
If you own a YubiKey 5 Series device:
- Upgrade your firmware: Yubico has released an update (version 5.7 or later) that addresses this vulnerability. It is crucial to update your device as soon as possible.
For other affected devices:
- Consult the manufacturer: Depending on the device, a hardware replacement may be necessary, as some devices cannot be field-updated.
The Bigger Picture
This discovery underscores the ongoing challenges in implementing truly secure cryptography, even in devices that have undergone rigorous security certifications. It also highlights the importance of independent security research in identifying vulnerabilities that may otherwise go undetected.
The full technical details of the EUC LEAK vulnerability, along with its implications, are available in the comprehensive report published by NinjaLab on September 3rd, 2024.