NinjaLab, a security research company, has discovered a vulnerability that would allow bad actors to clone YubiKeys. As the company explained in a security advisory, the flaw lies in the cryptographic library used in the YubiKey 5 Series. Specifically, it is a cryptographic side-channel weakness in the library running on the device's secure microcontroller, the component the researchers describe as what “generates/stores secrets and then execute cryptographic operations” for security devices such as bank cards and FIDO hardware tokens. YubiKeys are the best-known FIDO authentication keys, and they are meant to make accounts more secure: a user has to plug the key into their computer before they can log in, so a stolen password alone is not enough.
The researchers explained that they were able to study the flaw because they found an open platform built on the same Infineon cryptographic library that Yubico uses, which gave them a way to analyze the library's behavior directly. They confirmed that all YubiKey 5 models can be cloned, and they added that the vulnerability is not limited to Yubico's products, although they have not yet tried to clone other devices.
That vulnerability has apparently gone unnoticed for 14 years, but its disclosure does not mean anybody can exploit it to clone YubiKeys. To start with, bad actors need physical access to the token they want to copy. They then have to open the device and use expensive equipment, including an oscilloscope, to “perform electromagnetic side-channel measurements” while the token performs cryptographic operations, and analyze the captured signals to recover the secret key. In their paper, the researchers said their setup cost around $11,000 and that using more advanced oscilloscopes could raise the cost to $33,000. In addition, a clone only reproduces the hardware factor: to actually get into a specific account, attackers would still need whatever else that account requires, such as the target's username and password, PIN or biometrics.
The bottom line is that users who work for government agencies, or anybody handling material sensitive enough to make them an espionage target, should guard their keys carefully and treat a key that has been out of their control as potentially compromised. For ordinary users, as the researchers wrote in their paper, “it is still safer to use YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.”