YubiKeys Exposed: An Unfixable Security Flaw in Two-Factor Authentication
Revealing the Security Flaw in YubiKeys
This article discusses the recent security advisory issued regarding a vulnerability in YubiKey two-factor authentication tokens. Security researchers discovered this flaw within the Infineon cryptographic library utilized by most YubiKey products, including YubiKey 5, YubiKey Bio, Security Key, and YubiHSM 2 series devices.
Understanding the Impact of the Vulnerability
Yubico, the manufacturer, asserts that the severity of this side-channel vulnerability is 'moderate,' yet it remains difficult to exploit. This difficulty stems from the necessity of possessing both the YubiKey and information regarding the targeted accounts.
- The attacker requires physical access to the YubiKeys, Security Keys, or YubiHSM.
- Knowledge of target accounts, additional PINs, passwords, or authentication keys may also be necessary.
Despite these barriers, a determined individual or state-sponsored entity may find ways to exploit the vulnerability. Unfortunately, as YubiKey firmware cannot be updated, models released before version 5.7 remain indefinitely vulnerable.
Broader Implications
Furthermore, NinjaLab, the security firm that uncovered this vulnerability, estimates that it has persisted in Infineon’s top security chips for over 14 years.
Devices utilizing the Infineon cryptographic library, including Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers, could also be impacted.
This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.