YubiKeys Exposed: An Unfixable Security Flaw in Two-Factor Authentication

Wednesday, 4 September 2024, 04:49

YubiKeys have been found to contain a security flaw that cannot be patched in the field and that weakens their role as a second authentication factor. Security researchers traced the vulnerability to the Infineon cryptographic library used inside the devices. It affects several YubiKey models, including the YubiKey 5 and YubiKey Bio. The attack is difficult to mount because it requires physical access to the token, which makes physical custody of the keys part of the defence. Yubico rates the flaw as 'moderate' severity but warns that well-resourced, state-sponsored attackers are the realistic threat.
The Verge

Revealing the Security Flaw in YubiKeys

This article discusses the security advisory Yubico recently issued for a vulnerability in its YubiKey two-factor authentication tokens. Security researchers found the flaw in the Infineon cryptographic library used by most Yubico products, including the YubiKey 5, YubiKey Bio, Security Key and YubiHSM 2 series.

Understanding the Impact of the Vulnerability

Yubico, the manufacturer, rates this side-channel vulnerability as 'moderate' severity and notes that it is difficult to exploit. The difficulty comes from what an attacker has to obtain before the attack is even possible: physical possession of the YubiKey and knowledge of the accounts it protects.

  • The attacker needs physical access to the YubiKey, Security Key or YubiHSM, and the specialised equipment to perform the side-channel measurement on it.
  • The attacker must also know which accounts to target, and may need any PINs, passwords or authentication keys that guard the credential on the device.

Despite these barriers, a determined individual or a state-sponsored group could still exploit the flaw against a high-value target. Because YubiKey firmware cannot be updated after manufacture, devices running firmware versions earlier than 5.7 remain vulnerable for their entire lifetime; the only remedy is replacing the hardware.
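The practical question for an administrator is which keys in circulation predate the fix. The following shell helper is an added example, not code from the article, The Verge or Yubico: it takes the text that Yubico's `ykman info` tool prints, extracts the firmware version and reports anything below 5.7.0 as affected. The `Firmware version:` line format and the sample output embedded below are assumptions constructed for an offline run; on a real machine you would pipe `ykman info` into it instead.

```shell
#!/bin/sh
# Added example (not from the article or Yubico). Flags YubiKey firmware
# older than 5.7.0, the first release the article says carries the fix.

# Constructed sample of `ykman info` output; the "Firmware version:" line
# is an assumption about the tool's format, so check it against a real key.
SAMPLE_YKMAN_INFO='Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID'

# firmware_version INFO_TEXT -> prints the dotted version from the info text
firmware_version() {
    printf '%s\n' "$1" | sed -n 's/^Firmware version: *//p'
}

# version_lt A B -> succeeds (exit 0) when dotted version A is lower than B.
# Uses numeric sort on each dot-separated field so 5.10.0 sorts after 5.7.0.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# affected_status VERSION -> prints "affected" for firmware below 5.7.0,
# otherwise "fixed". Only the threshold from the article is encoded here.
affected_status() {
    if version_lt "$1" "5.7.0"; then
        echo affected
    else
        echo fixed
    fi
}

# Stand-alone run over the constructed sample.
ver=$(firmware_version "$SAMPLE_YKMAN_INFO")
echo "firmware $ver: $(affected_status "$ver")"
```

To run it against a plugged-in key, replace the sample with `info=$(ykman info)` and call `affected_status "$(firmware_version "$info")"`. The script only checks the version number; it does not detect the vulnerability itself, so a key reported as "affected" should be treated as permanently vulnerable and scheduled for replacement rather than re-tested.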

Broader Implications

NinjaLab, the security firm that uncovered the vulnerability, estimates that the flaw has been present in Infineon's top-tier security chips for over 14 years.

The problem is therefore not confined to Yubico. Other products built on the same Infineon cryptographic library, running on Infineon's SLE78, Optiga Trust M and Optiga TPM microcontrollers, could also be affected.

