.png)
2 months ago
46 BOOK THIS SPACE FOR AD
ARTICLE AD
My well-used -- and now vulnerable -- YubiKey 5C security key.
Security researchers have uncovered a flaw in YubiKey 5 two-factor authentication security keys, making them vulnerable to cloning. If you're a YubiKey 5 user, here's what you need to know.
Researchers at NinjaLabs discovered the attack. This sophisticated attack leverages a cryptographic bug, known as a side-channel attack, present in a tiny chip -- the Infineon SLE78 -- within the key. The process requires physical access to the key, disassembling it using solvents or a hot air gun, connecting the chip to $11,000 worth of equipment, and extracting private keys from the key.
Also: The best security keys of 2024
To gain access to the key owner's accounts, the attacker would also need usernames, account passwords, PIN codes, or any other authentication keys used to secure the account.
Ars Technica has a good breakdown of the vulnerability.
Yubico, the makers of YubiKey security keys, has published an advisory highlighting the affected keys:
YubiKey 5 Series versions prior to 5.7YubiKey 5 FIPS Series prior to 5.7YubiKey 5 CSPN Series prior to 5.7YubiKey Bio Series versions prior to 5.7.2Security Key Series all versions prior to 5.7YubiHSM 2 versions prior to 2.4.0YubiHSM 2 FIPS versions prior to 2.4.0These keys are not affected:
YubiKey 5 Series version 5.7.0 and newerYubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)YubiKey Bio Series versions 5.7.2 and newerSecurity Key Series versions 5.7.0 and newerYubiHSM 2 versions 2.4.0 and newerYubiHSM 2 FIPS versions 2.4.0 and newerThe 5.7 firmware for YubiKeys was released in May of this year, so all keys bought before this time are affected.
Download the Yubico Authenticator app (available for Linux, Mac, Windows, iOS, and Android). This app will identify the model and version of any YubiKey connected to the device running the app.
Yubico Authenticator highlights a vulnerable security key.
No. As part of securing the keys from being tampered with, the firmware cannot be updated on the security keys.
The Infineon SLE78 is used in a wide variety of devices, from passports to bank cards, but it is unclear if these are vulnerable.
No.
For most users, this is not a significant issue. The process of stealing a key and cloning it to hack online accounts is too complex and costly for most attackers.
Also: 7 password rules to live by in 2024, according to security experts
That said, this should concern those working with highly sensitive or valuable information, such as government organizations, financial institutions, healthcare institutions, journalists, or political activists. The use of these older, vulnerable keys by people in these sectors should be phased out.
Bengali (Bangladesh) · 
English (United States) ·