YubiKeys Are a Security Gold Standard, but They Can Be Cloned
Briefly

An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM; knowledge of the accounts they want to target; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key.
The YubiKey 5, the most widely used hardware token for two-factor authentication, contains a cryptographic flaw that makes the device vulnerable to cloning when an attacker gains temporary physical access to it. While researchers have confirmed all YubiKey 5 series models can be cloned, they haven't tested other devices using the same vulnerable microcontroller.
YubiKey maker Yubico issued an advisory confirming that all YubiKeys running firmware prior to version 5.7 are vulnerable. Updating key firmware on the YubiKey isn’t possible, leaving all affected YubiKeys permanently vulnerable.
This cryptographic flaw, a side channel, resides in a microcontroller used in many authentication devices, including smartcards for banking, electronic passports, and secure area access.
Read at WIRED