Some YubiKeys have an unfixable vulnerability that’s hard to exploit

Share via:


Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device according to a new security advisory. The vulnerability was discovered within the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, Yubikey Bio, Security Key, and YubiHSM 2 series devices.

YubiKey manufacturer Yubico says the severity of the side-channel vulnerability is “moderate” but is difficult to exploit, partly because two-factor systems rely upon something the user has and something only they should know. 

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or state-sponsored attack.

As YubiKey firmware can’t be updated, all YubiKey 5 devices before version 5.7 (or 5.7.2 for the Bio series and 2.4.0 for YubiHSM 2) will remain vulnerable forever. Later model versions aren’t affected as they no longer use the Infineon cryptolibrary. NinjaLab, the security firm that discovered the vulnerability, estimates that it’s existed in Infineon’s top security chips for over 14 years. The researchers believe other devices using the Infineon cryptographic library or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers are also at risk.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

Some YubiKeys have an unfixable vulnerability that’s hard to exploit


Security researchers have detected a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device according to a new security advisory. The vulnerability was discovered within the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, Yubikey Bio, Security Key, and YubiHSM 2 series devices.

YubiKey manufacturer Yubico says the severity of the side-channel vulnerability is “moderate” but is difficult to exploit, partly because two-factor systems rely upon something the user has and something only they should know. 

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or state-sponsored attack.

As YubiKey firmware can’t be updated, all YubiKey 5 devices before version 5.7 (or 5.7.2 for the Bio series and 2.4.0 for YubiHSM 2) will remain vulnerable forever. Later model versions aren’t affected as they no longer use the Infineon cryptolibrary. NinjaLab, the security firm that discovered the vulnerability, estimates that it’s existed in Infineon’s top security chips for over 14 years. The researchers believe other devices using the Infineon cryptographic library or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers are also at risk.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

The US IPO window hasn’t reopened yet, but startups...

Welcome to Startups Weekly — your weekly recap of everything you can’t miss...

Swiggy Ropes In Ex-Lenskart Exec Supriya Shankar As Events...

SUMMARY An alumnus of Visvesvaraya Technological University and Indian...

Bitcoin could hit $100K November, Trump mulls crypto-friendly CFTC...

Expectations of improving economic policies under the Trump...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!