NinjaLab, a security research company, has discovered a vulnerability that would allow bad actors to clone YubiKeys. As the company explained in a security advisory, NinjaLab found a vulnerability in the cryptographic library used in the YubiKey 5 Series. In particular, it found a cryptographic flaw in the microcontroller, which the security researchers described as something that “generates/stores secrets and then execute cryptographic operations” for security devices like bank cards and FIDO hardware tokens. YubiKeys are the most well-known FIDO authentication keys, and they’re supposed to make accounts more secure, since users have to plug them into their computers before they can log in.
The researchers explained that they discovered the vulnerability by studying an open platform based on Infineon’s cryptographic library, which Yubico also uses. They confirmed that all YubiKey 5 models can be cloned, and they also said that the vulnerability isn’t limited to the brand, though they have yet to try to clone other devices.
That vulnerability has apparently gone unnoticed for 14 years, but just because it has now come to light doesn’t mean anybody can exploit it to clone YubiKeys. To start with, bad actors need physical access to the token they want to copy. Then they have to take it apart and use expensive equipment, including an oscilloscope, to “perform electromagnetic side-channel measurements” needed to analyze the token. In their paper, the researchers said their setup cost them around $11,000 and that using more advanced oscilloscopes could raise the setup’s cost to $33,000. In addition, attackers might still need their target’s PINs, passwords or biometrics to be able to access specific accounts.
The bottom line is that users who are part of government agencies, or anybody handling very sensitive documents that could make them espionage targets, would have to be very careful with their keys. For ordinary users, as the researchers wrote in their paper, “it is still safer to use YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.”