Monday, May 12, 2025
HomeCVE/vulnerabilitySecurity Flaw Allows Attackers to Clone YubiKeys by Extract Private Key

Security Flaw Allows Attackers to Clone YubiKeys by Extract Private Key

Published on

SIEM as a Service

Follow Us on Google News

Secure elements consist mainly of tiny microcontrollers, which provide service by generating and storing secrets and performing cryptographic operations.

Thomas Roche of NinjaLab finds a major security flaw in the crypto library of Infineon Technologies affecting a diverse range of secure elements and FIDO hardware tokens, including the popular YubiKey 5 Series.

The vulnerability, which is called EUCLEAK, capitalizes on a flaw in the implementation of ECDSA and involves a non-constant-time modular inversion operation.

- Advertisement - Google News

While the flaw enables threat actors to clone devices by extracting secret keys.

Technical Analysis

Thomas said this security flaw enables attackers with temporary physical presence to recover the secure keys using an unethical practice known as Electromagnetic Analysis, which monitors power fluctuations to reconstruct a device’s internal workings.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

This vulnerability affects gadgets that are developed on Infineon SLE78 MCUs, including YubiKey 5 Series (firmware versions below 5.7), and extends even to new Infineon products such as Optiga Trust M and Trust Platform Module security chips.

Perhaps surprisingly, this vulnerability went undetected for 14 years despite undergoing about eighty high-level security common criteria certification schemes.

This vulnerability affects the YubiKey 5 Series and Security Key Series, as well as the YubiHSM 2 with firmware before 2.4.0.

Besides this, the CVE ID for the flaw is still in process, but got a CVSS Severity score of “4.9,” and has been tracked with the “YSA-2024-03,” tracking ID.

The implications are far-reaching, as a number of secure systems that use these components may potentially be put at risk, and the components include:- 

  • Electronic passports
  • Cryptocurrency hardware wallets
  • Smart car systems 
  • Smart home systems

Although the attack is only possible with some physical access, special equipment, and some technical skills, it could enable threat actors to harvest FIDO devices and make copies of them which are robbing the devices of their main purpose, which is effective security against phishing.

Despite this vulnerability, the researchers pointed out that even using these compromised FIDO tokens would be better than having no hardware security measures in place.

Identify Your YubiKey Version

  • Open the Yubico Authenticator application on your device.
  • Locate the model and version of your YubiKey on the Home screen.
  • The series and model will be listed in the upper left corner.
  • Example: If your YubiKey is a YubiKey 5C NFC, the version might be 5.7.0.

Identify Your YubiHSM 2 Version

  • Ensure you have the YubiHSM SDK installed on your system.
  • Open your terminal or command prompt.
  • Execute the following commands in sequence:-
  • $ yubihsm-connector -d
  • $ yubihsm-shell
  • $ yubihsm> connect
  • $ yubihsm> get deviceinfo

Exploiting the flaw requires physical possession of the device, and additionally, PIN codes or passwords must be available.

Affected and not affected products (Source – Yubico)

The vulnerability in question will mainly affect the use cases for FIDO and may have impacts on PIV and OpenPGP usage, depending on implementation.

The choice of algorithms might also influence the use of YubiHSM 2.

To avoid the risks mentioned above and keep the supply chain exposure to a minimum, Yubico has stopped using Infineon’s library in later firmware versions and implemented its own cryptographic solutions in the software.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...