Secure elements consist mainly of tiny microcontrollers, which provide service by generating and storing secrets and performing cryptographic operations.
Thomas Roche of NinjaLab finds a major security flaw in the crypto library of Infineon Technologies affecting a diverse range of secure elements and FIDO hardware tokens, including the popular YubiKey 5 Series.
The vulnerability, which is called EUCLEAK, capitalizes on a flaw in the implementation of ECDSA and involves a non-constant-time modular inversion operation.
While the flaw enables threat actors to clone devices by extracting secret keys.
Thomas said this security flaw enables attackers with temporary physical presence to recover the secure keys using an unethical practice known as Electromagnetic Analysis, which monitors power fluctuations to reconstruct a device’s internal workings.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
This vulnerability affects gadgets that are developed on Infineon SLE78 MCUs, including YubiKey 5 Series (firmware versions below 5.7), and extends even to new Infineon products such as Optiga Trust M and Trust Platform Module security chips.
Perhaps surprisingly, this vulnerability went undetected for 14 years despite undergoing about eighty high-level security common criteria certification schemes.
This vulnerability affects the YubiKey 5 Series and Security Key Series, as well as the YubiHSM 2 with firmware before 2.4.0.
Besides this, the CVE ID for the flaw is still in process, but got a CVSS Severity score of “4.9,” and has been tracked with the “YSA-2024-03,” tracking ID.
The implications are far-reaching, as a number of secure systems that use these components may potentially be put at risk, and the components include:-
Although the attack is only possible with some physical access, special equipment, and some technical skills, it could enable threat actors to harvest FIDO devices and make copies of them which are robbing the devices of their main purpose, which is effective security against phishing.
Despite this vulnerability, the researchers pointed out that even using these compromised FIDO tokens would be better than having no hardware security measures in place.
Exploiting the flaw requires physical possession of the device, and additionally, PIN codes or passwords must be available.
The vulnerability in question will mainly affect the use cases for FIDO and may have impacts on PIV and OpenPGP usage, depending on implementation.
The choice of algorithms might also influence the use of YubiHSM 2.
To avoid the risks mentioned above and keep the supply chain exposure to a minimum, Yubico has stopped using Infineon’s library in later firmware versions and implemented its own cryptographic solutions in the software.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…
An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…
A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…
The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…
NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…