Subj : YubiKey FIDO authenticators could be abused through unpatchable c To : All From : TechnologyDaily Date : Wed Sep 04 2024 17:15:06 YubiKey FIDO authenticators could be abused through unpatchable cryptographic flaw Date: Wed, 04 Sep 2024 16:03:00 +0000 Description: A piece of hardware in some MFA tokens is leaking data which allowed researchers to clone it. FULL STORY ====================================================================== All physical multi-factor authentication ( MFA ) keys that work on Infeneons SLE78 microcontroller were said to be vulnerable to a cryptographic flaw which allows threat actors to clone the gadget and gain unabated access to restricted accounts. This includes the YubiKey 5, considered the most widely used hardware token based on the FIDO standard. In an in-depth technical analysis , researchers from NinjaLab described how they discovered the flaw, and what it means for those using YubiKey 5 . As explained, the SLE78 microcontroller implements the Elliptic Curve Digital Signature Algorithm (ECDSA) as its core cryptographic primitive. In short, ECDSA is a cryptographic algorithm used to create digital signatures, and if a hacker is able to read this signature, then they are able to undermine the security of the entire token. And thats exactly what NinjaLab did, by employing a technique known as side-channel. This is a type of security attack in which hackers exploit information gained from the physical implementation of a computer system, rather than weaknesses in the implemented algorithms. These attacks gather information by observing how a system operates, such as its timing, power consumption, electromagnetic emissions, or even sound. YubiKey 5 not so easily exploited With SLE78, generating a different ephemeral key takes varying amounts of time, and this is something the researchers were able to read, and from it clone their own YubiKey 5 (this is a super simplified explanation). It is definitely a major vulnerability, but one that is not that easy to replicate in the wild. The attacker would need to know the victims login information first, and have physical access to the MFA token. Then, they would need to tear the token apart in order to access the hardware within, and use $11,000 worth of equipment to do the reading. The reading itself, and the process of cloning the device, only takes a few minutes. This isnt something your average hacker could abuse, but a nation-state - absolutely. Its also worth mentioning that there is no patch, or fix - all YubiKey 5 devices running firmware prior to version 5.7 are permanently vulnerable. Via Ars Technica More from TechRadar Pro Uncovering the cybersecurity industrys senseless fixation with security keys Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/yubikey-fido-authenticators-could-be-abused-thro ugh-unpatchable-cryptographic-flaw --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .