Researcher Thomas Roche from NinjaLab reported a vulnerability called EUCLEAK in the secure element chip Infineon SLE78 used in YubiKey 5. The vulnerability lies in the ECDSA signature verification process, which can be observed in response time to verify the key value internally. Despite randomization measures, Roche was able to detect intentional processing halts, allowing hackers with the key in hand to systematically guess the signature millions of times until retrieving the key.
The impact of this vulnerability extends beyond YubiKey, affecting all devices utilizing the SLE78 chip for security purposes, such as certain JavaCard smart cards, TPM chips, HSMs storing keys in various servers, or security chips in IoT devices. NinjaLab has contacted affected manufacturers, with YubiKey already issuing a patch by switching to their own library since May. However, already distributed keys cannot be patched, posing a risk of being copied and exploited by adversaries over an extended period.
This attack method requires physical possession of the key and cannot be executed remotely. Roche emphasizes the continued security of using FIDO keys for authentication over other methods.
Source: NinjaLab
TLDR: Researcher Thomas Roche exposed the EUCLEAK vulnerability in the Infineon SLE78 chip used in YubiKey 5, impacting various security devices and emphasizing the importance of using FIDO keys for secure authentication.
Leave a Comment