In a successful attack scenario, a bad actor would steal a user’s login ID and password (through phishing or other means), then gain physical access to their token without their knowledge. They would then send authentication requests to the token while recording measurements on the token. Once the device has been returned, they can then launch a side-channel attack to extract the Elliptic Curve Digital Signature Algorithm (ECDSA) private key linked to the account. This then gives them undetected access.
“Let us assume an attacker is able to steal your YubiKey, open it to access the logic board, apply the EUCLEAK attack and then re-package the original YubiKey in such a way that you do not realize that you lost it in the first place,” said Roche. “Then the attacker can build a clone of your authentication factor — a copy of your own YubiKey. You feel safe when you actually are not.”
The cryptographic flaw that allows this exists in a small microcontroller within the device, and affects all YubiKeys and Security Keys running firmware earlier than version 5.7 (which was released in May). It also affects YubiHSM 2 versions prior to 2.4.0 (rolled out just this week).