Posted by Pelican Press, September 5, 2024

YubiKey vulnerability will let attackers clone the authentication device

NinjaLab, a security research company, has found a vulnerability that would allow bad actors to clone YubiKeys. As the company has explained in a paper, NinjaLab found a vulnerability in the cryptographic library used in the YubiKey 5 Series. In particular, it found a cryptographic flaw in the microcontroller, which the security researchers described as something that “generates/stores secrets and then executes cryptographic operations” for security devices like bank cards and FIDO hardware tokens.

YubiKeys are the most well-known FIDO authentication keys, and they’re supposed to make accounts more secure, since users would have to plug them into their computers before they could log in. The researchers explained that they discovered the vulnerability because they found an open platform based on Infineon’s cryptographic library, which Yubico uses. They confirmed that all YubiKey 5 models can be cloned, and they also said that the vulnerability isn’t limited to the brand, though they’ve yet to try and clone other devices.

That vulnerability has apparently gone unnoticed for 14 years, but just because it has now come to light doesn’t mean anybody can exploit it to clone YubiKeys. To start with, bad actors will need to have physical access to the token they want to copy. Then, they have to take it apart and use expensive equipment, including an oscilloscope, to “perform electromagnetic side-channel measurements” needed to analyze the token. In the researchers’ paper, they said their setup cost them around $11,000 and that using more advanced oscilloscopes could raise the setup’s cost to $33,000. In addition, attackers might still need their target’s PINs, passwords or biometrics to be able to access specific accounts.

The bottom line is that users who are part of government agencies, or anybody handling very, very sensitive documents that could make them espionage targets, would have to be very careful with their keys. For ordinary users, as researchers wrote in their paper, “it is still safer to use YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.”

#YubiKey #vulnerability #attackers #clone #authentication #device