Critical Flaw Discovered in Yubikey Devices Threatens Two-Factor Authentication Security

A significant security vulnerability has been discovered in Yubico’s two-factor authentication (2FA) keys, affecting many Yubikey 5, Security Key, and YubiHSM devices. This critical flaw also impacts the Feitian A22 JavaCard and other devices using Infineon SLB96xx series TPMs. The vulnerability is severe enough that all affected keys should be considered compromised and replaced promptly.

Two-factor authentication enhances security by requiring a unique code, generated by either a software app like Microsoft Authenticator or hardware devices such as Yubikey, in addition to a password for logging into accounts. This added layer of protection is increasingly adopted by financial institutions and various online services to reduce data breaches and financial fraud.

The security of 2FA keys hinges on generating codes via complex algorithms that are hard to reverse-engineer. Modern 2FA technologies often employ sophisticated mathematical methods, such as elliptic curve algorithms. However, side-channel attacks pose a significant threat. These attacks involve monitoring the physical aspects of a device to extract its secret information.

In this case, researchers at NinjaLab dedicated two years to studying and deciphering radio emissions from the vulnerable Infineon TPM chips used in various 2FA keys, including those from Yubico and Feitian. They found that an attacker needs about an hour of physical access to a key to capture its radio emissions, and then another day or two to decode this data and make a copy of the 2FA key. The process, while complex, is detailed in NinjaLab’s publication for those acquainted with cryptography, mathematics, and electronics.

It’s crucial for users of Yubico 2FA keys to check the Yubico security advisory to determine their exposure to this vulnerability. Users of other 2FA devices should consult their manufacturers to find out if their devices utilize the compromised Infineon SLB96xx series TPMs. Unfortunately, these vulnerable devices cannot be patched to eliminate the security flaw.

Owners of compromised keys should urgently consider switching to secure alternatives, after verifying that the replacements are not susceptible to the same vulnerability. Options like Feitian or iShield are potential replacements worth exploring.