A recently uncovered vulnerability known as “EUCLEAK” poses a significant threat to FIDO devices utilizing Infineon’s SLE78 security microcontroller, including Yubico’s YubiKey 5 Series. This flaw enables attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys through a sophisticated side-channel attack that involves capturing electromagnetic (EM) emissions from the device. Discovered by NinjaLab’s Thomas Roche, the attack method is highly complex, requiring extensive physical access to the device, specialized equipment, and advanced knowledge in electronics and cryptography.
The impact of EUCLEAK is currently considered moderate, primarily because the prerequisites for executing the attack are demanding and limit its risk to high-value targets, such as state-sponsored actors. Roche’s previous research, which revealed similar vulnerabilities in Google Titan security keys in 2021, underscores the severity of these side-channel attacks but also highlights the advanced nature of the required methods. The specific models affected include various versions of YubiKey 5 Series, YubiKey Bio, YubiHSM 2, and Infineon TPMs.
Yubico has acknowledged the issue and rated the risk as moderate, assigning a CVSS score of 4.9. The company notes that attackers would also need user PINs or biometric verification to fully exploit the vulnerability, further complicating successful attacks. Yubico has advised users to check their firmware versions using YubiKey Manager or YubiKey Authenticator and suggests switching to RSA signing keys as a precautionary measure. Unfortunately, updating firmware to mitigate the flaw is not an option for affected versions.
In addition to YubiKey devices, the EUCLEAK vulnerability impacts Infineon’s TPMs, used in older smartphones, tablets, laptops, and smart cards, as well as other devices like e-passports and cryptocurrency hardware wallets. The extensive reach of this vulnerability highlights the need for heightened awareness and proactive measures among users of affected devices.
Reference:
