In a successful attack scenario, a bad actor can steal a user’s login ID and password (through phishing or other methods), and gain virtual access to their token without their knowledge. Then they send confirmation requests to the token while recording measurements on the side token. Once the device is recovered, they can launch a side channel attack to extract the Elliptic Curve Digital Signature Algorithm (ECDSA) linked to the account. This then gives them undetected access.
“Let’s assume that an attacker is able to steal your YubiKey, unlock it to access the logic board, use the EUCLEAK attack and repackage the original YubiKey in such a way that you don’t realize you lost it in the first place. ,” said Roche. “Then an attacker can create a copy of your authentication factor – a copy of your YubiKey. You feel safe if not.”
A cryptographic flaw that allows this exists in the microcontroller used in the device, and affects all YubiKeys and Security Keys running firmware prior to version 5.7 (released in May). It also affects YubiHSM 2 versions prior to 2.4.0 (released this week).
Source link