Notebookcheck Logo

Unpatchable Yubico two-factor authentication key vulnerability breaks the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices

Unpatchable Yubico two-factor authentication key vulnerability breaks the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices. (Image source: Yubico)
Unpatchable Yubico two-factor authentication key vulnerability breaks the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices. (Image source: Yubico)
An unpatchable Yubico two-factor authentication key vulnerability has broken the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices. The Feitian A22 JavaCard is also vulnerable. Vulnerable 2FA keys should be replaced as soon as possible, especially when used to secure cybercurrency or top-secret information.

An unpatchable Yubico two-factor authentication key vulnerability has broken the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices. The Feitian A22 JavaCard and other devices using Infineon SLB96xx series TPMs are also vulnerable. All vulnerable 2FA keys should be assumed compromised and replaced with non-vulnerable ones as soon as possible.

Two-factor (2FA) security authentication uses a unique code generated by a software app (e.g. Microsoft Authenticator) or a hardware key (e.g. Yubikey) in addition to a password to log into online accounts. A growing number of account providers, such as banks, have implemented 2FA security in order to reduce the theft of data and money.

Two-factor authentication keys depend on the generation of a unique code using methods that are difficult to reverse engineer. Modern 2FA apps and keys often use more complex math such as elliptic curve algorithms (deep dive into the mathematics at IBM's site).

Side-channel attacks monitor aspects of an electronic device to create an attack. For the vulnerable Infineon TPM chips used in the Yubico, Feitian, and other 2FA keys, the researchers at Ninjalabs spent two years capturing and deciphering the radio emissions from the chips to create an attack.

Hackers would need up to an hour of access to the key to capture the radio emissions, then a day or two to decipher the data and create a copy of the 2FA key. The math and techniques are rather complex, so readers with know-how in cryptography, math, and electronics can read the complex methods in the NinjaLab's article. NinjaLab previously revealed similar vulnerabilities in other Google Titan, Feitian, Yubico, and NXP keys.

Users of Yubico 2FA keys should consult the Yubico security advisory to see if their keys are vulnerable. Users of other devices will need to ask the makers if the devices use vulnerable Infineon SLB96xx series TPMs. Affected devices cannot be patched to fix the security vulnerability.

All affected key owners should strongly consider switching to alternatives after confirming the alternatives are not vulnerable. Alternative 2FA keys include the Feitian or iShield.

The listed devices are vulnerable to the security exploit, and users should consider replacing them. (Image source: Yubico)
The listed devices are vulnerable to the security exploit, and users should consider replacing them. (Image source: Yubico)
Ninjalabs used probes to measure the radio emissions from vulnerable chips to develop an attack. (Image source: Ninjalabs)
Ninjalabs used probes to measure the radio emissions from vulnerable chips to develop an attack. (Image source: Ninjalabs)
An example of the electronic signals captured that Ninjalabs used to look for a vulnerability. (Image source: Ninjalabs)
An example of the electronic signals captured that Ninjalabs used to look for a vulnerability. (Image source: Ninjalabs)
Read all 13 comments / answer
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2024 09 > Unpatchable Yubico two-factor authentication key vulnerability breaks the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices
David Chien, 2024-09- 4 (Update: 2024-09- 4)