All YubiKey 5 Series authentication devices older than firmware version 5.7, as well as Infineon microchips within the devices' Infineon cryptographic library, were noted by NinjaLabs researcher Thomas Roche to be at risk of being cloned due to the side-channel vulnerability dubbed "Eucleak," reports SC Media.
Eucleak, which stems from faulty Elliptical Curve Digital Signature Algorithm within the Infineon cryptographic library, could be leveraged by threat actors to facilitate acquisition of ECDSA private keys used for elliptic curve-based cryptographic signature generation, as well as the compromise of account names and passwords, YubiHSM authentication keys, and device PINs, according to YubiKey.
Attacks involving the issue could potentially be launched by state-backed threat operations, sophisticated cybercrime groups, and insiders due to the extensive account knowledge, specialized equipment, and physical access required for their success, noted Critical Start Senior Manager of Threat Research Callie Guenther, who urged timely firmware updates, continuous key rotation and management, more robust physical security and session management, and comprehensive user education to avert potential attacks.