YubiKeys have an unfixable security flaw

Sep 04, 2024

Security researchers have discovered a vulnerability in YubiKey two-factor authentication tokens that enables attackers to clone the device, according to a new security advisory. The vulnerability was found in the Infineon cryptographic library used by most YubiKey products, including the YubiKey 5, YubiKey Bio, Security Key, and YubiHSM 2 series devices.

YubiKey maker Yubico says the severity of the side-channel vulnerability is “moderate” but that it is difficult to exploit, partly because two-factor systems rely on something the user has and something only they should know.

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or a state-sponsored attack.

As YubiKey firmware can’t be updated, all YubiKey 5 devices before firmware version 5.7 (or 5.7.2 for the Bio series and 2.4.0 for YubiHSM 2) will remain vulnerable forever. Later model versions aren’t affected, as they no longer use the Infineon cryptographic library. NinjaLab, the security firm that discovered the vulnerability, estimates that it has existed in Infineon’s top security chips for over 14 years. The researchers believe other devices using the Infineon cryptographic library or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers are also at risk.
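Because affected firmware cannot be patched, the practical defender task is inventory triage: find which issued keys predate the fixed firmware and need replacing. The following Python script is an added example, not code from Yubico, NinjaLab or the article; it encodes only the three thresholds the article gives (5.7 for the YubiKey 5 series, 5.7.2 for the Bio series, 2.4.0 for YubiHSM 2), reports "unknown" for products such as the Security Key series where the article states no threshold, and runs over a constructed, fictional inventory in a "serial,product,firmware" format of my own choosing.

```python
"""Triage a device inventory against the firmware thresholds quoted in the article.

Thresholds from the article: YubiKey 5 series fixed from 5.7, YubiKey Bio from
5.7.2, YubiHSM 2 from 2.4.0. The inventory format, sample data and function
names below are constructed for this example.
"""
from typing import Optional

# Earliest firmware that no longer uses the affected Infineon library, keyed by a
# normalized product name (lowercase, no spaces or hyphens).
FIXED_FROM = {
    "yubikey5": (5, 7, 0),
    "yubikeybio": (5, 7, 2),
    "yubihsm2": (2, 4, 0),
}


def parse_version(text: str) -> tuple:
    """Turn '5.7' or '5.7.2' into a 3-tuple so versions compare numerically."""
    nums = tuple(int(part) for part in text.strip().split("."))
    if len(nums) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return nums + (0,) * (3 - len(nums))


def normalize_product(product: str) -> str:
    return product.lower().replace(" ", "").replace("-", "")


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the firmware predates the fix, False if it is at or past the fix,
    None if the article lists no threshold for this product family."""
    key = normalize_product(product)
    for family, fixed in FIXED_FROM.items():
        # prefix match so 'YubiKey 5 NFC' is treated as YubiKey 5 series
        if key.startswith(family):
            return parse_version(version) < fixed
    return None


# Constructed sample inventory (fictional serials and firmware values).
SAMPLE_INVENTORY = """\
1001,YubiKey 5 NFC,5.4.3
1002,YubiKey 5,5.7
1003,YubiKey Bio,5.7.1
1004,YubiHSM 2,2.3.1
1005,Security Key,5.4.3
"""


def triage(inventory_csv: str) -> dict:
    """Map each serial to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        serial, product, firmware = (field.strip() for field in line.split(","))
        status = is_affected(product, firmware)
        result[serial] = (
            "unknown" if status is None else "affected" if status else "fixed"
        )
    return result


if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(f"{serial}: {status}")
```

Devices reported as "affected" cannot be brought to a fixed firmware, so the remediation is replacement; "unknown" entries need the vendor advisory consulted for that product line rather than being assumed safe.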
