home.social

#eucleak — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #eucleak, aggregated by home.social.

  1. "We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
    ninjalab.io/eucleak/
    #eucleak #yubikey5

  2. "We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
    ninjalab.io/eucleak/
    #eucleak #yubikey5

  3. "We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
    ninjalab.io/eucleak/
    #eucleak #yubikey5

  4. "We discovered a side-channel vulnerability in the YubiKey 5Ci. More precisely, we were able to extract the full long term ECDSA secret key linked to a FIDO account from the YubiKey. Furthermore our side-channel journey showed that the vulnerability applies to all YubiKey 5 Series and more generally to all Infineon security microcontrollers (including TPMs)."
    ninjalab.io/eucleak/
    #eucleak #yubikey5

  5. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  6. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  7. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  8. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  9. We've update our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

    nytimes.com/wirecutter/reviews

  10. We've update our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

    nytimes.com/wirecutter/reviews

  11. We've update our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

    nytimes.com/wirecutter/reviews

  12. We've update our security keys guide in light of the #Eucleak attack. Given the complexity of the attack, we think most people can continue using their security keys. But if you're a high-risk individual, you may want to consider buying a new one.

    nytimes.com/wirecutter/reviews

  13. USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

    The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

    But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: securityboulevard.com/2024/09/ #EUCLEAK

  14. USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

    The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

    But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: securityboulevard.com/2024/09/ #EUCLEAK

  15. USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

    The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

    But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: securityboulevard.com/2024/09/ #EUCLEAK

  16. USB MFA SCA😱: #Infineon hardware and software blamed for timing side-channel attack on popular auth tokens.

    The most widely used #FIDO2 authentication device has a nasty flaw: It can be cloned. Other uses of #YubiKey’s vulnerable Infineon embedded chip might also be at risk—such as passports and credit cards.

    But is the sky really falling? In #SBBlogwatch, we dig into the nuance. At @TechstrongGroup⁠’s @SecurityBlvd: securityboulevard.com/2024/09/ #EUCLEAK

  17. i want to know, which companies/agencies were doing this highest level common criteria certification evaluation for the #infineon library that had this side-channel. #eucleak #ecdsa

  18. i want to know, which companies/agencies were doing this highest level common criteria certification evaluation for the #infineon library that had this side-channel. #eucleak #ecdsa

  19. i want to know, which companies/agencies were doing this highest level common criteria certification evaluation for the #infineon library that had this side-channel. #eucleak #ecdsa

  20. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc

  21. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc

  22. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc

  23. Even more luck to those who will now try frantically to switch their PCs bitlocker TPM from a potentially vulnerable Optima to the fTPMs on their CPU … #eucleak

  24. Even more luck to those who will now try frantically to switch their PCs bitlocker TPM from a potentially vulnerable Optima to the fTPMs on their CPU … #eucleak

  25. Even more luck to those who will now try frantically to switch their PCs bitlocker TPM from a potentially vulnerable Optima to the fTPMs on their CPU … #eucleak

  26. Even more luck to those who will now try frantically to switch their PCs bitlocker TPM from a potentially vulnerable Optima to the fTPMs on their CPU … #eucleak

  27. Good luck to everyone out there trying to identify if their smartcard, building access card, TPM or HSM use the vulnerable ECDSA library from Infineon! #eucleak arstechnica.com/security/2024/

  28. Good luck to everyone out there trying to identify if their smartcard, building access card, TPM or HSM use the vulnerable ECDSA library from Infineon! #eucleak arstechnica.com/security/2024/

  29. Good luck to everyone out there trying to identify if their smartcard, building access card, TPM or HSM use the vulnerable ECDSA library from Infineon! #eucleak arstechnica.com/security/2024/

  30. Good luck to everyone out there trying to identify if their smartcard, building access card, TPM or HSM use the vulnerable ECDSA library from Infineon! #eucleak arstechnica.com/security/2024/

  31. 英飞凌的 ECDSA 实现存在侧信道攻击漏洞;影响 Yubikey 5;攻击需要设备物理访问。

    - Yubikey 5 系固件版本在 5.7.0 以下的设备及 YubiHSM 2 系固件版本在 2.4.0 的设备受到影响。
    - 物理持有受影响设备的骇客或能够恢复设备中的 ECDSA 私钥;完成此攻击可能还需要设备 PIN 等信息。
    - 用户可换用基于 RSA 的验证方式以规避此问题,组织则可考虑提高验证频率要求以使用户更早认知到 Yubikey 丢失情形。

    https://ninjalab.io/eucleak/

    1.
    yubico.com/~

    linksrc:
    https://t.me/bupt_moe/2237

    #Cryptography #Security #Yubikey #Infineon #EUCLEAK

    Telegram 原文

  32. (2 of 2) An outstanding question is: which other keys / firmware versions are affected? Likely any keys using Infineon SLE78, Optiga Trust M, orInfineon Optiga TPM plus the Infineon crypto libraries. I assume that Google's Titan keys have Google's own crypto libraries (but I don't actually know that).

    Links:

    Researcher:
    ninjalab.io/eucleak/

    Infineon:
    ?

    Yubico (affected):
    yubico.com/support/security-ad
    support.yubico.com/hc/en-us/ar

    Google (write their own firmware?):
    ?

    FEITIAN (Unaffected?):
    From NinjaLAb writeup PDF: "Feitian explains that the Feitian A22 JavaCard has been updated years ago and
    none of their products is impacted."

    Google (vulnerable hardware?)
    infosec.exchange/@maxeddy/1130
    "Also, Google confirmed to us that the current version of its Titan keys uses the SLE78 that NinjaLabs used in their attack. Google told us that it will start providing a version of the Titan that won't be vulnerable to the attack 'soon.' "

    HID (?):
    ?

    Kensington(?):
    ?

    Ledger (at least one report of using STMicroeelctronics, not Infineon):
    ?

    NitroKey (stated as unaffected in email):
    gist.github.com/roycewilliams/

    Nordic (?):
    ?

    Solo Keys (?):
    ?

    Thales (?):
    ?

    Thetis: (?):
    ?

    Trezor (at least one report of using Infineon):
    ?

    TrustKey (formerly eWBM)
    (probably unaffected, own MCU)
    trustkeysolutions.com/en/sub/p
    (No official response link)

    Commentary:
    abyssdomain.expert/@filippo/11

    News/threads:

    reddit.com/r/yubikey/comments/

    arstechnica.com/security/2024/

    "The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low."

    infosec.exchange/@dangoodin/11

    "While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability."

    news.ycombinator.com/item?id=4

    securityboulevard.com/2024/09/

    theverge.com/2024/9/4/24235635

    shkspr.mobi/blog/2024/09/some-

    bleepingcomputer.com/news/secu

    tomshardware.com/tech-industry

    wired.com/story/yubikey-vulner

    nytimes.com/wirecutter/reviews

    Wallets and their secure element hardware:
    bitcointalk.org/index.php?topi

    #YubiKey #EUCLeak #Infineon #YSA202403 #YSA_2024_03

  33. (2 of 2) An outstanding question is: which other keys / firmware versions are affected? Likely any keys using Infineon SLE78, Optiga Trust M, orInfineon Optiga TPM plus the Infineon crypto libraries. I assume that Google's Titan keys have Google's own crypto libraries (but I don't actually know that).

    Links:

    Researcher:
    ninjalab.io/eucleak/

    Infineon:
    ?

    Yubico (affected):
    yubico.com/support/security-ad
    support.yubico.com/hc/en-us/ar

    Google (write their own firmware?):
    ?

    FEITIAN (Unaffected?):
    From NinjaLAb writeup PDF: "Feitian explains that the Feitian A22 JavaCard has been updated years ago and
    none of their products is impacted."

    Google (vulnerable hardware?)
    infosec.exchange/@maxeddy/1130
    "Also, Google confirmed to us that the current version of its Titan keys uses the SLE78 that NinjaLabs used in their attack. Google told us that it will start providing a version of the Titan that won't be vulnerable to the attack 'soon.' "

    HID (?):
    ?

    Kensington(?):
    ?

    Ledger (at least one report of using STMicroeelctronics, not Infineon):
    ?

    NitroKey (stated as unaffected in email):
    gist.github.com/roycewilliams/

    Nordic (?):
    ?

    Solo Keys (?):
    ?

    Thales (?):
    ?

    Thetis: (?):
    ?

    Trezor (at least one report of using Infineon):
    ?

    TrustKey (formerly eWBM)
    (probably unaffected, own MCU)
    trustkeysolutions.com/en/sub/p
    (No official response link)

    Commentary:
    abyssdomain.expert/@filippo/11

    News/threads:

    reddit.com/r/yubikey/comments/

    arstechnica.com/security/2024/

    "The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low."

    infosec.exchange/@dangoodin/11

    "While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability."

    news.ycombinator.com/item?id=4

    securityboulevard.com/2024/09/

    theverge.com/2024/9/4/24235635

    shkspr.mobi/blog/2024/09/some-

    bleepingcomputer.com/news/secu

    tomshardware.com/tech-industry

    wired.com/story/yubikey-vulner

    nytimes.com/wirecutter/reviews

    Wallets and their secure element hardware:
    bitcointalk.org/index.php?topi

    #YubiKey #EUCLeak #Infineon #YSA202403 #YSA_2024_03

  34. (2 of 2) An outstanding question is: which other keys / firmware versions are affected? Likely any keys using Infineon SLE78, Optiga Trust M, orInfineon Optiga TPM plus the Infineon crypto libraries. I assume that Google's Titan keys have Google's own crypto libraries (but I don't actually know that).

    Links:

    Researcher:
    ninjalab.io/eucleak/

    Infineon:
    ?

    Yubico (affected):
    yubico.com/support/security-ad
    support.yubico.com/hc/en-us/ar

    Google (write their own firmware?):
    ?

    FEITIAN (Unaffected?):
    From NinjaLAb writeup PDF: "Feitian explains that the Feitian A22 JavaCard has been updated years ago and
    none of their products is impacted."

    Google (vulnerable hardware?)
    infosec.exchange/@maxeddy/1130
    "Also, Google confirmed to us that the current version of its Titan keys uses the SLE78 that NinjaLabs used in their attack. Google told us that it will start providing a version of the Titan that won't be vulnerable to the attack 'soon.' "

    HID (?):
    ?

    Kensington(?):
    ?

    Ledger (at least one report of using STMicroeelctronics, not Infineon):
    ?

    NitroKey (stated as unaffected in email):
    gist.github.com/roycewilliams/

    Nordic (?):
    ?

    Solo Keys (?):
    ?

    Thales (?):
    ?

    Thetis: (?):
    ?

    Trezor (at least one report of using Infineon):
    ?

    TrustKey (formerly eWBM)
    (probably unaffected, own MCU)
    trustkeysolutions.com/en/sub/p
    (No official response link)

    Commentary:
    abyssdomain.expert/@filippo/11

    News/threads:

    reddit.com/r/yubikey/comments/

    arstechnica.com/security/2024/

    "The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low."

    infosec.exchange/@dangoodin/11

    "While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability."

    news.ycombinator.com/item?id=4

    securityboulevard.com/2024/09/

    theverge.com/2024/9/4/24235635

    shkspr.mobi/blog/2024/09/some-

    bleepingcomputer.com/news/secu

    tomshardware.com/tech-industry

    wired.com/story/yubikey-vulner

    nytimes.com/wirecutter/reviews

    Wallets and their secure element hardware:
    bitcointalk.org/index.php?topi

    #YubiKey #EUCLeak #Infineon #YSA202403 #YSA_2024_03