#ysa202403 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #ysa202403, aggregated by home.social.
-
(2 of 2) An outstanding question is: which other keys / firmware versions are affected? Likely any keys using Infineon SLE78, Optiga Trust M, or Infineon Optiga TPM plus the Infineon crypto libraries. I assume that Google's Titan keys have Google's own crypto libraries (but I don't actually know that).

Links:

Researcher:
https://ninjalab.io/eucleak/

Infineon:
?

Yubico (affected):
https://www.yubico.com/support/security-advisories/ysa-2024-03/
https://support.yubico.com/hc/en-us/articles/15705749884444-Infineon-ECDSA-Private-Key-Recovery-Customer-Resources

Google (write their own firmware?):
?

FEITIAN (Unaffected?):
From NinjaLab writeup PDF: "Feitian explains that the Feitian A22 JavaCard has been updated years ago and none of their products is impacted."

Google (vulnerable hardware?)
https://infosec.exchange/@maxeddy/113092117674749246
"Also, Google confirmed to us that the current version of its Titan keys uses the SLE78 that NinjaLabs used in their attack. Google told us that it will start providing a version of the Titan that won't be vulnerable to the attack 'soon.' "

HID (?):
?

Kensington(?):
?

Ledger (at least one report of using STMicroelectronics, not Infineon):
?

NitroKey (stated as unaffected in email):
https://gist.github.com/roycewilliams/4d100719f033cc1b1aa9fad084b74a97

Nordic (?):
?

Solo Keys (?):
?

Thales (?):
?

Thetis: (?):
?

Trezor (at least one report of using Infineon):
?

TrustKey (formerly eWBM)
(probably unaffected, own MCU)
https://www.trustkeysolutions.com/en/sub/product.form
(No official response link)

Commentary:
https://abyssdomain.expert/@filippo/113074626948195938

News/threads:
"The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low."
https://infosec.exchange/@dangoodin/113074992609951759
"While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability."
https://news.ycombinator.com/item?id=41434500
https://securityboulevard.com/2024/09/fwbifx/
https://shkspr.mobi/blog/2024/09/some-thoughts-on-the-yubikey-eucleak-vulnerability/
https://www.wired.com/story/yubikey-vulnerability-cloning/
https://www.nytimes.com/wirecutter/reviews/best-security-keys/

Wallets and their secure element hardware:
https://bitcointalk.org/index.php?topic=5304483.0