Close Menu
Best in TechnologyBest in Technology
  • News
  • Phones
  • Laptops
  • Gadgets
  • Gaming
  • AI
  • Tips
  • More
    • Web Stories
    • Global
    • Press Release

Subscribe to Updates

Get the latest tech news and updates directly to your inbox.

What's On
I tried to parody the most absurd AI products, but the tech industry beat me to it

I tried to parody the most absurd AI products, but the tech industry beat me to it

12 July 2026
The Pixel 11 is almost here, and these are the 3 upgrades I’m begging Google to make

The Pixel 11 is almost here, and these are the 3 upgrades I’m begging Google to make

12 July 2026
What is Copilot? Everything you need to know about Microsoft’s AI assistant

What is Copilot? Everything you need to know about Microsoft’s AI assistant

12 July 2026
Facebook X (Twitter) Instagram
Just In
  • I tried to parody the most absurd AI products, but the tech industry beat me to it
  • The Pixel 11 is almost here, and these are the 3 upgrades I’m begging Google to make
  • What is Copilot? Everything you need to know about Microsoft’s AI assistant
  • Scientists’ Side Hustle? Using AI and Quantum Computing to Generate New Peptides
  • The Best Robotic Pool Cleaners of 2026: Beatbot, iGarden, Dreame
  • NBA The Run Adds Campaign Mode In 2027
  • I bought into a brighter future, but my digital life bills monthly subscriptions
  • Here’s How Apple Is Updating Its Child Safety Features in iOS 27
Facebook X (Twitter) Instagram Pinterest Vimeo
Best in TechnologyBest in Technology
  • News
  • Phones
  • Laptops
  • Gadgets
  • Gaming
  • AI
  • Tips
  • More
    • Web Stories
    • Global
    • Press Release
Subscribe
Best in TechnologyBest in Technology
Home » YubiKeys Are a Security Gold Standard—but They Can Be Cloned
News

YubiKeys Are a Security Gold Standard—but They Can Be Cloned

News RoomBy News Room5 September 20244 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
YubiKeys Are a Security Gold Standard—but They Can Be Cloned
Share
Facebook Twitter LinkedIn Pinterest Email

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

Patching Not Possible

YubiKey maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM; knowledge of the accounts they want to target; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key.”

Side channels are the result of clues left in physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task that leaks cryptographic secrets. In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time-sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

In Tuesday’s report, NinjaLab cofounder Thomas Roche wrote:

In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. This vulnerability lies in the ECDSA ephemeral key (or nonce) modular inversion, and, more precisely, in the Infineon implementation of the Extended Euclidean Algorithm (EEA for short). To our knowledge, this is the first time an implementation of the EEA is shown to be vulnerable to side-channel analysis (contrarily to the EEA binary version). The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour.

After a long phase of understanding Infineon implementation through side-channel analysis on a Feitian 10 open JavaCard smartcard, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. All YubiKey 5 Series (before the firmware update 5.7 11 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips. These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleThe Garmin Fenix 8 is almost out, so the 7X has a huge price cut
Next Article How to use Microsoft Excel: a guide for beginners

Related Articles

I tried to parody the most absurd AI products, but the tech industry beat me to it
News

I tried to parody the most absurd AI products, but the tech industry beat me to it

12 July 2026
The Pixel 11 is almost here, and these are the 3 upgrades I’m begging Google to make
News

The Pixel 11 is almost here, and these are the 3 upgrades I’m begging Google to make

12 July 2026
What is Copilot? Everything you need to know about Microsoft’s AI assistant
News

What is Copilot? Everything you need to know about Microsoft’s AI assistant

12 July 2026
Scientists’ Side Hustle? Using AI and Quantum Computing to Generate New Peptides
News

Scientists’ Side Hustle? Using AI and Quantum Computing to Generate New Peptides

12 July 2026
The Best Robotic Pool Cleaners of 2026: Beatbot, iGarden, Dreame
News

The Best Robotic Pool Cleaners of 2026: Beatbot, iGarden, Dreame

12 July 2026
I bought into a brighter future, but my digital life bills monthly subscriptions
News

I bought into a brighter future, but my digital life bills monthly subscriptions

12 July 2026
Demo
Top Articles
5 laptops to buy instead of the M4 MacBook Pro

5 laptops to buy instead of the M4 MacBook Pro

17 November 2024133 Views
ChatGPT o1 vs. o1-mini vs. 4o: Which should you use?

ChatGPT o1 vs. o1-mini vs. 4o: Which should you use?

15 December 2024111 Views
Costco partners with Electric Era to bring back EV charging in the U.S.

Costco partners with Electric Era to bring back EV charging in the U.S.

28 October 2024100 Views

Subscribe to Updates

Get the latest tech news and updates directly to your inbox.

Latest News
NBA The Run Adds Campaign Mode In 2027 Gaming

NBA The Run Adds Campaign Mode In 2027

News Room12 July 2026
I bought into a brighter future, but my digital life bills monthly subscriptions News

I bought into a brighter future, but my digital life bills monthly subscriptions

News Room12 July 2026
Here’s How Apple Is Updating Its Child Safety Features in iOS 27 News

Here’s How Apple Is Updating Its Child Safety Features in iOS 27

News Room12 July 2026
Most Popular
The Spectacular Burnout of a Solar Panel Salesman

The Spectacular Burnout of a Solar Panel Salesman

13 January 2025137 Views
5 laptops to buy instead of the M4 MacBook Pro

5 laptops to buy instead of the M4 MacBook Pro

17 November 2024133 Views
ChatGPT o1 vs. o1-mini vs. 4o: Which should you use?

ChatGPT o1 vs. o1-mini vs. 4o: Which should you use?

15 December 2024111 Views
Our Picks
Scientists’ Side Hustle? Using AI and Quantum Computing to Generate New Peptides

Scientists’ Side Hustle? Using AI and Quantum Computing to Generate New Peptides

12 July 2026
The Best Robotic Pool Cleaners of 2026: Beatbot, iGarden, Dreame

The Best Robotic Pool Cleaners of 2026: Beatbot, iGarden, Dreame

12 July 2026
NBA The Run Adds Campaign Mode In 2027

NBA The Run Adds Campaign Mode In 2027

12 July 2026

Subscribe to Updates

Get the latest tech news and updates directly to your inbox.

Facebook X (Twitter) Instagram Pinterest
  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact Us
© 2026 Best in Technology. All Rights Reserved.

Type above and press Enter to search. Press Esc to cancel.