A new “EUCLEAK” flaw found in FIDO devices using the Infineon SLE78 security microcontroller, like Yubico’s YubiKey 5 Series, allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys and clone the FIDO device.

NinjaLab’s Thomas Roche, who discovered the flaw and devised the EUCLEAK side-channel attack, notes that the side channel can retrieve an ECDSA secret key using EM acquisitions.

However, the attack requires extended physical access, specialized equipment, and a high level of understanding of electronics and cryptography.

These prerequisites significantly mitigate the risk, limiting it mostly to attacks from highly sophisticated, state-sponsored threat actors against high-value targets. With that said, EUCLEAK is not considered a threat to general users, even to those who use theoretically vulnerable devices.

Yubico responds to EUCLEAK

The flaw impacts YubiKey 5 Series devices running firmware versions older than 5.7.0, which uses Infineon’s flawed cryptographic library.

The models impacted by EUCLEAK are:

• YubiKey 5 Series versions prior to 5.7
• YubiKey 5 FIPS Series prior to 5.7
• YubiKey 5 CSPN Series prior to 5.7
• YubiKey Bio Series versions prior to 5.7.2
• Security Key Series all versions prior to 5.7
• YubiHSM 2 versions prior to 2.4.0
• YubiHSM 2 FIPS versions prior to 2.4.0

The vendor rated the issue as moderate, assigning a CVSS score of only 4.9, which reflects its low risk.

Also, Yubico notes in its advisory that attackers attempting to recover credentials from impacted keys would require the user PIN or biometric verification for full exploitation, making successful attacks even harder.

YubiKey owners can check the firmware version of the security keys using YubiKey Manager or YubiKey Authenticator.

Unfortunately, if you are using a vulnerable version, there is no way to upgrade the firmware to the latest 5.7.0 (YubiKey) or 2.4.0 (YubiHSM) versions to mitigate this flaw.

The vendor recommends using RSA signing keys instead of elliptic curve (ECC) signing keys and limiting the maximum session duration from the identity provider settings to require more frequent FIDO authentications.

Other impacted products

NinjaLab confirmed that EUCLEAK also impacts Infineon TPMs (SLB96xx), used for secure boot, authentication, and cryptographic operations, and Infineon’s Optiga Trust M security microcontroller, used in IoT devices.

Infineon TPMs are used in the smart enclaves of old (between 2013 and 2018) smartphones and tablets from Samsung and OnePlus, and also some dated (from mid-2010s) laptop models from Lenovo, Acer, Dell, HP, and LG.

The Feitian A22 JavaCard, used in smart cards and authentication systems, is also impacted by using the Infineon SLE78 microcontroller.

Other potentially impacted devices include e-passports, cryptocurrency hardware wallets (cold wallets), IoT devices, and any FIDO device that uses Infineon’s SLE78.