The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.
The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
@dangoodin It's significant, sure, but I'm skeptical of using the term "brief" when it also requires (carefully) removing the current device housing, running the attack with phished credentials against a service that wouldn't rate limit such attempts, and then replacing it with a new housing as well.
I suppose someone who might be a potential target could take some extra physical security steps to make tampering evident, like encasing it in a custom color of liquid+cured resin.