Millions of people use YubiKeys as part of a multi-factor authentication system to keep sensitive accounts locked down.
A password is relatively easy to phish, but a physical unit like a YubiKey makes entry almost impossible.
NinjaLab rooted through ECDSA, reverse-engineered some of its cryptographic library, and designed its side-channel attack.
The new vulnerability makes it possible, provided they've got a lot of time, brains, and cash.
Yubico disclosed the vulnerability on its website alongside a detailed report from security researchers at NinjaLab.
An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys.
"Note that the cost of this setup is about [$10,000]," NinjaLab said.
Using a fancier oscilloscope could push the cost of the whole operation up an additional $30,000.
However, we did not check (yet) that the EUCLEAK attack applies to any of these products.
NinjaLab stressed repeatedly in its research that exploiting this vulnerability takes extraordinary resources.