Some thoughts on the YubiKey EUCLEAK Vulnerability


It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens.

First up, as the research paper's abstract says:

The attack requires physical access to the secure element

So, straight off the bat, this reduces the likelihood of attack. Someone would need to actively target you. Of course, if you're the sort of person who secures all their secrets and cryptowallets with a FIDO token, you may be a juicy target!

Secondly, the attack relies on:

the adversary steal[ing] the login and password of a victim’s application account protected with FIDO

So, you need to lose your username, password, and token for this attack to be successful. Again, this is unlikely to happen as a "drive-by" attack.

Once the attacker gets your FIDO token, they need to analyse it using "expensive equipment". A cost of approximately $11,000 according to Ars.

That moves the attack away from the hands of casual criminals. It isn't an insurmountable barrier for organised crime or nation states.

Finally, Appendix A discusses how difficult it is to actually get the equipment close enough to the circuitry:

[…] capturing the EM signal with a small EM probe would not work if this probe is too far from the chip. We hence have to open the YubiKey plastic case to access its logic board. […] In both cases however, the device needs to be re-packaged if the adversary wants to give it back to legitimate user without him noticing. We did not study further this issue.

Here's what it looks like when that probe is placed next to the circuitry:

Photo of electrical equipment placed very close to a circuit board.

If you suddenly find your Yubikey smashed or cracked, then you may have been a victim of this attack!

A reasonable way to defend against this is to get some glittery nail polish. No, seriously! Put a blob of glitter polish on the seam of your device. Something like this:

Nails painted with polish. An intricate pattern has formed.

Take a photo. If the baddies grab your YubiKey and crack it open, they won't easily be able to get the pattern correct when they re-seal it. Regularly compare your photo to your device.

The Real Issue With FIDO Tokens

Physical tokens require physical security. I've moved to a an Encrypter Ring. I literally wear my FIDO token. I am extremely likely to notice someone removing my ring (or my finger).

Photo of my fingers stretched out so you can see the width of the ring.

Is your token on your keyring? Where is your keyring right now? In your pocket or hanging up somewhere? Most people either leave their FIDO token laying around out of sight or have it permanently plugged in to their machine. I'm not sure which is worse.

The other major issue is that it is impossible to revoke a FIDO token from all your accounts at once!

You've used your token to register with a few dozen sites, you either lose your key or discover it has been tampered with. What do you do?

There is no way to tell which sites you have used a FIDO token with. You have to remember (or keep a list somewhere). You will need to manually go to each site and revoke the stolen token. If you've forgotten one, you can't revoke it from your key, which means attackers could have unfettered access to that account.

What should I do?

The discoverers of this vulnerability take great pains to say:

it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.

I think they are correct. But there are still a few things you should do to secure yourself against this class of attack.

  1. Ensure the physical security of your token. Either wear it as jewellery, implant it in your skin, or reduce the likelihood of it being taken.
  2. Ensure the physical integrity of your token. Use nail-varnish or something similar to help you detect if it has been physically compromised.
  3. Ensure that you know which sites have been secured with a Yubikey. Make a note of it in your password manager or other secure vault.
  4. Ensure that you are less of a target. Don't brag about your security. Certainly don't post on the Internet about which security products you use and the countermeasures you take. Oh shit.

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

4 thoughts on “Some thoughts on the YubiKey EUCLEAK Vulnerability”

  1. said on infosec.exchange:

    @Edent I, um, thanks very much for this article. It's extremely clear that the main thing I should do is, as you say, record what key is used in what accounts. But...

    If someone gets into my house or physically steals my keys I have bigger problems 🤣 besides which, taking a copy of my keys, which provide access to my house, is trivially easier (a photo would be enough) and at least as dangerous. So if I'm comfortable with my house key security model, then my yubikey is still better than that.

    So basically: I fully agree with your assessment. Thanks for clearly explaining that I can ignore this concern.

    Reply | Reply to original comment on infosec.exchange
  2. Joker_vD says:

    Physical tokens require physical security

    Yep. Which is why e.g. having your password written down on a sticker on your monitor may or may not be a bad idea, depending on your threat model. It's almost impossible to steal a sticker over the network, but a personal visit compromises it immediately.

    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">