Security pros reacting to the Sept. 3 news that researchers discovered a vulnerability in YubiKey 5 authentication devices that left them susceptible to cloning via a side-channel attack said that while it does take a great deal of expertise to execute such an attack on a cryptographic library, the experts were concerned because of the sheer volume of YubiKey users.
YubiKey claims it has sold more than 22 million units across 160 countries. Top tech companies such as Amazon, Facebook, Google, Microsoft, and Twitter use YubiKeys every day to secure employee accounts.
NinjaLabs researcher Thomas Roche wrote in a blog post that all YubiKey 5 Series with firmware versions below 5.7 are impacted by the “Eucleak” vulnerability, as are the Infineon microchips that run the Infineon cryptographic library used in the affected YubiKey devices.
Roche reported that the responsible disclosure started April 19 and Infineon confirmed on July 26 that it implemented and tested a patch to its library, eliminating the attack threat. The vulnerability was undetected for 14 years, wrote Roche.
YubiKey also released a statement on Sept. 3, which described the issue as a side-channel vulnerability in the Elliptical Curve Digital Signature Algorithm (ECDSA) implementation in the Infineon cryptographic library. YubiKey said ECDSA is used for generating cryptographic signatures based on elliptic curves.
According to YubiKey, a sophisticated attacker could use the side-channel vulnerability to recover ECDSA private keys. An attacker requires physical possession and the ability to observe the vulnerable operation with specialized equipment, such as an oscilloscope, to perform this attack. To observe the vulnerable operation, the attacker may also require additional knowledge such as account name, account password, device PIN, or YubiHSM authentication key.
Overall, the attacks require about $11,000 worth of equipment and a high-level of understanding of electrical and cryptographic engineering
Callie Guenther, senior manager of threat research at Critical Start, said the Eucleak vulnerability is a rare, high-sophisticated attack, likely indicative of state-sponsored actors, insiders or advanced criminal groups targeting high-value assets. Guenther, an SC Media columnist, said this attack requires physical access, specialized equipment, and deep knowledge of the victim's accounts, suggesting it would be used in highly targeted operations, such as espionage or covert access, rather than opportunistic attacks.
“Intelligence teams typically don't monitor for such side-channel threats due to their low likelihood and complexity,” said Guenther. “However, the severity of potential consequences — like key cloning — means this attack class should not be ignored, especially in environments where critical data or sensitive operations are at risk. It serves as a reminder that even low-probability attacks can be devastating if executed successfully.”
Jason Soroko senior vice president of product at Sectigo, said this kind of side-channel attack poses a significant risk to users, particularly when targeting hardware-based cryptographic implementations like YubiKeys. Soroko said these attacks exploit physical attributes, such as electromagnetic emissions during cryptographic processes to infer sensitive data like private keys.
“In the Eucleak case, while the attack is complex and requires physical access to the device, the potential for cloning YubiKey security keys is concerning because of the widespread use of this hardware for authentication,” said Soroko. “What makes this most concerning is that field patching of hardware is often not possible, meaning that the vulnerability will exist as long as the device is still used. Such attacks on crypto libraries are not common and also difficult to achieve. We would be most afraid of attacks that can be automated putting it into the hands of less sophisticated attackers.”
Critical Start’s Guenther said security teams should take the following steps to protect their organizations:
- Firmware Updates: Ensure all YubiKeys and similar devices are updated to the latest firmware version that no longer uses the vulnerable Infineon cryptographic library (version 5.7 or later). Devices using earlier firmware are vulnerable.
- Physical Security: Protect hardware tokens from being accessed by unauthorized personnel. Since this attack requires physical access, limiting who can handle devices is crucial.
- Session Management: Security teams should enforce shorter session lifetimes and require frequent re-authentication, making it harder for attackers to use cloned keys unnoticed.
- Key Rotation and Monitoring: Keep track of where YubiKeys are registered, and if a key gets lost or potentially compromised, revoke its access immediately. Organizations should adopt a process to quickly rotate credentials when a key is suspected to be compromised.
- User Education: Inform users about the potential risks associated with their hardware tokens and ensure they are aware of proper security hygiene, such as using PINs or biometric verification where applicable.
