Yubico, known for its YubiKey 5 series hardware tokens used for two-factor authentication, was affected by a cryptographic flaw that allows the devices to be cloned. The vulnerability was identified as a side channel in the Infineon microcontroller used across several authentication products. Because updating the YubiKey firmware isn't feasible, all keys with firmware versions older than 5.7 remain permanently at risk. Exploiting the flaw requires physical access and sophisticated technical knowledge. Although the implications are concerning, no misuse of the flaw has been reported thus far.
Source: https://www.wired.com/story/yubikey-vulnerability-cloning/
TPRM report: https://scoringcyber.rankiteo.com/company/yubico
"id": "yub004090624",
"linkid": "yubico",
"type": "Vulnerability",
"date": "9/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity',
'name': 'Yubico',
'type': 'Company'}],
'attack_vector': 'Side Channel',
'description': 'Yubico faced a significant issue with a cryptographic flaw '
'allowing cloning of the YubiKey 5 series devices. This '
'vulnerability was identified as a side channel in the '
'Infineon microcontroller used across several authentication '
"products. Because updating the YubiKey firmware isn't "
'feasible, all keys with firmware versions older than 5.7 '
'remain permanently at risk. The exploitation of this flaw '
'requires physical access and sophisticated technical '
'knowledge. Although the implications are concerning, there '
'has been no reported misuse of this flaw thus far.',
'impact': {'systems_affected': 'YubiKey 5 series devices with firmware '
'versions older than 5.7'},
'post_incident_analysis': {'root_causes': 'Cryptographic flaw in Infineon '
'microcontroller'},
'title': 'Cryptographic Flaw in YubiKey 5 Series',
'type': 'Cryptographic Vulnerability',
'vulnerability_exploited': 'Cryptographic Flaw in Infineon Microcontroller'}