Unveiling EAL6+ Side-Channel Vulnerability in Infineon's Cryptographic Library: Implications for Security Devices

A critical side-channel vulnerability has recently been uncovered in Infineon's cryptographic library, impacting a range of devices, including the YubiKey 5 Series, Trezor 3 & 5, JuBiter, Keevo Model 1, all Secux Models, imKey Pro, Hashwallet and HyperMate. This vulnerability was brought to light due to comprehensive security evaluations. It poses a significant threat as it could illicitly allow malicious actors to obtain private keys through illicit physical access to the device.

A critical vulnerability, named "EUCLEAK," has been discovered in the process of generating ECDSA keys. This vulnerability stems from a non-constant-time modular inversion in the Extended Euclidean Algorithm. Because of this flaw, attackers could exploit it through an electromagnetic side-channel attack. This type of attack involves capturing electromagnetic signals emitted during cryptographic operations and using them to deduce the private key. It's crucial to address this vulnerability to prevent potential security breaches.

Certain models within the YubiKey 5 Series, which rely on a specific cryptographic library, are potentially susceptible to a particular form of attack. This attack method necessitates physical access and specialized equipment, rendering it a difficult but achievable threat for targeted intrusion into valuable credentials. It is crucial to understand that security devices such as the YubiKey, which utilizes the Fast Identity Online (FIDO) protocol for user authentication, are particularly exposed to this attack category.

The attack involves several stages:

1. To measure electromagnetic emissions during cryptographic operations, it is necessary to have physical access to the device. This access allows for the direct observation and analysis of the electromagnetic radiation emitted while executing cryptographic algorithms.

2. Studying side-channel data to reconstruct the private key is a critical and challenging undertaking within cryptography and cybersecurity. This process involves analyzing various unintended channels of information, such as power consumption or electromagnetic radiation, to gain insight into cryptographic algorithms and potentially deduce the private key, which is essential for maintaining secure communication and data protection.

3. Using a stolen key to duplicate the security device allows an individual to evade the cryptographic security protocols.

Yubico has responded proactively to a recent discovery by updating its devices. To minimize potential risks, it is moving away from the vulnerable Infineon library and transitioning to a proprietary solution. Meanwhile, Infineon is said to be in the process of developing a patch for the vulnerability. However, as of the latest reports, the updated library has not yet received Common Criteria certification.

The recent discovery of a new vulnerability highlights the ongoing challenges of maintaining robust cryptographic security in the face of increasingly sophisticated cyber attacks. This serves as a stark reminder of the critical importance of remaining vigilant and proactive in cybersecurity, particularly when it comes to ensuring that devices responsible for handling sensitive data are equipped with timely security updates.