Researchers have discovered that YubiKey security keys can be cloned through a side-channel attack. The attack uses a vulnerability in a third-party cryptographic library, Infineon, to make a clone of a YubiKey security key. The clone can then be used to gain access to a victim’s account. However, the attack is difficult to pull off. The hacker must obtain the username and password of an account, as well as have physical access to the victim’s Yubikey device. NinjaLab, the company whose researchers discovered the vulnerability, has informed both Yubico and Infineon about their findings. Infineon is currently working on a patch.
Read more: https://www.securityweek.com/crypto-vulnerability-allows-cloning-of-yubikey-security-keys/