YubiKeys are vulnerable to unpatchable cloning attacks thanks to newly discovered physical side channel

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed that all YubiKey 5 series models can be cloned, they haven’t tested other devices built on the same microcontroller, Infineon’s SLE78, or on its successors, the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers together with the Infineon cryptographic library contains the same vulnerability.

Patching not possible

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

[…]

In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time when it performs the modular inversion used in the Elliptic Curve Digital Signature Algorithm. Constant-time code ensures that the time sensitive cryptographic operations take to execute is uniform rather than varying with the specific key material being processed.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that leak the token’s ephemeral ECDSA key, also known as the nonce. Because the security of an ECDSA signature rests on that nonce staying secret, further analysis then allows the researchers to extract the long-term secret ECDSA key that underpins the entire security of the token.
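The two mechanisms described above, a data-dependent modular inverse and the catastrophic effect of a leaked nonce, as an added worked example in Python. This is not NinjaLab’s, Yubico’s or Infineon’s code; the curve arithmetic is textbook P-256 written out for illustration, and the signing key, nonce and message are constructed sample values. It shows that the iteration count of the extended Euclidean algorithm varies with its input (which is what a timing or EM side channel observes), and that once the nonce k of a single signature is known the private key follows from d = (s·k − h)·r⁻¹ mod n.

```python
# Added example, not code from NinjaLab, Yubico or Infineon: (1) a modular
# inverse built on the extended Euclidean algorithm is not constant time and
# (2) a leaked ECDSA nonce gives up the signing key.
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = -3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def egcd_inverse(a, m):
    """Modular inverse via the extended Euclidean algorithm.
    Returns (a^-1 mod m, loop iterations). The iteration count, and so the
    running time, depends on `a`; with `a` the ECDSA nonce that is secret-
    dependent timing, which is what an EM probe picks up."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    iterations = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        iterations += 1
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m, iterations


def iteration_spread(samples=200):
    """Min and max EEA iteration counts over random nonces: the spread is the
    side channel. A constant-time inverse would give a single value."""
    counts = [egcd_inverse(secrets.randbelow(N - 1) + 1, N)[1]
              for _ in range(samples)]
    return min(counts), max(counts)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication (also not constant time; fine for
    a demonstration, never for a real token)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg, k):
    """Textbook ECDSA with a caller-supplied nonce k, so the leak can be
    simulated: s = k^-1 * (h + r*d) mod n."""
    r = ec_mul(k, G)[0] % N
    k_inv, _ = egcd_inverse(k, N)  # the step the Infineon library leaks on
    s = k_inv * (hash_int(msg) + r * d) % N
    return r, s


def ecdsa_verify(pub, msg, sig):
    r, s = sig
    w = pow(s, -1, N)
    h = hash_int(msg)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_key_from_nonce(msg, sig, k):
    """Rearranging s = k^-1 (h + r d): d = (s*k - h) * r^-1 mod n."""
    r, s = sig
    return (s * k - hash_int(msg)) * pow(r, -1, N) % N


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1      # constructed sample signing key
    pub = ec_mul(d, G)
    msg = b"constructed sample FIDO challenge"
    k = secrets.randbelow(N - 1) + 1      # the nonce a side channel would leak
    sig = ecdsa_sign(d, msg, k)
    print("signature valid:", ecdsa_verify(pub, msg, sig))
    print("EEA iteration spread over random nonces:", iteration_spread())
    print("key recovered from one leaked nonce:",
          recover_key_from_nonce(msg, sig, k) == d)
```

The real attack does not hand the attacker the whole nonce in one shot; it recovers information about it from the EM trace of the inverse and combines that across signatures. The algebra in `recover_key_from_nonce` is why even that partial leakage is fatal: everything else in the signature (r, s, the message hash) is public, so the nonce is the only secret standing between an observer and the private key.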

[…]

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios.

[…]

A key question that remains unanswered at the moment is what other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary? Infineon has yet to issue an advisory and didn’t respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.

Source: YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica

Balloon-Based Sensor That Pinpoints Location Of Drone Operators Emerges In Ukraine

Ukraine has developed a balloon-carried electronic surveillance system designed to detect enemy drone operators, which can then be targeted, offering a more comprehensive solution than tackling individual drones. While the current status of the system, known as Aero Azimuth, is unclear, its unveiling points to a resurgence in interest in elevated sensors mounted on aerostats.

[…]

While the Azimuth system already existed in ground-based form, this seems to be the first airborne application, which makes use of an aerostat from another Ukrainian company, Aerobavovna. Also included in the Aero Azimuth system are a trailer with a winch for launching and recovering the balloon, a gas cylinder system to inflate the envelope, plus tools for repair and maintenance.

The basic Azimuth uses passive signals intelligence (SIGINT) equipment to detect and then locate the radio-frequency signals emitted by enemy (Russian) drone operators. These signals include communication channels, telemetry, and data exchange. The information gathered by Azimuth is then relayed to troops, who can directly target the drone operators in question.

[…]

By elevating the Azimuth system on an aerostat, that detection range can reportedly be extended to 37 miles, while the same targets can be triangulated at a distance of 15-19 miles, according to Kvertus spokespeople. These figures are when the balloon is operating at “average flight altitude,” with the optimum altitude meanwhile reported as being around 1,000-2,300 feet.

[…]

Source: Balloon-Based Sensor That Pinpoints Location Of Drone Operators Emerges In Ukraine

China’s Connected Car Crashes Are a Warning

[…] What happens when connected cars become disconnected cars? […]

The phenomenon was chronicled in Rest of World, which spoke to multiple owners of EVs produced by financially troubled Chinese automakers. China kickstarted its EV industry with aggressive subsidies that lured dozens, if not hundreds, of companies to produce cars. When those subsidies ceased, an automotive extinction event unfolded, with a reported 20-plus brands calling it quits.

[…]

The largest Chinese automaker to fail yet has been WM Motor, which reportedly sold around 100,000 cars between 2019 and 2022. It filed for bankruptcy in October 2023, and in doing so ceased offering software support for customers’ cars. With company servers offline, widespread failures were reported, affecting cars’ stereos, charging status indicators, odometers, and app-controlled remote functions such as air conditioning and locking.

Though WM Motor is said to have brought servers back online so that these vehicles can fully function again, it doesn’t seem to have delivered any software updates since its bankruptcy filing almost a year ago. Its app also remains unavailable on smartphone app stores, locking potential buyers of used WM Motor vehicles out of some features. It seemingly hasn’t run afoul of China’s consumer protection laws, which mandate 10 years of parts and service support—but apparently not software. As many as 160,000 Chinese car owners are estimated to be in a similar boat, as an increasing number of automakers encounter financial trouble.

[…]

Source: China’s Connected Car Collapse Is a Warning for the American Market

And what happens when a manufacturer just calls your car End of Life?

Dutch DPA fines Clearview €30.5 million for violating the GDPR

Clearview AI is back in hot — and expensive — water, with the Dutch Data Protection Authority (DPA) fining the company €30.5 million ($33.6 million) for violating the General Data Protection Regulation (GDPR). The release explains that Clearview created “an illegal database with billions of photos of faces,” including Dutch individuals, and has failed to properly inform people that it’s using their data. In early 2023, Clearview’s CEO claimed the company had 30 billion images.

Clearview must immediately stop all violations or face up to €5.1 million ($5.6 million) in non-compliance penalties. “Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world,” Dutch DPA chairman Aleid Wolfsen stated. “If there is a photo of you on the Internet — and doesn’t that apply to all of us? — then you can end up in the database of Clearview and be tracked.” He adds that facial recognition can help with safety but that “competent authorities” who are “subject to strict conditions” should handle it rather than a commercial company.

The Dutch DPA further states that since Clearview is breaking the law, using it is also illegal. Wolfsen warns that Dutch companies using Clearview could also be subject to “hefty fines.” Clearview didn’t issue an objection to the Dutch DPA’s fine, so it is unable to launch an appeal.

This fine is far from the first time an entity has stood up against Clearview. In 2020, the LAPD banned its use, and the American Civil Liberties Union (ACLU) sued Clearview, with the settlement ending sales of the biometric database to any private companies. Italy and the UK have previously fined Clearview €20 million ($22 million) and £7.55 million ($10 million), respectively, and instructed the company to delete any data of its residents. Earlier this year, the EU also barred Clearview from untargeted face scraping on the internet.

Source: Clearview faces a €30.5 million fine for violating the GDPR