Critical flaw in YubiKey two-factor authentication tokens allows potential cloning
A critical security vulnerability has been discovered in YubiKey two-factor authentication tokens, allowing potential cloning of the devices. The flaw, originating from the Infineon cryptographic library, affects various YubiKey products, including the YubiKey 5, YubiKey Bio, Security Key, and YubiHSM 2 series. This issue impacts nearly all older YubiKey tokens with firmware versions before 5.7 (or 5.7.2 for YubiKey Bio and 2.4.0 for YubiHSM 2).
Yubico has rated the severity of the flaw as "moderate," citing the need for physical access to the device, specialized equipment, and detailed knowledge of targeted accounts, including usernames, PINs, and authentication keys. Despite the complexity of the exploitation process, the firmware on these older devices cannot be updated, leaving them permanently vulnerable. The flaw has been present in Infineon’s top security chips for over 14 years, as identified by security firm NinjaLab.
Newer YubiKey models, which do not use the Infineon cryptographic library, are not affected by this vulnerability. Researchers have also cautioned that other devices utilizing the Infineon cryptographic library or Infineon’s SLE78, Optiga Trust M, and Optiga TPM microcontrollers might be at risk.
Yubikey is an interesting and popular help in physical 2FA, but it's still well behind a company like Nitrokey (https://www.nitrokey.com/products/nitrokeys)