Physical Access Required – Yet a Serious Threat
The EUCLEAK attack requires physical access to the device and involves opening the target to place an electromagnetic (EM) probe. While this makes a practical attack more difficult, the result is recovery of the ECDSA private key. In the case of FIDO 2FA tokens, this means an attacker could clone a victim’s token, though the attacker would also need the victim’s username and password. In other scenarios, just having the ECDSA key may be sufficient for a full compromise.
That said, using a hardware token like YubiKey, even one potentially vulnerable to side-channel attacks, is still significantly more secure than relying on software-only authentication. But of course, it’s better to use a token without known vulnerabilities.
The Attack in a Nutshell
Black-box attacks often involve extensive reverse engineering, making it advantageous to start with a similar target that has known parameters and fewer countermeasures in place. In this case, the initial investigation focused on profiling a programmable Feitian card that uses the same Infineon chip as the YubiKey. By using the Feitian card, the researchers could set and control the ECDSA private key, providing a clear baseline for analysis. Additionally, Thomas first examined the ECDSA verification process, which generally operates without countermeasures since it doesn’t involve protecting secrets. This contrasts with ECDSA signing, which employs the private key and thus has built-in countermeasures for protection.
Once he started looking at measurements of ECDSA, timing leakages became apparent after just a few traces, specifically in the modular inversion of the value k. This is very interesting, because knowledge of k instantly gives away the ECDSA private key. But the real challenge was mapping the timing leakages to the bits of k.
The Brute-Force Journey
Decoding the leakage requires knowing which algorithm is being executed. Thomas essentially used trial and error to match observations with potential algorithms. After much analysis, he identified the Extended Euclidean Algorithm (EEA) and division as the vulnerable components. Without going into the details, he could distinguish by how many bits the intermediates r0 and r1 (as named in the paper) differ, the sign of another intermediate (r), and whether an intermediate is 0 (l).
Each ECDSA trace revealed a series of these constraints, because EEA and division run in nested loops. Using this information, he built a set of templates for these behaviors from an ECDSA verification and matched them to the ECDSA signing operation, effectively turning it into a Simple Power Analysis (SPA) template attack.
Since this only recovers a series of constraints, and not the full value of k, he performed many (partial) EEA simulations to match candidates of k to the observations. As it turns out, this recovered not k, but k’, a masked version of k. An important detail here is that k was masked with only 32 bits of randomness.
To unmask k’ and recover k, Thomas used Pollard’s Kangaroo algorithm instead of brute-forcing the entire keyspace. To guard against errors during classification, he gathered multiple EM traces, ensuring a higher success rate through redundancy. With k, he could calculate the ECDSA private key.
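Why an EEA-based inversion leaks at all, as an added example (not code from the paper, NinjaLab or Infineon): a textbook extended Euclidean inversion runs a number of iterations, and divisions with quotient sizes, that depend on the secret k, while a fixed-exponent (Fermat) inversion follows a schedule set only by the public modulus. The P-256 group order, the sample values and all function names are assumptions chosen for illustration.

```python
# Added illustration: textbook EEA inversion vs. fixed-exponent inversion.
# Python big integers are not constant-time; only control flow is compared.

# Group order of NIST P-256 (assumed curve; the page does not name one).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Constructed sample values standing in for nonces.
SAMPLE_NONCES = [1, 2, 3, 2**128 + 1, N - 1]

def eea_inverse(k, n=N):
    """Return (k^-1 mod n, quotient bit length of every loop iteration)."""
    r0, r1 = n, k % n
    t0, t1 = 0, 1
    quotient_bits = []
    while r1 != 0:                      # iteration count depends on k
        q = r0 // r1                    # division cost depends on r0 and r1
        quotient_bits.append(q.bit_length())
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("k is not invertible modulo n")
    return t0 % n, quotient_bits

def fermat_inverse(k, n=N):
    """Return (k^(n-2) mod n, squarings, multiplications) for prime n."""
    result, squarings, multiplies = 1, 0, 0
    for bit in bin(n - 2)[2:]:          # schedule fixed by the public n
        result = result * result % n
        squarings += 1
        if bit == "1":
            result = result * k % n
            multiplies += 1
    return result, squarings, multiplies

def profile(nonces=SAMPLE_NONCES, n=N):
    """Map each k to (EEA iterations, (Fermat squarings, multiplications))."""
    report = {}
    for k in nonces:
        inv_eea, quotient_bits = eea_inverse(k, n)
        inv_fermat, squarings, multiplies = fermat_inverse(k, n)
        if inv_eea != inv_fermat or k * inv_eea % n != 1:
            raise AssertionError("inversion routines disagree")
        report[k] = (len(quotient_bits), (squarings, multiplies))
    return report

if __name__ == "__main__":
    for k, (steps, ops) in profile().items():
        print(f"k={k:#x}: EEA iterations={steps}, Fermat (sq, mul)={ops}")
```

The EEA iteration counts differ across the sample values while the Fermat operation counts are identical for every k, which is the property a side-channel-hardened inversion needs at the control-flow level.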
What Comes Next?
We all know that attacks never get worse; they only improve. It is therefore interesting to consider what improvements to the attack could look like:
- Single-Trace Attacks: With more sophisticated signal processing, the attack could be refined to require just a single trace, increasing the practicality of the method.
- Minimally Invasive Probing: It may be possible to perform the attack with only a small hole in the device, which could be sealed afterward, leaving minimal evidence.
- Power Side-Channel Attacks: In the worst case, the attack could evolve into a VCC-based attack, where the device is simply plugged into an acquisition box for a few minutes to collect the necessary data with no physical modifications or evidence.
Public Response
Yubico has already issued a statement addressing the vulnerability. CVE-2024-45678 has been assigned to this issue, with more details available on the National Vulnerability Database.
Recognizing NinjaLab’s Contributions
We would like to commend the research conducted by NinjaLab. Their work has been a valuable contribution to the security landscape. For more in-depth details, you can read the full EUCLEAK paper or attend Thomas Roche’s talk at the upcoming Hardwear.io conference in the Netherlands.
The author would like to thank Vishwas Raj Jain, Praveen Vadnala and Marc Witteman for valuable discussions.