ReportWire

Tag: two-factor authentication

  • YubiKeys Are a Security Gold Standard—but They Can Be Cloned

    YubiKeys Are a Security Gold Standard—but They Can Be Cloned

    [ad_1]

    The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

    The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

    Patching Not Possible

    YubiKey maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

    “An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM; knowledge of the accounts they want to target; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key.”

    Side channels are the result of clues left in physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task that leaks cryptographic secrets. In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time-sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

    More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

    In Tuesday’s report, NinjaLab cofounder Thomas Roche wrote:

    In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. This vulnerability lies in the ECDSA ephemeral key (or nonce) modular inversion, and, more precisely, in the Infineon implementation of the Extended Euclidean Algorithm (EEA for short). To our knowledge, this is the first time an implementation of the EEA is shown to be vulnerable to side-channel analysis (contrarily to the EEA binary version). The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour.

    After a long phase of understanding Infineon implementation through side-channel analysis on a Feitian 10 open JavaCard smartcard, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. All YubiKey 5 Series (before the firmware update 5.7 11 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips. These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

    [ad_2]

    Dan Goodin, Ars Technica

    Source link

  • The US Government Is Asking Big Tech to Promise Better Cybersecurity

    The US Government Is Asking Big Tech to Promise Better Cybersecurity

    [ad_1]

    The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “​​so that others can learn.”

    CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.

    The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.

    “Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”

    CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.

    John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”

    Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”

    Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything [a] company has said publicly could be used in lawsuits.”

    That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.

    CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.

    [ad_2]

    Eric Geller

    Source link

  • How to Turn Off Facebook’s Two-Factor Authentication Change

    How to Turn Off Facebook’s Two-Factor Authentication Change

    [ad_1]

    Meta changed how two-factor authentication works for Facebook and Instagram last year. You might have received notifications about this, but it was easy to miss in the platform’s sea of red alerts. OK, so what’s different? “Any devices you’ve frequently used Facebook on in the past two years will be automatically trusted,” reads Meta’s updated settings page. Your smartphone and laptop may not need a 2FA code to log in, unless you go into your settings and opt out.

    Over time, Meta has made multiple tweaks to how it deploys 2FA. In 2018, it started to allow 2FA codes generated by third-party apps. A few years later, the company began requiring more vulnerable accounts to activate 2FA protection. The company faces a tricky balance between making it easy to log in to your account and protecting users from losing control of their online identities.

    Enabling 2FA is a basic way to improve the security of any online profile, since it adds an extra layer of difficulty for hackers trying to break into your account. “The role two-factor plays is, basically, to assume that at some point your password is going to be known by someone else,” said Casey Ellis, founder and chief strategy officer at Bugcrowd, a crowdsourced security company that has previously collaborated with Facebook. “You don’t have control over when or how that happens.” For users, this fallback measure is often as easy as copying and pasting a quick code from within a smartphone app, like Google Authenticator.

    Anyone with a social media account on Facebook or Instagram needs to go ahead and turn on two-factor authentication in their privacy settings. No shame if you haven’t, but do it right now by logging in to your Account Center, clicking Password and security, then Two-factor authentication.

    Now that you’ve got it all set up, here’s what was changed with Meta’s 2FA process: It’s no longer activated anywhere you often used Facebook or Instagram in the past two years, from previous-generation smartphones to hand-me-down laptops.

    What’s the reasoning for this adjustment? “As part of our continuous work to balance account security and accessibility, we’re letting people know that we’ll be treating the devices they frequently use to log in to Facebook as trusted,” said Erin McPike, a Meta spokesperson.

    Facebook via Reece Rogers

    [ad_2]

    Reece Rogers

    Source link