Security

Popular MFA Keys Vulnerable to Side-Channel Attacks

Written by Bill Toulas
Last updated May 18, 2024

A recently released security report compiled by researchers V. Lomme and T. Roche details how a novel side-channel attack against widely-used MFA keys would work out. Side-channel attacks are typically exploiting the flow of information stemming from an indirect source or subsystem, translating it to the “useful target” - like the decryption key, for example.

In this particular case, it would be the ECDSA (Elliptic Curve Digital Signature Algorithm) private key, which is exactly what could be used for the creation of a cloned MFA key.

Source: ninjalab.io

The vulnerability that is exploited for this attack has been given the identifier “CVE-2021-3011,” and the side-channel element is an electromagnetic wave. The target, and point of vulnerability, is the NXP A7005a chip, which is the main microcontroller that controls thousands of operations inside these keys.

The devices that are using the particular chip are the following:

Before you throw away your MFA key, you should note that an attacker would need special knowledge (relation between electromagnetic radiation and cryptographic operations processing), custom software, and expensive equipment to pull this attack off. Of course, the very key would need to be in possession of the attacker, too, so we’re talking about a physical act here. That said, if your Yubikey stays in your pocket, you have nothing to fear.

Source: ninjalab.io

As the researchers detail, one would have to actually open the device to access the NXP A7005a microcontroller, so even if someone “borrows” your key, the marks left from the opening of its casing would make the fiddling pretty obvious. These keys are pretty hard to cleave in most cases, so there’s no discreet way of pulling this off.

This moderate attack potential has convinced the vendors not to do much on the mitigation front, so while the bug was accepted and acknowledge, there are no plans about it. Also, because the issue is not on the vendor’s side, there were no bounty rewards approved for the reporting of the issue.

Finally, in the case of the Titan keys, Google’s FIDO U2F counters would recognize cloned devices anyway, so even successful attacks wouldn’t yield anything useful for the actors.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: