Security is hard.
The TL;DR is: Do not lose possesion of your private key.
https://ninjalab.io/eucleak/
The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.
All YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack.
https://www.yubico.com/support/security-advisories/ysa-2024-03/
#2FA #SideChannel #ConstantTime
SpaceLifeForm
npub12r…s4565
2025-09-10 21:45:19 UTC
Author Public Key
npub12rdzyj5dp0fgunzn3z67l7z42fg7rs07l6tjh7n0k86ze3kzvdqsls4565Seen on
wss://relay.momostr.pinkPublished at
2025-09-10 21:45:19 UTCEvent JSON
{
"id": "471f6825875ca321406ef54b38a305c17ba4382aa4f56f19228ff1613d8c9b30",
"pubkey": "50da224a8d0bd28e4c5388b5eff8555251e1c1fefe972bfa6fb1f42cc6c26341",
"created_at": 1757540719,
"kind": 1,
"tags": [
[
"t",
"2fa"
],
[
"t",
"constanttime"
],
[
"t",
"sidechannel"
],
[
"proxy",
"https://infosec.exchange/@SpaceLifeForm/115182188580055061",
"web"
],
[
"proxy",
"https://infosec.exchange/users/SpaceLifeForm/statuses/115182188580055061",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/SpaceLifeForm/statuses/115182188580055061",
"pink.momostr"
],
[
"-"
]
],
"content": "Security is hard.\n\nThe TL;DR is: Do not lose possesion of your private key.\n\nhttps://ninjalab.io/eucleak/\n\nThe attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.\n\nAll YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack.\n\nhttps://www.yubico.com/support/security-advisories/ysa-2024-03/\n\n#2FA #SideChannel #ConstantTime",
"sig": "aad99481d79666c2d45e8c1ade4271b4c786b4bff0929bc5c738e608f0b9a6291a3585ccd1bd473ba64686086653ce4f0dfef0ebe21c00a79e9a7109e4708d78"
}