My well-used -- and now vulnerable -- YubiKey 5C security key.

Adrian Kingsley-Hughes/ZDNET

Security researchers have uncovered a flaw in YubiKey 5 two-factor authentication security keys, making them vulnerable to cloning. If you're a YubiKey 5 user, here's what you need to know.

What is the YubiKey 5 flaw?

Researchers at NinjaLab discovered the attack. It exploits a side-channel weakness in the cryptographic library running on a tiny secure-element chip inside the key, the Infineon SLE78: while the chip computes an ECDSA signature, its electromagnetic emissions leak information about the private key. The process requires physical access to the key, opening the case with solvents or a hot air gun, connecting the chip to roughly $11,000 worth of measurement equipment, and recording many signing operations until the private key can be recovered. The flaw is in the chip's firmware library, not a bug that can be triggered remotely.

A cloned key alone is not enough. To gain access to the key owner's accounts, the attacker would also need the usernames, account passwords, PIN codes, or any other authentication factors used to secure each account.

Ars Technica has a good breakdown of the vulnerability.

Which YubiKey 5 keys are affected?

Yubico, the maker of YubiKey security keys, has published an advisory listing the affected keys:

  • YubiKey 5 Series versions prior to 5.7
  • YubiKey 5 FIPS Series prior to 5.7
  • YubiKey 5 CSPN Series prior to 5.7
  • YubiKey Bio Series versions prior to 5.7.2
  • Security Key Series all versions prior to 5.7
  • YubiHSM 2 versions prior to 2.4.0
  • YubiHSM 2 FIPS versions prior to 2.4.0

These keys are not affected:

  • YubiKey 5 Series version 5.7.0 and newer
  • YubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)
  • YubiKey Bio Series versions 5.7.2 and newer
  • Security Key Series versions 5.7.0 and newer
  • YubiHSM 2 versions 2.4.0 and newer
  • YubiHSM 2 FIPS versions 2.4.0 and newer

The 5.7 firmware for YubiKeys was released in May 2024, so any key bought before then is affected. Keys bought after that date can still carry older firmware if they came from existing stock, so check the version rather than relying on the purchase date.

How do I tell if my keys are affected?

Download the Yubico Authenticator app (available for Linux, Mac, Windows, iOS, and Android). This app will identify the model and firmware version of any YubiKey connected to the device running the app. If you prefer the command line, Yubico's ykman tool reports the same information with `ykman info`, which prints the device type and a "Firmware version" line. Compare that version against the advisory list above: for the 5 Series, FIPS, CSPN and Security Key Series the safe versions start at 5.7.0, and for the Bio Series at 5.7.2.

Yubico Authenticator highlights a vulnerable security key.

Adrian Kingsley-Hughes/ZDNET
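For anyone auditing more than a handful of keys, the check above is worth scripting. The following is an added example, not code from the article, from Yubico, or from NinjaLab: it parses saved `ykman info` output for each key and classifies it against the advisory thresholds listed above (5.7.0 for most series, 5.7.2 for the Bio Series, 2.4.0 for the YubiHSM 2). The sample outputs are constructed here, and the exact "Device type:" / "Firmware version:" field labels are an assumption about ykman's output format; adjust the regular expressions if your version of the tool prints them differently.

```python
"""Classify YubiKey firmware versions against Yubico's advisory thresholds.

Added example, not part of the article or of Yubico's tooling. Assumes the
`ykman info` text looks like the constructed SAMPLE_OUTPUTS below (the field
labels are an assumption about the CLI's format).
"""
import re

# Lowest firmware version that is NOT affected, per series, taken from the
# advisory list in the article. YubiKey 5 (including FIPS and CSPN) and the
# Security Key Series share the 5.7.0 threshold.
MIN_SAFE = {
    "bio": (5, 7, 2),
    "hsm2": (2, 4, 0),
    "default": (5, 7, 0),
}


def parse_version(text):
    """'5.7' -> (5, 7, 0); '5.4.3' -> (5, 4, 3).

    Pads to three components so a bare '5.7' compares equal to 5.7.0
    instead of sorting below it.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def series_of(device_type):
    """Map a ykman device type string onto the advisory's series buckets."""
    dt = device_type.lower()
    if "bio" in dt:
        return "bio"
    if "yubihsm" in dt:
        return "hsm2"
    return "default"


def is_affected(device_type, firmware):
    """True if this model/firmware pair is in the advisory's affected list."""
    return parse_version(firmware) < MIN_SAFE[series_of(device_type)]


def parse_ykman_info(output):
    """Pull (device_type, firmware) out of `ykman info` text (assumed format)."""
    dt = re.search(r"^Device type:\s*(.+?)\s*$", output, re.M)
    fw = re.search(r"^Firmware version:\s*([\d.]+)", output, re.M)
    if not dt or not fw:
        raise ValueError("could not find device type / firmware version")
    return dt.group(1), fw.group(1)


def audit(outputs):
    """Classify a fleet: returns a list of (device_type, firmware, affected)."""
    results = []
    for text in outputs:
        device_type, firmware = parse_ykman_info(text)
        results.append((device_type, firmware, is_affected(device_type, firmware)))
    return results


# Constructed sample outputs in the assumed `ykman info` layout.
SAMPLE_OUTPUTS = [
    "Device type: YubiKey 5C NFC\nSerial number: 10000001\nFirmware version: 5.4.3\n",
    "Device type: YubiKey 5C NFC\nSerial number: 10000002\nFirmware version: 5.7.1\n",
    "Device type: YubiKey Bio - FIDO Edition\nSerial number: 10000003\nFirmware version: 5.7.1\n",
    "Device type: Security Key NFC\nSerial number: 10000004\nFirmware version: 5.7\n",
]

if __name__ == "__main__":
    for device_type, firmware, affected in audit(SAMPLE_OUTPUTS):
        status = "AFFECTED - replace" if affected else "ok"
        print(f"{device_type:28s} {firmware:8s} {status}")
```

Note the Bio Series edge case: 5.7.1 is safe for a YubiKey 5 but still affected for a Bio key, which is why the classifier keys off the device type rather than the version alone.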

Can affected YubiKeys be patched?

No. The firmware is locked as a tamper-resistance measure and cannot be updated in the field, so the only remediation for an affected key is to replace it with one running 5.7 or newer.

Are other security devices affected?

The Infineon SLE78 is used in a wide variety of devices, from passports to bank cards, but it is unclear if these are vulnerable.

Should I panic?

No. 

For most users, this is not a significant issue. The process of stealing a key and cloning it to hack online accounts is too complex and costly for most attackers. 

That said, this should concern those working with highly sensitive or valuable information, such as government organizations, financial institutions, healthcare institutions, journalists, or political activists. The use of these older, vulnerable keys by people in these sectors should be phased out. Replacing a key means enrolling the new one on each account and then removing the old key's credential from that account; once the old credential is deregistered, a clone of it is useless.