PSA-2024-1

Summary

A side-channel vulnerability has been discovered in Infineon’s cryptographic library used in OFFPADs.

Details of how to exploit this vulnerability have been published in a detailed disclosure report from NinjaLab. The report describes a targeted and sophisticated attack that successfully extracts private keys from an Infineon Secure Element. To execute the attack the attackers need physical possession of the OFFPAD, specialized equipment and knowledge of the accounts they want to target. The attackers also need knowledge of the user PIN or biometrics on the OFFPAD. Infineon hardware is not affected, and product security certificates were not revoked.

Infineon has updated the cryptographic library in co-operation with the researchers at NinjaLab, customers, and the German certification body. The update is currently in the process of being certified and rolled out. The severity of the issue is moderate and has a CVSS score of 4.8.

How to do the hack

To perform a successful attack the attacker needs to do the following:

  1. Get access to the OFFPAD.
  2. Physically open the OFFPAD.
  3. Connect the equipment needed to execute the electromagnetic side-channel attack to the Secure Element.
  4. Activate the software that contains the vulnerability by performing authentications using the private keys.

Implications

Authentication

If the hack is executed successfully the hacker will be able to duplicate FIDO credentials and perform authentications using those credentials.

For this hack to be successful over time, the owner of the OFFPAD must not discover that the OFFPAD has been compromised. This means that the OFFPAD needs to be reassembled and returned to the owner without visible marks from the hack.

In general, if the OFFPAD is lost or compromised the owner must immediately deregister the OFFPAD on all services and applications. The FIDO specification requires servers to have a mechanism to detect duplicated logins from the same FIDO credential. This would prevent the attack from going undiscovered over time.
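The server-side mechanism referred to above is the WebAuthn signature counter (signCount): a relying party stores the last counter value it saw for a credential and treats a value that fails to increase as a signal that the private key may exist on more than one device. The following is an added example, not code from the PONE advisory or from the OFFPAD firmware; it parses signCount out of authenticator data and applies that rule. The rpIdHash bytes and credential IDs are constructed placeholders.

```python
import struct
from dataclasses import dataclass

# Authenticator data layout (WebAuthn 6.1):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
def parse_sign_count(auth_data: bytes) -> int:
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return struct.unpack(">I", auth_data[33:37])[0]

@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int  # last counter value accepted by the relying party

def check_sign_count(stored: StoredCredential, auth_data: bytes) -> str:
    """Apply the WebAuthn signature-counter rule during assertion verification.
    Returns "ok" (and records the new counter), "no_counter" (authenticator
    implements no counter, so the rule gives no signal) or "possible_clone"."""
    new = parse_sign_count(auth_data)
    if new == 0 and stored.sign_count == 0:
        return "no_counter"
    if new > stored.sign_count:
        stored.sign_count = new
        return "ok"
    # Counter did not advance: the same key is being used from two devices,
    # or the authenticator was rolled back. Either way the login should be
    # refused or escalated and the credential flagged for re-enrolment.
    return "possible_clone"

def make_auth_data(sign_count: int, flags: int = 0x05) -> bytes:
    # Constructed sample: 32 zero bytes stand in for SHA-256(rpId); flags 0x05 = UP|UV.
    return b"\x00" * 32 + bytes([flags]) + struct.pack(">I", sign_count)

def simulate_clone_detection() -> list[str]:
    """Genuine device logs in twice, a copy of its key logs in once, then the
    genuine device logs in again. The rule flags the fourth login; it cannot
    say which of the two devices holds the copied key."""
    cred = StoredCredential(credential_id=b"cred-1", sign_count=0)
    events = [
        make_auth_data(10),  # genuine device
        make_auth_data(11),  # genuine device
        make_auth_data(12),  # second device holding the same key
        make_auth_data(12),  # genuine device, counter no longer ahead of server
    ]
    return [check_sign_count(cred, e) for e in events]
```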

Attestation

Attestation provides services and applications with information about the authenticator protecting the private keys. This provides a means to enforce security policies for FIDO authenticators and to choose which authenticators to trust.

If the hack is executed successfully the hacker can create a fraudulent OFFPAD with a valid FIDO attestation and as a result bypass the policies established.

Severity

As stated by the researchers at NinjaLab, this type of side-channel attack cannot evolve into a massive security breach. The hack needs to be re-executed for each targeted device, and it requires physical access to it. The engineering effort to do the hack is considerable: it requires highly specialized equipment and a complex post-processing and data-analysis phase, and is therefore difficult to execute out in the field. PONE Biometrics regards the threat to the OFFPAD as moderate and the CVSS score is 4.8.

Mitigations

The most effective mitigation for this vulnerability is to always make sure you have the OFFPAD in your possession, and if it is lost or stolen you should immediately deregister it from the application and services you use it with.

Frequently Asked Questions

How easy is this vulnerability to exploit?

Exploiting this vulnerability requires specialized equipment and the process is complex. The hacker needs physical access to the OFFPAD, knowledge about the account and either the PIN or biometrics of the user.

Can I update my OFFPAD when Infineon has released the updated library?

The OFFPAD does not support updates to the software running on it. We believe that this is the best way to keep your credentials safe.

Is my OFFPAD still secure?

Yes, the OFFPAD is still secure. In their report, the researchers emphasize that “we strongly encourage to continue to use an EUCLEAK vulnerable product rather than switching to a solution that does not involve a secure element.”

Is there a replacement program for OFFPADs?

Keeping the OFFPAD in your possession and deregistering it if it is stolen or lost is an effective way to mitigate this vulnerability. Hence, we have not activated a replacement program. If you have security concerns using your OFFPAD, please contact us at support@ponebiometrics.com.