Internet Archive Lost The Fight - ThreatWire

Threat Wire - Security, Privacy, and Internet Freedom News!
11 Sept 2024 (07:18)

Summary

TL;DR: This episode of ThreatWire covers a YubiKey cloning vulnerability discovered by NinjaLab that affects every YubiKey 5 Series device running firmware below 5.7. The attack requires physical access to the key and specialised lab equipment, so it cannot be carried out remotely. Twitter (X) faces a ban in Brazil for non-compliance with court orders on misinformation, with fines and account freezes. The Internet Archive's National Emergency Library faces copyright infringement litigation, and a recent appeals ruling upheld the original decision against it.

Takeaways

  • 🔒 Security teams are concerned about a new YubiKey cloning attack, discovered by NinjaLab.
  • 🛡️ The attack targets YubiKey 5 Series devices with firmware below 5.7, so keys shipped before May 2024 are vulnerable; YubiKey firmware cannot be updated in the field, so an affected key stays affected until it is replaced.
  • 📅 The underlying side-channel weakness has existed for 14 years in the Infineon cryptographic library used by YubiKeys and similar FIDO hardware.
  • ⚠ The attack cannot be carried out remotely; it requires physical access to the YubiKey, and the resulting clone is only useful to an attacker who also holds the victim's other login factors.
  • 🔬 NinjaLab's setup used laboratory equipment such as electromagnetic probes and oscilloscopes costing up to €45,000, but a setup of roughly €10,000 is viable.
  • 🔑 The attack measures electromagnetic emanations while the key computes the ECDSA signature that FIDO authentication relies on (the leak comes from a non-constant-time modular inversion in the library's ECDSA implementation) and uses them to recover the private key, from which a working clone is built.
  • 💻 Because the flaw is in the Infineon cryptographic library, all products built on Infineon security microcontrollers with that library are affected, not just YubiKeys.
  • 📉 Yubico assigned the vulnerability a CVSS score of 4.9 (moderate), citing the attack's complexity and difficulty of execution as reasons for the relatively low score.
  • 🚫 Twitter (X) was banned in Brazil in August 2024 for failing to comply with court orders regarding misinformation, and users who bypass the ban face hefty fines.
  • 📚 The U.S. Court of Appeals for the Second Circuit ruled against the Internet Archive's National Emergency Library project, holding that it infringed publishers' copyrights and was not fair use.
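As an added illustration of why the leakage described in the takeaways above is fatal (this is not NinjaLab's code and not anything from Yubico's firmware), the block below implements textbook ECDSA over NIST P-256, the curve FIDO2 credentials use, and shows that an attacker who learns the per-signature nonce k of a single signature recovers the private key d and can then answer fresh challenges exactly like the genuine key. The simplification is that the whole nonce is assumed to leak; the real attack extracts partial information about k from the electromagnetic trace of the nonce's modular inversion and combines many signatures, but the algebra it ends in is the same. The challenge strings are constructed for the demo.

```python
"""Why leakage of the ECDSA nonce is fatal: added demo, not NinjaLab's or Yubico's code.

Textbook ECDSA over NIST P-256. Assumption made here: the full nonce k of one
signature leaks. The real attack recovers partial nonce information from EM
traces of the nonce inversion and uses lattice reduction over many signatures.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4, D.1.2.3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B mod P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add. Not constant time: fine for a demo, not for a token."""
    result = INF
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(d: int, message: bytes, k: int):
    """ECDSA signature (r, s). k must be uniform in [1, N-1] and must never leak.
    The nonce inversion pow(k, -1, N) is the step the EM attack observes."""
    x, _ = scalar_mult(k, G)
    r = x % N
    s = pow(k, -1, N) * (hash_to_int(message) + r * d) % N
    assert r != 0 and s != 0
    return r, s


def verify(Q, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    h = hash_to_int(message)
    X = point_add(scalar_mult(h * w % N, G), scalar_mult(r * w % N, Q))
    return X is not INF and X[0] % N == r


def recover_private_key(message: bytes, sig, k: int) -> int:
    """From s = k^-1 (h + r d) mod N it follows that d = (s k - h) r^-1 mod N."""
    r, s = sig
    h = hash_to_int(message)
    return (s * k - h) * pow(r, -1, N) % N


def run_demo():
    """Generate a key, sign a challenge, leak k, recover d, then sign with the clone."""
    d = secrets.randbelow(N - 1) + 1           # the token's private key
    Q = scalar_mult(d, G)                      # public key registered with the relying party
    challenge = b"constructed WebAuthn challenge"
    k = secrets.randbelow(N - 1) + 1           # per-signature nonce; assumed to leak in full
    sig = sign(d, challenge, k)
    d_clone = recover_private_key(challenge, sig, k)
    # The clone answers a fresh challenge indistinguishably from the real key.
    fresh = b"another constructed challenge"
    clone_sig = sign(d_clone, fresh, secrets.randbelow(N - 1) + 1)
    return {
        "original_valid": verify(Q, challenge, sig),
        "recovered_matches": d_clone == d,
        "clone_valid": verify(Q, fresh, clone_sig),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point for defenders is in the last three lines of `run_demo`: once d is known the relying party cannot tell the clone from the genuine key, which is why Yubico's only remedy is replacement rather than a firmware patch.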

Q & A

  • What is the YubiKey cloning attack?

    -The YubiKey cloning attack is a side-channel attack discovered by NinjaLab that allows an attacker with physical access to clone YubiKey 5 Series devices running firmware below 5.7. The key's electromagnetic emanations during the authentication (ECDSA signing) operation leak enough information to recover the elliptic curve digital signature algorithm (ECDSA) private key, which is all a clone needs.

  • How practical is the YubiKey cloning attack?

    -While the attack is demonstrably possible, it is not practical for everyday attackers. It requires physical access to the YubiKey, equipment costing roughly €10,000 to €45,000, and advanced cryptographic and reverse-engineering skills. The attack is therefore complex and not easily executed.

  • What are the security implications of this vulnerability?

    -This vulnerability undermines the fundamental security guarantee of FIDO-compliant keys, which are used in sensitive environments such as military and corporate networks. It challenges the assumption that the cryptographic material stored in a YubiKey cannot be copied or read by any other device.

  • Why was the YubiKey vulnerability assigned a CVSS score of 4.9?

    -The vulnerability received a CVSS score of 4.9 because of its complexity and limited practicality: it requires physical access and expensive equipment. While the vulnerability is significant, the barriers to exploiting it reduce its severity in most contexts.

  • How did NinjaLab conduct the YubiKey cloning attack?

    -NinjaLab used an electromagnetic probe, a micromanipulator, a digital microscope and oscilloscopes, and reverse-engineered the cryptographic library running on the YubiKey's microcontroller. This let them capture electromagnetic side-channel traces during the authentication operation and recover the key material needed to produce a clone.

  • What is the significance of the YubiKey attack for the broader FIDO hardware ecosystem?

    -The attack affects not only YubiKeys but also other products using Infineon security microcontrollers with the same cryptographic library. The vulnerability could therefore impact a wider range of FIDO-compliant hardware authentication devices.

  • What other major events were discussed in the transcript?

    -Other topics included Twitter's ban from Brazil after non-compliance with misinformation orders, fines, and account freezes, as well as the court ruling against the Internet Archive's Open Library project, which was deemed to infringe on publishers' copyrights.

  • Why was Twitter banned in Brazil?

    -Twitter was banned in Brazil due to its failure to comply with a court order to ban accounts spreading misinformation. The company's refusal led to escalating legal actions, including the threat of employee arrests and eventual shutdown of its operations in Brazil.

  • What is the significance of the Internet Archive court ruling?

    -The ruling against the Internet Archive jeopardizes its Open Library project, which digitizes and makes books available online. The courts ruled that this infringes on publishers' copyrights, potentially impacting the Archive's ability to continue this initiative.

  • What impact did Twitter's ban have on its users in Brazil?

    -Twitter had over 20 million users in Brazil, its fifth-largest international market. The ban means that any person trying to access the platform via VPN could face fines of up to $9,000 per day, significantly impacting Brazilian fan culture and access to the service.
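Returning to the YubiKey items of the Q&A above: a practical check, added here and not from Yubico or NinjaLab, that reads the firmware version from `ykman info` (Yubico's YubiKey Manager CLI) and flags a 5 Series key below 5.7.0. The two `ykman info` samples are constructed to mirror the tool's output format; the exact layout of that output, and the "Firmware version:" label in particular, is an assumption. Because YubiKey firmware cannot be field-updated, an affected key is replaced rather than patched.

```python
"""Which of my YubiKeys are affected? Added check; not Yubico's or NinjaLab's code.

Parses `ykman info` output and flags YubiKey 5 Series firmware below 5.7.0, the
threshold given in the episode. Assumption: ykman prints a "Firmware version:"
line as in the constructed samples below.
"""
import re
import shutil
import subprocess

FIXED_FIRMWARE = (5, 7, 0)   # first 5 Series firmware with the fix (per the episode)

# Constructed samples in the shape `ykman info` prints; values are illustrative.
SAMPLE_INFO_AFFECTED = """\
Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
"""
SAMPLE_INFO_FIXED = """\
Device type: YubiKey 5C NFC
Serial number: 87654321
Firmware version: 5.7.1
Form factor: Keychain (USB-C)
"""


def parse_firmware_version(info_text: str):
    """Return (major, minor, patch) from the Firmware version line, or None."""
    m = re.search(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """5 Series firmware below 5.7.0. Other major versions are outside the
    episode's scope and are reported as not flagged, not as safe."""
    return version is not None and version[0] == 5 and version < FIXED_FIRMWARE


def classify(info_text: str) -> str:
    """Human-readable verdict for one key's `ykman info` output."""
    v = parse_firmware_version(info_text)
    if v is None:
        return "unknown (no firmware line)"
    label = ".".join(map(str, v))
    return f"{label}: {'AFFECTED, replace' if is_affected(v) else 'not flagged'}"


def check_plugged_key() -> str:
    """Run ykman against the connected key; requires the ykman CLI on PATH."""
    if shutil.which("ykman") is None:
        return "ykman not installed"
    out = subprocess.run(["ykman", "info"], capture_output=True, text=True)
    if out.returncode != 0:
        return f"ykman failed: {out.stderr.strip()}"
    return classify(out.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_INFO_AFFECTED, SAMPLE_INFO_FIXED):
        print(classify(sample))
    print(check_plugged_key())
```

Run it with each key plugged in; for a fleet, the same `classify` function can be fed the `ykman info` output collected from endpoints by whatever inventory tooling is already in place.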


Related tags: Cybersecurity, YubiKey, Twitter Ban, Brazil, Digital Libraries, Cryptography, Side Channel Attack, NinjaLab, Internet Archive, Copyright Lawsuit