NinjaLab

A flaw in Infineon’s security microcontrollers made it possible to extract secret keys using a lab setup that cost just $11,000. 📟🔑👊🏻👨‍💻 More details on: LinkedIn: linkedin.com/posts/dlaskov_… Substack: it4sec.substack.com/p/a-flaw-in-in…

@it4sec Here is the link to the #talk by Thomas m.youtube.com/watch?v=yIkc8D… #hardwear_io @NinjaLabFr

Malek Sfaxi (aka @YoursSto), our new ninja currently intern at @NinjaLabFr , co-organizes the @N0PSctf , a 36 hours capture-the-flag challenge which will happen from 31 of May to 1 of June 2025. Feel free to participate ! nops.re

We are proud to announce that a conference paper about #EUCLEAK (SCA attack against Infineon secure elements affecting Yubikeys: ninjalab.io/eucleak/) has been accepted to @IEEESSP 2025. Thomas will be there next week to present his work, if you are in SF, come and say hi!

In case you missed it…Breaking Down the EUCLEAK Attack! 🤯 Thomas Roche at #hw_ioNL2024 explained it’s impact on YubiKey 5 Series and Infineon Security Systems YouTube Link: youtu.be/yIkc8DzANUs?si… #EUCLEAKAttack #sidechannel #hardwaresecurity

Thanks to Laurent Imbert (@CNRS research director and PhD advisor), @lirmm_ and @umontpellier for having allowed that 🙏

Today Camille Mutschler, the first @NinjaLabFr employee, successfully defended her PhD thesis about post-quantum cryptography and side-channel attacks, in front of a jury of world-renowned cryptography researchers ! Congratulations to her 👩‍💻👩‍🎓🥳

For people attending @EUCyberWeek this week in Rennes, do not miss today the presentation of my associate Thomas Roche about his last research work #EUCLEAK, a side-channel vulnerability impacting the ECDSA implementation of all secure elements of @Infineon

⏰ Speaker Announcement - SecSea 2K24 🚨 🎤 Thomas Roche @NinjaLabFr présentera EUCLEAK, une vulnérabilité découverte après 14 ans chez Infineon, impactant les clés FIDO comme YubiKey. 📅 Vendredi 11 octobre à 14h 🎟️: helloasso.com/associations/h… #SecSea2024 #EUCLEAK #Cryptography

Press release from BSI about 𝐄𝐔𝐂𝐋𝐄𝐀𝐊 vulnerability. German only, here is the Google translated version: translate.google.com/translate?js=n…

We are very excited to share our last research work: 𝐄𝐔𝐂𝐋𝐄𝐀𝐊, authored by Thomas Roche. An electromagnetic Side-Channel Vulnerability in the ECDSA implementation of all Infineon security microcontrollers, notably impacting all YubiKey 5 Series. ninjalab.io/eucleak/

⚠️ Unearthing a Side-Channel Vulnerability Undetected for 14 Years! 🚨 Join Thomas Roche at #hw_ioNL2024 to dive deep into a critical side-channel flaw in Infineon Technologies' secure elements—missed in 80+ high-level Common Criteria assessments More: hardwear.io/netherlands-20…

@fabian_bader We checked on a vulnerable YubiKey 5C: on the acquired traces the ECDSA signature with the attestation key is easily identifiable and then EUCLEAK must apply. In fact this was already covered by Yubico advisory (see section "Attestation"): yubico.com/support/securi…

@NinjaLabFr Oh that's definitely problematic since then the attestation of all of those keys is invaluable. Don't know if you are able to check this in more depth but if yes it would be very much appreciated

@fabian_bader We didn't try but it should be possible on vulnerable FIDO devices

@NinjaLabFr Hi @NinjaLabFr were you also able to extract the private key that is used by those security keys for attestation of e.g. FIDO credentials?

@jasperrrry A PIN is not necessarily enforced on FIDO devices

@RenaudDUBOIS10 This attack is very specific to Infineon implementation. It is not running inside a phone secure enclave (AFAIK).

@NinjaLabFr Amazing. Do you think this exploit could be used by a malware processus spying the execution time required by the secure enclave of a phone to perform Webauthn authentications ?

@shitestfan EdDSA is not impacted as it does not need to compute a modular inverse.

For a complete list of Yubico impacted products: yubico.com/support/securi…

We are happy to share our last research work 𝐈𝐧𝐬𝐩𝐞𝐜𝐭𝐨𝐫 𝐆𝐚𝐝𝐠𝐞𝐭, co-authored by Camille Mutschler, Laurent Imbert and Thomas Roche, published in the international Journal IACR Communications in Cryptology. More info here: #InspectorGadget" target="_blank" rel="nofollow noopener">ninjalab.io/news/#Inspecto…

The @NinjaLabFr team will be present next week in Amsterdam for the 22nd Smart Card Research and Advanced Application Conference @CardisConf 2023, where Thomas Roche is program co-chair. Looking forward to seeing you there 🌷 sbd-research.nl/cardis-2023/in…