New EUCLEAK attack on secure elements reveals private key

I saw this recently and was curious if there’s any long term implications for Onlykey users:

Researchers were able to extract the private key from any Yubikey 5 series via a side-channel attack. It requires physical access to the key but only for a few minutes.

As far as I can tell the Onlykey has a different secure element so the specific weakness (in Infineon security microcontrollers and their library) doesn’t apply. However perhaps the general approach might still apply if similar timings could be observed in an Onlykey?

The researchers stress that this attack would have to be highly targeted and requires sophisticated equipment so overall you are still more secure to use a security key than not.

Correct, OnlyKey was not affected we use a different secure element. We recently wrote an article here that elaborates on the Yubikey vulnerability Securing the Future: Comparing YubiKey and OnlyKey in the Evolving Mul

There are additional security features with OnlyKey, #1 OnlyKey doesn’t even process private keys until its unlocked with the correct PIN so even attempting this type of attack would not be possible without first knowing the OnlyKey PIN, there are also additional side-channel protections built into OnlyKey.

1 Like