
Breach Roundup: YubiKey 5 Is Vulnerable to Cloning

Also: Ohio City Sues Researcher, Irish DPC Ends Case Against GrokAI

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, YubiKey 5 has a flaw, an Ohio city sued a researcher, the Irish regulator ended its GrokAI case, open-source AI tools exposed data, Starlink blocked X in Brazil, FCC banned Kaspersky, Intel addressed a researcher's claim, and Transport for London is still affected by a cyber incident.


YubiKey 5 Is Vulnerable to Cloning

The secure element embedded into the world's most widespread FIDO hardware token contains a flaw that makes it susceptible to cloning. Researchers at NinjaLab discovered the flaw in microcontrollers manufactured by Infineon, the secure element Yubico uses in older versions of its YubiKey 5 Series hardware keys.

There's no reason for panic. As Yubico said in a security advisory, the severity is "moderate." At a minimum, an attacker would need physical possession of the victim's YubiKey and specialized equipment to capture the electromagnetic emissions the side-channel attack relies on. The attack measures those emissions to extract the private key generated by the Elliptic Curve Digital Signature Algorithm implementation embedded on the microcontroller. The vulnerability has apparently existed for 14 years without anyone - at least publicly - knowing about it.

Researchers said attackers would also need to steal the account logon information for which potential victims have made a YubiKey their second-factor authentication. Still, if attackers, likely nation-state hackers, successfully put together all the moving parts, they would be able to log onto accounts protected by one of the most secure second-factor authentication methods around.

The attack requires advanced technical knowledge as well as specialized equipment that costs around $11,000. The flaw is present in all YubiKey 5 devices running firmware versions before 5.7. Firmware updates are not possible for these devices, leaving them permanently vulnerable, Yubico said.
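A defender's first question is which keys in a fleet still report firmware below 5.7, since those cannot be updated and must be replaced. The following added example (not from Yubico or the article) triages captured text output of Yubico's `ykman info` tool per device; the field labels ("Device type", "Firmware version") and the sample inventory are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: `ykman info` output captured from three workstations (format assumed).
SAMPLE_INVENTORY = {
    "desk-01": "Device type: YubiKey 5 NFC\nSerial number: 10000001\nFirmware version: 5.4.3\n",
    "desk-02": "Device type: YubiKey 5C NFC\nSerial number: 10000002\nFirmware version: 5.7.1\n",
    "desk-03": "Device type: YubiKey 5 Nano\nSerial number: 10000003\nFirmware version: 5.2.7\n",
}

# Per the advisory as reported: YubiKey 5 Series firmware before 5.7 is affected.
FIXED_FIRMWARE = (5, 7, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.4.3' (or '5.7') into a 3-tuple so comparison is numeric, not lexical.

    Lexical comparison would wrongly rank '5.10.0' below '5.7.0', and a bare '5.7'
    would compare below (5, 7, 0) unless padded, so both cases are handled here.
    """
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def parse_ykman_info(output: str) -> Dict[str, str]:
    """Split 'Label: value' lines into a dict; unknown or blank lines are ignored."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_affected(info: Dict[str, str]) -> Optional[bool]:
    """True if a YubiKey 5 Series device reports firmware below 5.7.

    Returns None when the device type or firmware field is missing, or when the
    device is not a 5 Series key, because the article only states the 5 Series.
    """
    firmware = info.get("Firmware version")
    if not firmware or "YubiKey 5" not in info.get("Device type", ""):
        return None
    return parse_version(firmware) < FIXED_FIRMWARE


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose key is affected and therefore needs replacing."""
    return sorted(host for host, out in inventory.items()
                  if is_affected(parse_ykman_info(out)) is True)
```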

Ohio City Sues Researcher for Disclosing Data Leak

The city of Columbus, Ohio, sued security researcher David Leroy Ross, also known as Connor Goodwolf, after he disclosed the extent of a ransomware attack that the city initially downplayed. Columbus was hit by the Rhysida ransomware group on July 18, but it claimed the attack was halted before significant damage occurred.

On Aug. 16, the city expanded its offer of free credit monitoring to all individuals who had shared personal information with the city, after initially limiting the monitoring to employees. This lawsuit came after Ross informed local media that the impact of the attack was far greater than the city admitted.

After failing to extort Columbus, Rhysida leaked 3.1 terabytes of data on its dark web site, claiming it was stolen from the city's systems. The city had earlier claimed that the stolen data was corrupted, but Ross provided evidence showing that the data, including sensitive information such as Social Security numbers and police reports, was intact.

The city argues in its lawsuit that "only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web," should be able to access the leaked data.

Last week, a Franklin County judge granted a temporary restraining order against Ross, barring him from disseminating the leaked data, though he can still discuss the incident with the media.

Irish DPC Ends Case Against GrokAI

The Irish Data Protection Commission said Wednesday that social media platform X - formerly Twitter - stopped fighting a lawsuit over its use of public posts by European users to train its Grok generative artificial intelligence model.

The victory for the Irish agency may not be a momentous one. TechCrunch reported that X agreed to remove from the Grok training dataset tweets made by Europeans between May 7, 2024, and August 1, 2024.

The Irish agency sued X in August over its use of European customer data to train its large language model (see: Irish DPC Sues X Over Harvesting Data for Grok AI Bot).

Still left outstanding, the Irish DPC said, are "core issues that arise in the context of processing for the purpose of developing and training an AI model." It requested that the European Data Protection Board provide an opinion on matters including "the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first-party and third-party data." The Brussels-based board should also ponder "the related question of what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing," Irish regulators said.

X has promised that the system will "answer spicy questions that are rejected by most other AI systems" and touted its "anti-woke" properties.

Austrian privacy rights group NOYB also filed complaints against the company, citing violations of the General Data Protection Regulation (see: X's Grok AI Plan Invites More European Scrutiny).

Open-Source AI Tools Expose Sensitive Data: Report

Companies integrating open-source generative AI tools are inadvertently exposing sensitive data to the public web, says a report by Legit Security. Naphtali Deutsch, a researcher at the firm, identified vulnerabilities in open-source AI services, including the Flowise platform and vector databases. Flowise, a Y-Combinator-backed, low-code program, allows users to build AI applications. The researcher found that it contained security flaws that hackers could exploit to access sensitive data such as passwords, configurations and API keys. The password protection on the servers is often insufficient, the report says.

Deutsch also discovered that several vector databases, which store critical data for AI tools, were exposed - with no authentication required for access - allowing leakage of private emails, financial data and personal information. To address these risks, the researcher advised companies to monitor and restrict access to AI services, use private networks, log and audit tool activity, mask sensitive data and regularly update software.

Starlink Blocks X in Brazil

Elon Musk's Starlink agreed to block access in Brazil to Musk's other company, X, formerly Twitter, despite earlier resistance to following an order from Brazilian Supreme Court Justice Alexandre de Moraes. A panel of Supreme Court justices voted on Monday to uphold the order.

Satellite-connectivity internet provider Starlink had informed telecom regulator Anatel that it would not comply until the order was reversed. But after de Moraes froze Starlink's assets, the company announced it would obey, citing legal obligations. It denounced the asset freeze as "illegal."

Musk has criticized de Moraes. The justice froze Starlink's accounts to enforce X's unpaid fines, arguing the companies are economically linked. De Moraes suspended X from Brazilian networks for failing to appoint a local legal representative amid a fight by the justice to force the social media platform into pulling down posts linked to disinformation.

FCC Bans Kaspersky Software in US Telecom Networks

The U.S. Federal Communications Commission banned the use of Kaspersky software in U.S. networks after the company was added to the Covered List of national security risks. The ban will be effective on Sept. 29. It prohibits telecom operators from using Kaspersky's cybersecurity tools and antivirus software and requires them to remove it from their systems.

This follows the U.S. Department of Commerce's June determination that Kaspersky poses "undue and unacceptable risks" to national security. Kaspersky announced in July it would shut down U.S. operations (see: Kaspersky to Shut US Business, Lay Off Remaining 50 Workers).

Intel Responds to Claim of SGX Security Key Compromise

Intel addressed concerns after security researcher Mark Ermolov claimed to have extracted cryptographic keys critical to Intel's Software Guard Extensions technology. Ermolov's team reportedly accessed the SGX Root Provisioning Key and Root Sealing Key, which could undermine the platform's security model by allowing the decryption of sealed data and the creation of fake attestation reports.

Intel said that the research was conducted on systems with physical access that lacked the latest mitigations, and it targeted older, end-of-life processors such as Apollo Lake and Gemini Lake. The extracted key is encrypted, and Intel emphasized that breaking this encryption would only affect individual systems.

Transport for London Still Feels Cyberattack

The London transport authority, which owns and operates the city subway system, continues to feel the effects of a cyberattack first detected Monday. Although Transport for London initially said operations were unaffected by the incident, it has now acknowledged that the attack degraded its ability to offer Dial-a-Ride, a public transport service for wheelchair users and others with disabilities. "We are currently able to process only a limited number of essential booking requests," the transport authority said Thursday. The authority's contactless payment account login page remains offline as of publication.

Security researcher Kevin Beaumont earlier said that Transport for London "shut down outbound internet access and restricted systems inbound." The Register reported Thursday that APIs used to display live Tube arrival times "are also currently offline, judging by sites such as Citymapper."

With reporting from Information Security Media Group's Akshaya Asokan in Southern England; Rashmi Ramesh in Bengaluru, India; and David Perera in Washington, D.C.


About the Author

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.