Yubico · Yubico Yubikey Neo · CVE-2021-3011
**Name of the Vulnerable Software and Affected Versions**
NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9
Google Titan Security Key based on an NXP A7005a chip
Yubico YubiKey Neo
Feitian K9, K13, K21, and K40
NXP JavaCard smartcards, including:
J3A081, J2A081, J3A041, J3D145 M59, J2D145 M59, J3D120 M60, J3D082 M60, J2D120 M60, J2D082 M60, J3D081 M59, J2D081 M59, J3D081 M61, J2D081 M61, J3D081 M59 DF, J3D081 M61 DF, J3E081 M64, J3E081 M66, J2E081 M64, J3E041 M66, J3E016 M66, J3E016 M64, J3E041 M64, J3E145 M64, J3E120 M65, J3E082 M65, J2E145 M64, J2E120 M65, J2E082 M65, J3E081 M64 DF, J3E081 M66 DF, J3E041 M66 DF, J3E016 M66 DF, J3E041 M64 DF, and J3E016 M64 DF
**Description**
An electromagnetic-wave side-channel issue allows attackers to extract the ECDSA private key after extensive physical access, and consequently produce a clone. This issue was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys and several NXP JavaCard smartcards are also impacted.
**Recommendations**
For NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9, consider disabling the `checkPassword()` function or restricting access to the vulnerable `CryptoLib` module until a patch is available.
For Google Titan Security Key based on an NXP A7005a chip, avoid using the device for sensitive operations until a fix is provided.
For Yubico YubiKey Neo and Feitian K9, K13, K21, and K40, restrict access to these devices to minimize the risk of exploitation.
For NXP JavaCard smartcards, consider temporarily disabling the use of these smartcards for authentication purposes until a patch or fix is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.