Researchers at NinjaLabs discovered the attack. This sophisticated attack leverages a cryptographic bug, known as a side-channel attack, present in a tiny chip — the Infineon SLE78 — within the key. The process requires physical access to the key, disassembling it using solvents or a hot air gun, connecting the chip to $11,000 worth of equipment, and extracting private keys from the key.
Also: The best security keys of 2024
To gain access to the key owner’s accounts, the attacker would also need usernames, account passwords, PIN codes, or any other authentication keys used to secure the account.
Ars Technica has a good breakdown of the vulnerability.
Source: Robotics - zdnet.com