Side-Channel Analysis on Secure Elements
Electromagnetic side-channel attacks and what public research reveals about the limits of certified hardware.
Most hardware security failures do not occur at the chip level; they occur in firmware, supply chains, companion software, or user behavior. In the majority of documented incidents, the Secure Element is bypassed rather than broken. The preceding articles in this series have made this case in detail.
The chip itself has also been broken, however. We have found documented records of direct physical attacks against secure elements: attacks that target the chip's own cryptographic operations, extract secret keys, and succeed despite the hardware defenses the chip was specifically engineered to provide.
This article covers the most significant documented cases involving electromagnetic side-channel research.
What is an electromagnetic side-channel attack?
An electromagnetic side-channel attack monitors the electromagnetic field a chip emits while it performs cryptographic operations, measured with a near-field probe held close to the die, and infers the secret keys from that signal.
This attack exploits the fact that a physical chip performing cryptographic operations leaks information through observable physical phenomena (power consumption, timing variation, electromagnetic emissions) that correlate with the secret values being processed.
In an ideal implementation every operation takes the same time, draws the same power and radiates the same field whatever the input data. Constant-time execution is the standard defense against timing and power side-channels: the manufacturer must make the observable signal independent of the secret so that there is nothing to correlate against.
The difficulty is that achieving this across a full cryptographic implementation is hard. A single data-dependent branch, loop bound or memory access is easy to introduce and difficult to detect, and both cases below come down to exactly such a deviation in one step of ECDSA signing.
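As an added illustration (example code written for this editing pass, not code from the original article or from either vendor's library), the following Python contrasts a modular inversion of an ECDSA nonce done with the Extended Euclidean Algorithm, whose number of division steps depends on the nonce, with a Fermat inversion run as a fixed-length Montgomery ladder. The 31-bit Mersenne prime modulus is an assumption for illustration; real curves use a 256-bit group order, and Python's big-integer arithmetic is not itself constant-time, so the point is the algorithmic shape, not a production primitive.

```python
# Added example (not from the original article or any vendor library): the
# kind of data-dependent behaviour that defeats "constant-time". Inverting the
# ECDSA nonce k with the Extended Euclidean Algorithm takes a number of
# division steps that depends on k; a Fermat inversion run as a fixed-length
# Montgomery ladder does the same work for every k. Assumed toy modulus:
# the Mersenne prime 2^31 - 1 in place of a 256-bit group order.

N = 2**31 - 1


def eea_inverse(k, n=N):
    """Extended Euclid; returns (k^-1 mod n, number of division steps).
    The loop runs until the remainder is zero, so its length is a function
    of k: that is the data dependence a side-channel observer can exploit."""
    old_r, r = n, k % n
    old_s, s = 0, 1                  # coefficients of k in old_r and r
    steps = 0
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        steps += 1
    if old_r != 1:
        raise ValueError("k has no inverse modulo n")
    return old_s % n, steps


def ladder_inverse(k, n=N):
    """k^(n-2) mod n (Fermat, n prime) via a Montgomery ladder: exactly
    n.bit_length() iterations, each one multiplication and one squaring,
    for every k. The branch is on the public exponent n-2, not on k.
    (Python big-int arithmetic is not constant-time; this shows the
    algorithmic shape, not a production primitive.)"""
    e = n - 2
    r0, r1 = 1, k % n
    for i in range(n.bit_length() - 1, -1, -1):
        if (e >> i) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
    return r0


def step_count_profile(nonces, n=N):
    """EEA step count per nonce; a non-constant profile is the leak."""
    return {k: eea_inverse(k, n)[1] for k in nonces}


if __name__ == "__main__":
    # Constructed sample nonces, including the shortest EEA runs (k = 1, n-1).
    for k, steps in step_count_profile([1, N - 1, 0x6DB6DB6D, 0x3A5F1C27]).items():
        inv, _ = eea_inverse(k)
        assert inv * k % N == 1 and ladder_inverse(k) == inv
        print(f"k={k:#010x}  EEA steps={steps:2d}  ladder steps={N.bit_length()}")
```

Running it shows the EEA step count varying with k while the ladder performs the same 31 iterations every time. An observer who can count those steps in a trace has learned a function of the nonce; collect enough such partial information across signatures and the key-recovery step described in the cases below becomes possible.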
Cases of side-channel analysis on SEs
Case 1: NXP A700X / Google Titan Security Key
ELECTROMAGNETIC SIDE-CHANNEL · NinjaLab · USENIX Security 2021 · CVE-2021-3011
The NXP A700X is a secure element from NXP Semiconductors' P5x family, a line of secure microcontrollers used in banking smart cards, identity documents, and hardware authentication tokens. The A700X is the chip embedded in the Google Titan Security Key, Google's hardware two-factor authentication token used to protect Google accounts and FIDO U2F authentication. It was also found in Yubico's YubiKey NEO and in Feitian's authentication tokens.
The chip's job is to generate and store a private ECDSA key during device registration, then use that key to sign authentication challenges. The FIDO U2F protocol is explicitly designed so that the private key never leaves the device. No legitimate interface exists to export it.
How the attack was executed
Because the A700X firmware is closed, the researchers first studied the NXP J3D081, an open JavaCard smart card (one onto which the owner can load their own applets) built on the same P5x chip family and running the same NXP cryptographic library as the A700X.
Reverse-engineering the ECDSA implementation on the J3D081 gave them a reference for what the signing computation looks like in an EM trace, which they then used to locate the vulnerable operation on the target A700X.
Physical preparation: A hot air gun and a scalpel were used to remove the Titan's plastic casing, exposing the NXP A700X. The EM probe was positioned close to the chip surface. The device remained fully functional throughout because no permanent modification was required.
Data collection: Approximately 6,000 ECDSA signing operations were triggered by sending authentication challenges to the Titan. Each operation produced an EM trace. The full collection took approximately six hours.
Key recovery: The EM traces were processed offline using lattice-based key recovery algorithms. The ECDSA private key was successfully extracted. The researchers then used the recovered key to construct a software clone that could impersonate the physical Titan for any registered account.
Equipment used: a Langer near-field EM probe, a Thorlabs three-axis micro-manipulator and a Pico Technology PicoScope oscilloscope, totalling approximately $13,000.
Physical access required: several hours with the device. The Titan's plastic casing must be opened, which leaves visible evidence of tampering, but the device remains functional afterward and can be returned to the victim.
What this attack reveals
The NXP A700X attack is a direct, successful extraction of a private key from a chip designed to prevent exactly that. The FIDO U2F guarantee that the key never leaves the device was defeated not by breaking ECDSA but by reading what the chip's physical implementation of ECDSA leaked.
NXP's P5x family had received CC certification, with the last evaluation in 2015. The attack's relevance to current hardware is therefore limited; its relevance to understanding what CC certification can miss is not.
Case 2: Infineon SLE78 / EUCLEAK (YubiKey 5 Series)
ELECTROMAGNETIC SIDE-CHANNEL · NinjaLab · ePrint 2024/1380 · hardwear.io NL 2024 · CVE-2024-45678
The Infineon SLE78 is one of the most widely deployed secure element families worldwide. It is the chip inside the YubiKey 5 Series, the world's most popular hardware security key. It also appears across a broad range of security-critical applications:
- Electronic passports,
- Banking smart cards,
- Automotive key systems,
- IoT authentication infrastructure,
- Cryptocurrency hardware wallets.
The SLE78 holds CC EAL6+ certification, the second-highest assurance level available and the standard for the most security-demanding commercial applications. It has passed approximately 80 separate CC evaluations across various product configurations.
Infineon's cryptographic library is proprietary. It is compiled into the chip's firmware and not publicly documented.
Finding the vulnerability: the open platform approach
Thomas Roche of NinjaLab, following the same methodology as the 2021 Titan research, began with the Feitian A22 JavaCard, an open programmable platform built on an Infineon SLE78 chip that runs the same Infineon cryptographic library as the YubiKey 5.
With the vulnerability characterized on the open Feitian platform, Roche moved to the real target, a YubiKey 5Ci.
Physical preparation: The YubiKey's outer casing was opened, and the EM probe was positioned close to the SLE78's surface. The device remained functional.
Data collection: EM traces were collected during ECDSA signing operations, the same operation that occurs each time the YubiKey is used to authenticate.
Key recovery: Each trace captured the EM emissions during the modular inversion of the ECDSA nonce, which Infineon's library performs with an Extended Euclidean Algorithm whose running time depends on the operand. The partial nonce information recovered from the traces was combined across signatures with lattice-based algorithms to recover the ECDSA private key.
Equipment cost: Approximately €10,000, including the laptop used for offline processing.
Physical access window: A few minutes with the device are sufficient to collect the necessary EM acquisitions. Offline processing requires additional time but no further physical access.
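Both cases end with the same mathematical step: partial knowledge of many ECDSA nonces is turned into the private key with a lattice (hidden number problem) attack. The Python below, added here as a worked example and not taken from NinjaLab's papers or either vendor's code, runs that step end to end on toy parameters. It abstracts the signing itself: every ECDSA signature (r_i, s_i) on hash h_i with nonce k_i gives the relation k_i = u_i + t_i d (mod q) with t_i = r_i/s_i and u_i = h_i/s_i, so the demo samples t_i and k_i and derives u_i, which produces the same instances as real signatures (a modelling assumption). The side channel is simulated by leaking the top 12 bits of each nonce, q = 2^31 - 1 stands in for a 256-bit group order, and 10 signatures are used; those sizes and the seeded random "device" are assumptions for a fast demo. The real attacks recover far fewer bits of a 256-bit nonce from thousands of traces, but the lattice construction and the LLL reduction are the same.

```python
# Added example (not NinjaLab's or vendor code): the lattice step both attacks
# end with, on toy parameters. Each ECDSA signature (r_i, s_i) on hash h_i with
# nonce k_i satisfies k_i = u_i + t_i*d (mod q), t_i = r_i/s_i, u_i = h_i/s_i.
# The demo samples t_i and k_i directly and derives u_i, which yields the same
# instances as real signatures (a modelling assumption), and simulates the EM
# leak as the top ELL bits of each k_i. Q = 2^31 - 1 is a toy stand-in for a
# 256-bit group order; ELL = 12 and M = 10 are toy sizes.
from fractions import Fraction
import random

Q, ELL, M = 2**31 - 1, 12, 10          # Q is prime (the Mersenne prime M31)
SHIFT = Q.bit_length() - ELL           # number of unknown low bits per nonce
B = 1 << (SHIFT - 1)                   # bound on the recentred unknown part


def lll_reduce(basis, delta=Fraction(99, 100)):
    """LLL with exact rationals and incremental Gram-Schmidt updates (Cohen,
    Algorithm 2.6.3); adequate for the dimension-12 lattice used here."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    mu = [[Fraction(0)] * n for _ in range(n)]
    bs, bn = [], []                        # b*_i and their squared norms
    for i in range(n):
        v = b[i][:]
        for j in range(i):
            mu[i][j] = sum(x * y for x, y in zip(b[i], bs[j])) / bn[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
        bs.append(v)
        bn.append(sum(x * x for x in v))

    def size_reduce(k, j):                 # b_k -= round(mu_kj) * b_j
        r = round(mu[k][j])
        if r:
            b[k] = [x - r * y for x, y in zip(b[k], b[j])]
            mu[k][j] -= r
            for i in range(j):
                mu[k][i] -= r * mu[j][i]

    k = 1
    while k < n:
        size_reduce(k, k - 1)
        if bn[k] < (delta - mu[k][k - 1] ** 2) * bn[k - 1]:  # Lovasz fails
            m_ = mu[k][k - 1]
            new = bn[k] + m_ * m_ * bn[k - 1]
            mu[k][k - 1] = m_ * bn[k - 1] / new
            bn[k], bn[k - 1] = bn[k - 1] * bn[k] / new, new
            b[k], b[k - 1] = b[k - 1], b[k]
            for i in range(k - 1):
                mu[k][i], mu[k - 1][i] = mu[k - 1][i], mu[k][i]
            for i in range(k + 1, n):
                t = mu[i][k]
                mu[i][k] = mu[i][k - 1] - m_ * t
                mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
            k = max(k - 1, 1)
        else:
            for j in range(k - 2, -1, -1):
                size_reduce(k, j)
            k += 1
    return [[int(x) for x in row] for row in b]   # entries stay integral


def recover_private_key(t, u, leaked_msbs):
    """Hidden number problem via LLL. Knowing the top ELL bits a_i of k_i,
    e_i = k_i - a_i*2^SHIFT lies in [0, 2B). Recentre so |e_i - B| <= B; then
    (Q(e_1-B), ..., Q(e_m-B), d*B, Q*B) is a vector of the lattice below, far
    shorter than any unrelated vector whose last coordinate is +-Q*B, so LLL
    exposes it and d can be read from coordinate m."""
    m = len(t)
    uc = [(ui - (a << SHIFT) - B) % Q for ui, a in zip(u, leaked_msbs)]
    basis = [[Q * Q if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis.append([Q * x for x in t] + [B, 0])
    basis.append([Q * x for x in uc] + [0, Q * B])
    for row in lll_reduce(basis):
        if abs(row[-1]) == Q * B:              # +-1 copies of the u-row used
            d = (row[m] // B * (1 if row[-1] > 0 else -1)) % Q
            # check an attacker can make: d must reproduce every leaked prefix
            if all(((ui + ti * d) % Q) >> SHIFT == a
                   for ti, ui, a in zip(t, u, leaked_msbs)):
                return d
    return None


def run_demo(seed=2021, m=M):
    """Simulate m signatures with leaked nonce prefixes and recover d.
    Returns (true d, recovered d)."""
    rng = random.Random(seed)                          # deterministic device
    d = rng.randrange(1, Q)
    t = [rng.randrange(1, Q) for _ in range(m)]        # r_i / s_i
    k = [rng.randrange(1, Q) for _ in range(m)]        # ECDSA nonces
    u = [(ki - ti * d) % Q for ki, ti in zip(k, t)]    # h_i / s_i: k = u + t d
    leaks = [ki >> SHIFT for ki in k]                  # what the EM trace gives
    return d, recover_private_key(t, u, leaks)


if __name__ == "__main__":
    true_d, found = run_demo()
    print(f"true d = {true_d:#x}, recovered d = {found:#x}" if found
          else "recovery failed")
```

Design note: the lattice always also contains the trivial vector (0, ..., 0, QB, 0), which is shorter than the target, so the code scans every row of the reduced basis for one whose last coordinate is ±QB instead of trusting the first row, and confirms the candidate against the leaked prefixes before returning it (in a real attack the check would be against the public key).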
What this research reveals
The consequence is that a YubiKey 5 could be cloned. A sophisticated attacker with temporary physical access to the device, a probe setup and the necessary offline computation time could produce a software copy that generates valid authentication responses for any account the YubiKey was registered with.
Why roughly 80 evaluations missed the flaw is a matter of conjecture. The evaluation methodology may not have included sufficiently sensitive EM measurement equipment, or the evaluators may have concentrated on other mathematical operations within the signing routine.
EUCLEAK is the clearest public evidence that CC EAL6+ certification means only that the evaluation tested the chip against known techniques within a defined threat model, not that no exploitable leakage remains.
What both side-channel cases establish
Taken together, the NXP A700X attack and EUCLEAK form a documented record of direct physical attacks against certified secure elements. Each targeted a different manufacturer's chip with the same technique, and each succeeded.
| Chip | Technique | Year | Key finding |
|---|---|---|---|
| NXP P5x family (CC EAL4+) | EM side-channel (SCA) | 2021 | ECDSA private key extracted; FIDO token cloned. Leakage from non-constant-time scalar multiplication in NXP's ECC cryptolib. |
| Infineon SLE78 (CC EAL6+) | EM side-channel (timing leak in the EEA modular inversion) | 2024 | ECDSA private key extracted from an EAL6+ certified chip. Vulnerability undetected across 14 years and ~80 CC evaluations. |
This is the fundamental challenge of secure element design: correct cryptography is necessary but not enough. The implementation must also be constant-time, properly shielded, and resistant to side-channel analysis.
Conclusions
Both attacks described in this article required the researchers to have the target device in hand for minutes or hours, to use specialized and expensive laboratory equipment (roughly €10,000 to $13,000 at minimum), and to have expert-level knowledge of electromagnetic side-channel analysis and lattice-based cryptanalysis. Neither can be performed remotely, and both require opening the device's casing, which leaves visible evidence of tampering.
For you, the average hardware wallet user, your realistic enemy is not a nation-state lab with a Langer probe and a signal processing suite. It is phishing, social engineering, malicious software, and compromised seed phrase storage.
Primary sources
Case 1 — NXP A700X / Google Titan:
- Full paper: ninjalab.io/a-side-journey-to-titan/ and eprint.iacr.org/2021/028
- USENIX Security 2021 presentation: usenix.org/conference/usenixsecurity21/presentation/roche
- CVE-2021-3011
Case 2 — Infineon SLE78 / EUCLEAK:
- Full paper and official research page: ninjalab.io/eucleak/
- Cryptology ePrint Archive: eprint.iacr.org/2024/1380
- Yubico security advisory: YSA-2024-03
- CVE-2024-45678 — NVD/NIST
- hardwear.io Netherlands 2024 presentation: hardwear.io/netherlands-2024/presentation/eucleak.pdf