"All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable [to a cloning attack performed on the physical key]. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable." I am unhappy
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Sophisticated attack breaks security assurances of the most popular FIDO key.
Ars Technica (arstechnica.com)
-
@mcc at least exploitation requires your PIN
-
@mcc The actual exploit is _extremely_ unlikely as it involves literally taking the thing apart and $12k of specialized hardware to do. Then putting it back together and returning it to you, before you notice.
It also involves already knowing your username and password to an impacted service.
-
@cthos Twelve thousand dollars is not a lot of money. That is in reach of a municipal police department.
-
@mcc True, but why would they subtly disassemble and reassemble your yubikey without your knowledge, to clone it for a service they've already stolen your login info for?
Way easier to just compel you to unlock the account with a court order.
(Granted I'm probably not thinking of every potential threat model here)
-
@cthos The advisory, as quoted in the article, states:
"Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key."
This to me does not say "the password is required". It says that the password may be required in some cases.
If the login and password are enough to get in without the yubikey, then why have a yubikey at all? I thought the point was to be a second auth factor.
-