• harsh3466@lemmy.ml
    link
    fedilink
    English
    arrow-up
    65
    ·
    2 months ago

    It’s due to a cryptographic library implementation in a controller used in the yubikey. It’s a third party controller, and this isn’t exclusive to yubikeys either, a shitload of other stuff uses the same controller and is likely vulnerable to the same attack.

    Also, the attack requires around $10k worth of equipment and physical access to the yubikey, so while a valid attack vector, it’s also not something to get into a panic about.

        • Can i create such a thing for qubes os? Would be cool the have decryption screen look like windows login and if duress password entered it boots to a live windows image instead and obviously sends out relevent alerts etc. I suppose u would also want a second duress password that just shreds everything as well.

    • BrikoX@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      16
      ·
      2 months ago

      It’s definitely not something a regular user should panic over. But it’s a huge deal since a lot of high security, sensitive targets also rely on the same library.

      • harsh3466@lemmy.ml
        link
        fedilink
        English
        arrow-up
        11
        ·
        2 months ago

        Definitely. Not to be ignored, but for lots of yubikey users, also not something to be overly worried about.

    • tburkhol@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      2 months ago

      Also, at least for the Yubi implementation, fixable in software, firmware >= 5.7 not vulnerable. Also not upgradeable, so replace keys if you’re worried about nation-state attacks.

      • harsh3466@lemmy.ml
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 months ago

        I went into the article thinking I’d need to replace my keys, and after reading decided I’m a very unlikely target for this attack. My threat model doesn’t include nation states, so I’m gonna keep using my yubikeys for the foreseeable future.

        I have been thinking about new hardware key(s) that can handle more than 20 passkeys, but that’s not a high priority for me right now.

    • socsa@piefed.social
      link
      fedilink
      arrow-up
      4
      ·
      2 months ago

      It’s pretty concerning if my backup key can just be cloned that easily. It means now I need to invest in a much better safe, which I guess was probably always a good idea.

      • smeg@feddit.uk
        link
        fedilink
        English
        arrow-up
        11
        ·
        2 months ago

        if my backup key can just be cloned that easily

        Do you consider $10,000 of equipment plus breaking your safe and extracting your pin to be easy? Who did you get on the wrong side of!?

    • Bjornir@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Couldn’t you just use the yubikey like normal if you have physical access to it instead of copying it ?

      • jqubed@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        In fact reading through the article it sounds like they would need to use it to extract the secret. I guess the end goal for this would be to maintain surreptitious access to something after returning the key to the target, either to build a criminal case or for espionage purposes.

        Given that the vulnerability may also apply to other secure access card/devices I suppose it could also be used if a nation-state wanted to use an impostor to access secure facilities.