While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
Both. The cryptolibrary in question is also use in other cryptographic applications too, so it’s a huge mess.
harsh3466@lemmy.ml 2 weeks ago
It’s due to a cryptographic library implementation in a controller used in the yubikey. It’s a third party controller, and this isn’t exclusive to yubikeys either, a shitload of other stuff uses the same controller and is likely vulnerable to the same attack.
Also, the attack requires around $10k worth of equipment and physical access to the yubikey, so while a valid attack vector, it’s also not something to get into a panic about.
tux0r@feddit.org 2 weeks ago
xkcd
bonn2@lemm.ee 2 weeks ago
And this is why Duress passwords exist
muntedcrocodile@lemm.ee 2 weeks ago
Can i create such a thing for qubes os? Would be cool the have decryption screen look like windows login and if duress password entered it boots to a live windows image instead and obviously sends out relevent alerts etc. I suppose u would also want a second duress password that just shreds everything as well.
tburkhol@lemmy.world 2 weeks ago
Also, at least for the Yubi implementation, fixable in software, firmware >= 5.7 not vulnerable. Also not upgradeable, so replace keys if you’re worried about nation-state attacks.
hashferret@lemmy.world 2 weeks ago
for reference 5.7 began shipping with keys May of this year.
harsh3466@lemmy.ml 2 weeks ago
I went into the article thinking I’d need to replace my keys, and after reading decided I’m a very unlikely target for this attack. My threat model doesn’t include nation states, so I’m gonna keep using my yubikeys for the foreseeable future.
I have been thinking about new hardware key(s) that can handle more than 20 passkeys, but that’s not a high priority for me right now.