Also, at least for the Yubi implementation, fixable in software, firmware >= 5.7 not vulnerable. Also not upgradeable, so replace keys if you’re worried about nation-state attacks.
Comment on YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
harsh3466@lemmy.ml 2 months ago
It’s due to a cryptographic library implementation in a controller used in the yubikey. It’s a third party controller, and this isn’t exclusive to yubikeys either, a shitload of other stuff uses the same controller and is likely vulnerable to the same attack.
Also, the attack requires around $10k worth of equipment and physical access to the yubikey, so while a valid attack vector, it’s also not something to get into a panic about.
tburkhol@lemmy.world 2 months ago
hashferret@lemmy.world 2 months ago
For reference, 5.7 began shipping with keys in May of this year.
harsh3466@lemmy.ml 2 months ago
I went into the article thinking I’d need to replace my keys, and after reading decided I’m a very unlikely target for this attack. My threat model doesn’t include nation states, so I’m gonna keep using my yubikeys for the foreseeable future.
I have been thinking about new hardware key(s) that can handle more than 20 passkeys, but that’s not a high priority for me right now.
tux0r@feddit.org 2 months ago
xkcd
bonn2@lemm.ee 2 months ago
And this is why Duress passwords exist
muntedcrocodile@lemm.ee 2 months ago
Can I create such a thing for Qubes OS? Would be cool to have the decryption screen look like the Windows login, and if the duress password is entered it boots to a live Windows image instead and obviously sends out relevant alerts etc. I suppose you would also want a second duress password that just shreds everything as well.