Is this because FIDO2 is flawed, the yubikey hardware design is flawed or both?
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Submitted 2 months ago by BrikoX@lemmy.zip to privacyguides@lemmy.one
Comments
tkw8@lemm.ee 2 months ago
harsh3466@lemmy.ml 2 months ago
It’s due to a cryptographic library implementation in a controller used in the yubikey. It’s a third party controller, and this isn’t exclusive to yubikeys either, a shitload of other stuff uses the same controller and is likely vulnerable to the same attack.
Also, the attack requires around $10k worth of equipment and physical access to the yubikey, so while a valid attack vector, it’s also not something to get into a panic about.
tburkhol@lemmy.world 2 months ago
Also, at least for the Yubi implementation, fixable in software, firmware >= 5.7 not vulnerable. Also not upgradeable, so replace keys if you’re worried about nation-state attacks.
BrikoX@lemmy.zip 2 months ago
While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
Both. The cryptolibrary in question is also use in other cryptographic applications too, so it’s a huge mess.
pineapplelover@lemm.ee 2 months ago
I spent so much on these keys wth
jqubed@lemmy.world 2 months ago
It doesn’t affect their newest keys, but you can’t upgrade an older key to fix it:
All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.
USSEthernet@startrek.website 2 months ago
Which is why I’m now second guessing why I even bought them to begin with. Any time a security flaw is found I need to spend another $50-60. Seem crazy and wasteful.
jqubed@lemmy.world 2 months ago
Reading the article I think most people don’t need to worry about upgrading because of this flaw; this would be a very targeted attack. And I can understand not letting the firmware upgrade; I’m pretty sure I’ve seen examples of nation-state hacks for phones that involve attackers installing an “upgraded firmware” that disables security protections to access otherwise secured info. But yeah, cost is definitely a risk with this design.
MaxHardwood@lemmy.ca 2 months ago
Despite this affecting only FIDO and barely any Yubikeys are being used for that, it’s important to keep in mind that exploits and attacks get worse over time. For now it’s just FIDO and requires complex hardware and practically destroying the key. I wouldn’t be surprised if this exploit is just the beginning.
smeg@feddit.uk 2 months ago
Given this massive caveat I’d almost call that headline misleading
b3an@lemmy.world 2 months ago
The fact that this happened is surprising in general, but not super practical.
What’s the big deal? A: It affects other types of hardware which also used these crypto libraries. Some are easier to address than others.