YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

⁨19⁩ ⁨likes⁩

Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ by ⁨leo@lemmy.linuxuserspace.show⁩ to ⁨news@lemmy.linuxuserspace.show⁩

https://arstechnica.com/?p=2046777

Comments

Sort:hotnew top

stoy@lemmy.zip ⁨2⁩ ⁨months⁩ ago

The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.

Meh, doesn’t seem that realistic of an attack yet, but I know that could change.

source
- sonori@beehaw.org ⁨2⁩ ⁨months⁩ ago
  To be fair given some of the places and things YubiKeys protect, especially local government, finance, hospitals, and the like, this is one of the cases where a physical attack isn’t beyond the realm of possibility.
  
  source
  - stoy@lemmy.zip ⁨2⁩ ⁨months⁩ ago
    Yeah, I was thinking that when I wrote the comment, and aimed it at people working for a smaller company or using it in their personal life, I should have been clear on this.
    
    source
    -> View More Comments
Telorand@reddthat.com ⁨2⁩ ⁨months⁩ ago
This only affects devices with firmware 5.6 and below—anything before May 2024. If you buy a key now, the vulnerability will be patched.

source
- leo@lemmy.linuxuserspace.show ⁨2⁩ ⁨months⁩ ago
  Good to know!
  
  source