News Older YubiKeys compromised by unpatchable 2FA bug — side-channel attack is critical, but expensive and difficult to execute

Just waiting for people who don't read the article or Security Advisory to start yelling the sky is falling and everyone's Yubikeys are now useless lol.
 
A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
 
It is ... if they are after your bank account, for example.
If they are after your bank account, they aren't going to break into your home and steal your Yubikey, open it and spend the time cloning it, put it back together (somehow in a way you don't know it was ever opened), then break back into your home and replace it (hoping you didn't notice it was gone), and then at some point in the future use their clone to clean out your bank account.

If they've broken into your home and have the Yubikey, then that's it; they're just gonna use it to clean out your bank account. They aren't gonna bother with cloning it and returning it, because there isn't any point.
 
A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
It is if you're a giant company (corporate spy), a government, or a military-related operation (like Raytheon, aka good old spy ops).
 
It is ... if they are after your bank account, for example.
To take advantage of the vulnerability, they already need to have stolen your key. The key that is your form of 2FA. They already have everything they need at that point, assuming they also have your login information (and without that, the key itself would be useless).

This vulnerability only allows them to duplicate the key, using expensive hardware, highly specific technical expertise, and at least a day's worth of time. There is absolutely no reason to go through all that if they just want access to your bank account, since they would already have the key, and therefore access to your bank account.

The only scenarios in which this would be useful are those in which you covertly duplicate the key without the target realizing it happened, which would involve stealing the key, disassembling the key (which you can't really do non-destructively), spending a day to get access to it so you can clone it, then somehow reassembling it into its original state and returning it to its original location without anyone noticing anything happened.

And even then, it wouldn't be useful for robbing your bank account, since you would immediately notice something is wrong and deauthorize the key; they could achieve the exact same thing with the original one. So the only actions it would be beneficial for are ones the target won't realize are happening, which would mainly be espionage, specifically long-term access to confidential data via the target's accounts.

It's still not a good thing, but it only presents an increased risk for those in very specific circumstances.
 
Just waiting for people who don't read the article or Security Advisory to start yelling the sky is falling and everyone's Yubikeys are now useless lol.
Who hasn't been to a KGB party and got blackout drunk for 36 hours, allowing them time to copy the contents of your laptop and duplicate your 2FA token?
 
A “vulnerability” that requires you to have access to the key and a massive super specialized rig for 24 hours undetected is NOT a real vulnerability for something like this.
Agreed, or more importantly, a compromised device due to physical possession makes any vulnerabilities effectively irrelevant; while vulns would make it easier and faster for the adversary to accomplish their goal of cloning or using the device itself, this is basically a purely academic security problem. Foreign government spies and military are going to be the only ones with the combination of resources and goals/need to carry out this kind of an attack. As for those with the highest level of secrets to protect, I'd assume they'd be using a different product anyways (more proprietary and/or not even commercially available on public marketplaces). As for healthcare and others mentioned in the article, no, not seeing a need to buy new Yubikeys just to resolve the "vulnerability."

Even for thieves wanting to get into big bank accounts, social engineering and other methods would be more practical, reliable, and ultimately effective, especially when you're talking about a scope of one or two people, as casting a wider net is surely almost always more profitable on a profit-time-rate basis ($/day or however one presents the measurement).
 
I was thinking about one of these a while ago.

There was a question as to whether to keep it with you or to keep it at home.

If you leave it at home, someone could enter without permission and steal your key.

If you keep it with you... They don't look too robust to be on a keyring. It could become damaged, and that could be troublesome. And they aren't super cheap. Otherwise, you could lose it or your keyring somehow. Then it can be acquired without theft.

I also thought that people might be less suspicious of unusual activity if they knew a key was involved.

If you don't use one of these specialized keys, one might use your phone. But people can call up telecom companies and convince them to ship them a new phone with "your" number. (It's their number that they let you use.)

Then there is good ol' bad email authentication, and passwords.

The problem is not solved.

Guess what, it's the future now and everything has to be done online.

When something goes wrong, the problem isn't that they were fooled, it is that your account was stolen.

Sometimes you are not responsible for actions on stolen accounts, but this is, after, they agree.
 
I think the vulnerability is still real. IF Yubico is a serious company, they would recall the venerable keys with lower firmware versions; that would be the thing to do.