submitted 3 months ago by floofloof@lemmy.ca to c/technology@beehaw.org
[-] HeyLow 45 points 3 months ago

I see this as a non issue since it requires physical access to the key and would require them to know your email or have access to your computer.

That list of people would already be able to access your key any time anyway so they wouldn't need to clone it 🤷🏻‍♀️

[-] Butterbee@beehaw.org 39 points 3 months ago

Yeah I don't see this being an issue at all. They have to physically have my key? Oh no. Then they already have my key. And I will have disabled the key on my accounts. Unless they what, steal the key from me, take it to the lab, clone it with 11k worth of equipment, then sneak it back into my purse before I notice it's gone? That's some nation state espionage stuff and that is not in my threat model.

[-] BCsven@lemmy.ca 12 points 3 months ago

Totally a non issue unless a government arrested somebody with the intent to gain their key because: "The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering."

[-] Bitrot@lemmy.sdf.org 3 points 3 months ago

If they arrest someone to gain access to their key, they don’t need this attack to use their key. They can just use their key.

[-] BCsven@lemmy.ca 1 points 3 months ago

Sorry I was thinking of when you have yubikey setup with PIN code for access. But yeah, I guess the attack vector is clandestine theft and replace.

[-] chemicalwonka@discuss.tchncs.de 15 points 3 months ago* (last edited 3 months ago)

This is the problem of the security model by obscurity, if they had opted for an open source model both in hardware and firmware (like Nitrokey) maybe they wouldn't be having this problem.

[-] Godort@lemm.ee 20 points 3 months ago

I'm not sure I necessarily agree. Your assessment is correct, but I don't really think this situation is security by obscurity. Like most things in computer security, you have to weigh the pros and cons to each approach.

Yubico used components that all passed Common Criteria certification and built their product in a read-only configuration to prevent any potential shenanigans with vulnerable firmware updates. This approach almost entirely protects them from supply-chain attacks like what happened with ZX a few months back.

To exploit this vulnerability you need physical access to the device, a ton of expensive equipment, and an incredibly deep knowledge in digital cryptography. This is effectively a non-issue for your average Yubikey user. The people this does affect will be retiring and replacing their Yubikeys with the newest models ASAP.

[-] sweng@programming.dev 1 points 3 months ago

Is Yubico actually claiming it is more secure by not being open source?

[-] Melody@lemmy.one 14 points 3 months ago* (last edited 3 months ago)

It feels like this vulnerability isn't notable for the majority of users who don't typically include "Being compromised by a Nation-State-Level Actor."

That being said; I do hope they get it fixed; and it looks like there's already mitigations in place like protecting the authentication by another factor such as a PIN. That helps; for people who do have the rare threat model issue in play.

The complexity of the attack also seems clearly difficult to achieve in any time frame; and would require likely hundreds of man-hours of work to pull off.

If we assume they're funded enough to park a van of specialty equipment close enough to you; steal your key and clone it; then return it before you notice...nothing you can do can defend against them.

[-] Bitrot@lemmy.sdf.org 4 points 3 months ago* (last edited 3 months ago)

One thing the article doesn’t make very clear is that for 2FA the PIN requirement comes from the site itself. If the site requires User Verification, the PIN is required. If not, it is not prompted even if set and this attack is possible. The response to the site just says they knew it.

It is different for Passkeys. They are stored on the device and physically locked behind the PIN, but this is just an attack on 2FA where the username and password are known. (In depth it’s more than that, but for most people walking around with a Yubikey…)

It also seems limited in scope to the targeted site and not that everything else protected by that specific Yubikey. That limits how useful this is in general, which is another reason it is sort of nation-state level or an extremely targeted attack. It’s not something your local law enforcement are going to use.

I think the YubiHSM is a much more appealing target, but that isn’t so much a consumer device and has its own authentication methods.
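
The relying-party check described in the comment above, as an added example that is not part of the thread or of any site's real code: it reads the flags byte of a WebAuthn `authenticatorData` blob (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter) and rejects a touch-only response when user verification is required. The counter check goes beyond the comment, the function names and `example.org` are hypothetical, and signature and `clientDataJSON` verification are assumed to happen elsewhere.

```python
import hashlib
import hmac
import struct

FLAG_UP = 0x01  # bit 0: user present (key was touched)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric was checked)


class AssertionRejected(Exception):
    """Raised when authenticatorData fails relying-party policy."""


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticatorData (no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_auth_data(auth_data: bytes, rp_id: str, stored_count: int,
                    require_uv: bool = True) -> int:
    """Apply flag and counter policy; return the counter value to store."""
    if len(auth_data) < 37:
        raise AssertionRejected("authenticatorData is shorter than 37 bytes")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    expected = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected):
        raise AssertionRejected("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise AssertionRejected("user presence flag not set")
    # A site that skips this check accepts a touch-only response, PIN set or not.
    if require_uv and not flags & FLAG_UV:
        raise AssertionRejected("user verification required but UV flag not set")
    # A counter that fails to increase can mean two devices share one credential.
    # Authenticators that do not implement a counter always report 0.
    if (sign_count or stored_count) and sign_count <= stored_count:
        raise AssertionRejected("signature counter did not increase")
    return sign_count


if __name__ == "__main__":
    touch_only = make_auth_data("example.org", FLAG_UP, 42)  # constructed sample
    with_pin = make_auth_data("example.org", FLAG_UP | FLAG_UV, 43)  # constructed sample
    print(check_auth_data(with_pin, "example.org", 42))
    try:
        check_auth_data(touch_only, "example.org", 41)
    except AssertionRejected as err:
        print("rejected:", err)
```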

[-] cmnybo@discuss.tchncs.de 8 points 3 months ago

For the price they charge, they should be made so that opening the case will destroy the contents. They could have at least potted them.

[-] TheButtonJustSpins@infosec.pub 5 points 3 months ago
[-] cmnybo@discuss.tchncs.de 21 points 3 months ago

Encasing the circuit board in epoxy. It makes it very difficult to access components without destroying it. It's also great for water proofing and increasing the mechanical robustness.

[-] TheButtonJustSpins@infosec.pub 7 points 3 months ago

Thanks! That makes a lot of sense.

[-] IllNess@infosec.pub 7 points 3 months ago

No negatives listed on the Wiki page. Are there any? Does potting increase the likelihood of overheating?

[-] cmnybo@discuss.tchncs.de 11 points 3 months ago

There is potting compound with high thermal conductivity for things that produce a lot of heat. A YubiKey hardly uses any power, so heat should not be an issue.

The main downsides of potting are that it makes repair practically impossible and it can add a lot of weight if there is a large volume to be filled.

[-] IllNess@infosec.pub 2 points 3 months ago

That makes sense. Thank you.

[-] BCsven@lemmy.ca 5 points 3 months ago

Potting Grrrr. My fancy track lighting has been potted. It sucks because absolutely no place (even China) sells the 48v LED driver with the odd body shape to bypass the internal mounting screws, and the potting means I can't access the board to desolder a resistor or something.

[-] xylem@beehaw.org 4 points 3 months ago

Physical anti-tamper, while important for this type of device, wouldn't have helped for this particular attack. It's an electromagnetic side channel, so they don't even have to be touching the thing to collect data.

[-] Apollo2323@lemmy.dbzer0.com 2 points 3 months ago

If it was something that was not possible to patch, was it necessary to release it to the world?

[-] Godort@lemm.ee 9 points 3 months ago

Absolutely. If you are the CISO in a place where security is a top priority with adversaries that may have access to the equipment and knowledge to exploit this, you will absolutely want to retire the keys ASAP and replace them with the new model that is not vulnerable to this.

this post was submitted on 04 Sep 2024