It’s due to a cryptographic library implementation in a controller used in the yubikey. It’s a third party controller, and this isn’t exclusive to yubikeys either, a shitload of other stuff uses the same controller and is likely vulnerable to the same attack.
Also, the attack requires around $10k worth of equipment and physical access to the yubikey, so while a valid attack vector, it’s also not something to get into a panic about.
It’s definitely not something a regular user should panic over. But it’s a huge deal since a lot of high security, sensitive targets also rely on the same library.
Also, at least for the Yubi implementation, fixable in software, firmware >= 5.7 not vulnerable. Also not upgradeable, so replace keys if you’re worried about nation-state attacks.
I went into the article thinking I’d need to replace my keys, and after reading decided I’m a very unlikely target for this attack. My threat model doesn’t include nation states, so I’m gonna keep using my yubikeys for the foreseeable future.
I have been thinking about new hardware key(s) that can handle more than 20 passkeys, but that’s not a high priority for me right now.
It’s pretty concerning if my backup key can just be cloned that easily. It means now I need to invest in a much better safe, which I guess was probably always a good idea.
Can i create such a thing for qubes os? Would be cool the have decryption screen look like windows login and if duress password entered it boots to a live windows image instead and obviously sends out relevent alerts etc. I suppose u would also want a second duress password that just shreds everything as well.
Couldn’t you just use the yubikey like normal if you have physical access to it instead of copying it ?
In fact reading through the article it sounds like they would need to use it to extract the secret. I guess the end goal for this would be to maintain surreptitious access to something after returning the key to the target, either to build a criminal case or for espionage purposes.
Given that the vulnerability may also apply to other secure access card/devices I suppose it could also be used if a nation-state wanted to use an impostor to access secure facilities.