56

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel(arstechnica.com)

posted
*
by
Avatar
GreenEngineering3475@lemmy.world
in
Avatar
hardware@lemmy.world
8 comments
hidereport

Edit: Yubico has issued a security advisory on the vulnerability https://www.yubico.com/support/security-advisories/ysa-2024-03/

Sort:
HotTopControversialNewOld
Avatar
Alphane Moon@lemmy.worldM
29 points

“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.”

permalink
report
reply
Avatar
jelloeater - Ops Mgr@lemmy.world
10 points

Seems like a “blast door” type problem…

permalink
report
parent
reply
Avatar
𝕸𝖔𝖘𝖘@infosec.pub
4 points

That sounds like the attacker would need to basically already know how to unlock it…

permalink
report
parent
reply
Avatar
Desistance@lemmy.world
15 points

Not much of a vulnerability when you need physical access.

permalink
report
reply
Avatar
Mayor Poopington@lemmy.world
10 points

It’s like saying a bank is vulnerable if you have enough drills and guns

permalink
report
parent
reply
Avatar
lemmyng@lemmy.ca
8 points

On the contrary. China for example is known for accessing traveler electronics both during customs/immigration checks and in their hotels. Unless the victim carries their key on their person at all times without fault it can be cloned without them knowing.

permalink
report
parent
reply
Avatar
eyeon@lemmy.world
5 points

i have physical access to my own yubikey and can’t make a backup copy. someone else who only temporarily has access to it being able to do so is definitely a vulnerability.

permalink
report
parent
reply
Avatar
higgsboson@dubvee.org
1 point
*
Deleted by creator
permalink
report
parent
reply
Avatar
WolvenSpectre@lemmy.ca
7 points

Its not much of a vulnerability, like locks, its not if it can be picked, it is how difficult it is to be picked, but the difference here is that the vulnerability is that a nation state actor, or a high capability actor can compromise it, and “it” being the thing that keeps your accounts safe.

So this is like the lock that protects all your accounts can be shimmed if it ever gets out of your control type of an issue, so not to stop using them, but to keep them secured or on your person at all times.

I hope YubiKey offers a fair upgrade program for their next series of keys and maybe a new FIDO Standard.

permalink
report
reply

Hardware

!hardware@lemmy.world

Create post

All things related to technology hardware, with a focus on computing hardware.

Rules (Click to Expand):

  1. Follow the Lemmy.world Rules - https://mastodon.world/about

  2. Be kind. No bullying, harassment, racism, sexism etc. against other users.

  3. No Spam, illegal content, or NSFW content.

  4. Please stay on topic, adjacent topics (e.g. software) are fine if they are strongly relevant to technology hardware. Another example would be business news for hardware-focused companies.

  5. Please try and post original sources when possible (as opposed to summaries).

  6. If posting an archived version of the article, please include a URL link to the original article in the body of the post.

Some other hardware communities across Lemmy:

Icon by “icon lauk” under CC BY 3.0

Community stats

  • 1.7K

    Monthly active users

  • 1.6K

    Posts

  • 2K

    Comments

Community moderators