Ethical Hackers Academy ®’s Post

If you add a PIN or fingerprint (YubiKey 5 Bio), they can't get through. Fixed. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key. The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low.“

BREAKING; having physical access to my housekeys might compromise access to my front door once taken by malicious actors

Important, as Yubikey is widely known and sometimes set as THE FIDO device: This is not a FIDO issue, users shall widen the horizon to alternatives, ie SWISSBIT.

Robust asset management process around hardware tokens, including clear helpdesk knowledge-basing, in tandem with a healthy user awareness programme, should result in appropriate revocation of certificates for all lost hardware… In other words, encourage a culture, where honesty & integrity always overrides the shame of admitting mistakes (like losing a hardware device). Or train your staff to ask why that guy is following them around trying to stick an EM probe in their pocket or briefcase. The article is a great read for anyone interested in side chaining attacks. Another reason why sound engineers or musicians make great secops people.

I didn't study cryptography and I won't pretend to understand the attack in detail. There are way smarter people out there. But here are my 5 cents as a sanity check: From my understanding, this is not a cryptographic flaw, but a design choice. It's pretty much the same choice Microsoft took when it comes to TPMs. You can extract the decryption key from the TPM if you choose auto unlock. It's convenient and better than nothing! You want more security? Set a PIN and use the computed value from TPM and PIN! If you would want to make YubiKeys really secure, you'd have to disallow using them without any other knowledge factor. If you store a private key in hardware and don't compute it through any password/pin (other factor NOT stored on a HSM) to receive the relevant result for decryption, you will always be able to read the private key from the hardware easily or through a complex side-channel attack. In my mind thats logical and I see everything around that as security through obscurity. Any value from HSMs has to be computed with an unknown knowledge factor to be secure. Curious to hear your thoughts.

The recent cryptographic flaw in YubiKeys is a significant concern, as it could potentially allow attackers to clone these critical security devices. This vulnerability underscores the importance of staying informed about the latest security issues and regularly updating your defenses. For more on how to protect yourself against such threats, check out my profile where I share up-to-date insights and strategies in cybersecurity.

It looks like this only involves the PKi part on the Yubikey. With the right CMS you are able to easy revoke the user cert when the key is lost or stolen. I don't see the risk.

YubiKey is really the choice for endpoint security in company

Commenting for visibility to my network. Any thoughts? ------- 🔍 Follow The ITSM Practice Podcast on LinkedIn for daily insights on ITSM and IT Security. 🎧 Check out The ITSM Practice Podcast on Spotify: https://shorturl.at/8Ao5T #itil #itsecurity 

Thank you for sharing