Iain McLaren/What happened with YubiKeys and why it is interesting (but a bit of a non-event) from a security perspective

Created Wed, 04 Sep 2024 00:00:00 +0000 Modified Wed, 04 Sep 2024 00:00:00 +0000

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

(1) What are YubiKeys and what are they used for?

YubiKeys are small hardware dongles (see the picture in the linked article) that are commonly used for two-factor authentication. They implement the FIDO (Fast IDentity Online) standard.

YubiKeys are commonly used like house keys, but for computers. Secure laptops and technology systems can be set up so that a user can only access them if that user has plugged in their YubiKey.

(2) What is the problem: YubiKeys can be copied.

Regular house keys can be copied by taking them to a locksmith. YubiKeys are designed so that they cannot be copied even if an attacker has physical access to the YubiKey.

Just as locksmiths can copy house keys, security researchers have now found a way of cloning YubiKeys.

(3) What is the solution: Replace the YubiKeys.

This appears to be a problem with the ‘firmware’, the built-in software on the YubiKey. For security reasons, YubiKeys are designed so that this firmware cannot be updated.

The only solution is to replace the YubiKey with a new one running the latest firmware, which does not have this problem, and to securely dispose of the old YubiKeys.
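Because the firmware cannot be updated, the practical first step for an organisation is an inventory: read the firmware version off each key and flag the ones that are below the first fixed version. The script below is an added example (not from this post, and not Yubico's own tooling); it parses the `Firmware version:` and `Serial number:` lines in the format printed by the `ykman info` command and compares the version against a minimum. The post does not state which firmware version fixes the problem, so the minimum version is a placeholder parameter (`MIN_FIRMWARE`), and the two device outputs are constructed samples rather than captures from real keys.

```shell
#!/bin/sh
# Added example: flag YubiKeys whose firmware is below a minimum version.
# Not part of the original post; the fixed version is a placeholder and the
# sample device outputs below are constructed, not captured from real keys.

# Extract "X.Y.Z" from the "Firmware version:" line of `ykman info` output.
firmware_version() {
  printf '%s\n' "$1" \
    | sed -n 's/^Firmware version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# Extract the serial number, or "?" if the line is missing.
serial_number() {
  sn=$(printf '%s\n' "$1" \
    | sed -n 's/^Serial number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    | head -n 1)
  printf '%s\n' "${sn:-?}"
}

# Return 0 (true) if dotted version $1 is numerically lower than $2.
# Compares major, minor and patch components; missing components count as 0.
version_lt() {
  v1=$1 v2=$2 n=0
  while [ "$n" -lt 3 ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    p1=${p1:-0};   p2=${p2:-0}
    if [ "$p1" -lt "$p2" ]; then return 0; fi
    if [ "$p1" -gt "$p2" ]; then return 1; fi
    case $v1 in *.*) v1=${v1#*.} ;; *) v1='' ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2='' ;; esac
    n=$((n + 1))
  done
  return 1   # equal versions are not "lower"
}

# Print "REPLACE <serial> <version>", "OK <serial> <version>" or
# "UNKNOWN <serial> ?" for one device's `ykman info` text ($1) against
# the minimum fixed firmware version ($2). Always returns 0 so it can be
# used in loops and pipelines.
key_status() {
  ks_ver=$(firmware_version "$1")
  ks_serial=$(serial_number "$1")
  if [ -z "$ks_ver" ]; then
    echo "UNKNOWN $ks_serial ?"
  elif version_lt "$ks_ver" "$2"; then
    echo "REPLACE $ks_serial $ks_ver"
  else
    echo "OK $ks_serial $ks_ver"
  fi
}

# Placeholder: the post does not name the first fixed firmware version.
# Set MIN_FIRMWARE from the vendor advisory for your deployment.
MIN_FIRMWARE=${MIN_FIRMWARE:-5.7.0}

# Constructed sample outputs in the layout `ykman info` prints (not real keys).
SAMPLE_OLD='Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID'

SAMPLE_NEW='Device type: YubiKey 5 NFC
Serial number: 87654321
Firmware version: 5.7.1
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID'

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  key_status "$sample" "$MIN_FIRMWARE"
done
```

To check a key that is actually plugged in, replace the sample text with the live output, for example `key_status "$(ykman info)" "$MIN_FIRMWARE"`, and run it once per key as part of the replacement programme; keys reported as `REPLACE` are the ones to swap out and securely dispose of.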

(4) Is this a major problem if our company uses YubiKeys?

Probably not. As the article points out, actually exploiting this problem requires physical access to the YubiKey, and appears to be very difficult and expensive in practice:

“The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low.”

Very few people and organisations are targets of dedicated nation-state actors willing to invest this amount of time and money.

As always happens when issues like this are identified, security researchers will try to find simpler and cheaper ways of exploiting the problem. In the meantime, YubiKey users can replace their YubiKeys and securely dispose of the old ones.