Yubikey Vulnerability - How Bad Is It?
As the internet lights up with speculation following Ninjalab's disclosure of a side-channel vulnerability in YubiKeys running firmware below 5.7, a few organisations are asking whether this exposes them to any real risk, whether there is a patch (there isn't: YubiKey firmware cannot be updated in the field, so an affected key stays affected for its lifetime) or whether they need to physically replace every device in their business (in the majority of cases, they don't).
To break down the attack methodology (following the Ars Technica summary):
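Since the affected range is defined purely by firmware version, the practical first step for an organisation is to inventory which keys fall below 5.7 rather than replace everything. The script below is an added example; it is not part of the original post and not Yubico's code. It parses the one-line-per-device output of Yubico's `ykman list` command and flags any key whose firmware predates 5.7. The sample output is constructed for illustration, and the `ykman list` line format and the 5.7 cutoff (taken from the post) are the assumptions it rests on.

```python
"""Triage YubiKey firmware versions against the "< 5.7" cutoff.

Added example, not code from the original post or from Yubico.  It parses the
one-line-per-device output of `ykman list` (Yubico's CLI) and flags any device
whose firmware predates 5.7.  SAMPLE_YKMAN_LIST is constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import Dict, List, NamedTuple, Optional, Tuple

# First firmware version NOT affected, taken from the post's "< 5.7" statement.
# Assumption: other Yubico product lines have their own cutoffs; check the vendor advisory.
FIXED_VERSION: Tuple[int, int, int] = (5, 7, 0)

# Constructed sample in the format `ykman list` prints:
#   "<model> (<firmware>) [<enabled interfaces>] Serial: <n>"
# Security Key series devices carry no serial number, so that field is optional.
SAMPLE_YKMAN_LIST = """\
YubiKey 5 NFC (5.4.3) [OTP+FIDO+CCID] Serial: 12345678
YubiKey 5C (5.7.1) [OTP+FIDO+CCID] Serial: 23456789
Security Key NFC (5.2.7) [FIDO]
YubiKey 5 NFC (5.7.0) [OTP+FIDO+CCID] Serial: 34567890
"""

LINE_RE = re.compile(
    r"^(?P<model>.+?) \((?P<fw>\d+(?:\.\d+){0,2})\) \[(?P<modes>[^\]]*)\]"
    r"(?: Serial: (?P<serial>\d+))?$"
)


class Device(NamedTuple):
    model: str
    firmware: Tuple[int, int, int]
    serial: Optional[str]
    affected: bool


def parse_version(text: str) -> Tuple[int, int, int]:
    """'5.7' -> (5, 7, 0); '5.4.3' -> (5, 4, 3).  Numeric, not lexicographic."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected firmware version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the firmware predates the fixed release.  Tuple comparison keeps
    5.10 above 5.7; a naive string compare would get that backwards."""
    return parse_version(version) < FIXED_VERSION


def parse_ykman_list(output: str) -> List[Device]:
    """Parse `ykman list` output.  Fail loudly on a line we do not understand so
    an inventory never silently drops a device."""
    devices: List[Device] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised ykman line: {line!r}")
        devices.append(Device(
            model=m["model"],
            firmware=parse_version(m["fw"]),
            serial=m["serial"],
            affected=is_affected(m["fw"]),
        ))
    return devices


def summarize(devices: List[Device]) -> Dict[str, int]:
    """Count affected vs. unaffected keys for a quick fleet report."""
    affected = sum(1 for d in devices if d.affected)
    return {"affected": affected, "not_affected": len(devices) - affected}


def live_inventory() -> List[Device]:
    """Run the real `ykman list` for the keys plugged into this machine."""
    if shutil.which("ykman") is None:
        raise RuntimeError("ykman not installed; pip install yubikey-manager")
    proc = subprocess.run(["ykman", "list"], capture_output=True, text=True, check=True)
    return parse_ykman_list(proc.stdout)


if __name__ == "__main__":
    for d in parse_ykman_list(SAMPLE_YKMAN_LIST):
        fw = ".".join(map(str, d.firmware))
        print(f"{d.model:<18} fw {fw:<7} serial {d.serial or '-':<9} "
              f"{'AFFECTED (< 5.7)' if d.affected else 'ok'}")
```

`ykman list` only reports keys plugged into the machine running it, so a fleet-wide view means collecting this output per workstation (or matching the serial numbers against your issuance records). The version comparison is deliberately numeric: a string comparison would rank 5.10 below 5.7 and mark a fixed key as affected.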
- The adversary steals the login and password of a victim's application account protected by FIDO (e.g. via a phishing attack).
- The adversary gets physical access to the victim's device for a limited time without the victim noticing. In practice this means opening the YubiKey's casing to expose the logic board so that measurement equipment can be placed against the chip while it operates, and holding on to the device for a significant period: think hours, not minutes.
- Using the credentials stolen in step one, the attacker repeatedly triggers FIDO authentications against the account so that the key performs signing operations, and captures electromagnetic side-channel measurements of each one.
- Before the device is returned, it must be reassembled in a casing indistinguishable from the original so that the tampering is not noticed.
- The device must then be returned to the victim without them noticing. If the user notices the loss of the device, resetting the password or revoking the YubiKey's registration on the account (ideally both) defeats the attack, since the attacker needs the password as well as the cloned key.
Let's look at some of the equipment required to perform the attack:
- The Langer ICR Near Field Microprobe - https://www.langer-emv.de/en/product/near-field-microprobes-icr-hh-h-field/26/icr-hh500-6-near-field-microprobe-2-mhz-to-6-ghz/108
- The Thorlabs PT3 - https://www.thorlabs.com/thorproduct.cfm?partnumber=PT3#ad-image-0
- Dino-Lite AM4113TL - https://www.dino-lite.eu/en/am4113tl
- Pico Technology PicoScope 6424E oscilloscope - https://www.picotech.com/oscilloscope/6000/picoscope-6000-overview
- LeCroy WavePro 254HD oscilloscope - https://www.teledynelecroy.com/oscilloscope/wavepro-hd-oscilloscope/wavepro-254hd
Very little of this equipment is something you'd have lying around, and it could not easily be carried in, say, a laptop bag. Factor in the time needed for the side-channel measurements themselves (which, given the similarity to the same researchers' earlier attack on the Google Titan key, took between 10 and 16 hours), and for the majority of users we would be more concerned about the possibility of a "wrench attack" than about an adversary cloning their YubiKey. The exception is the small set of users whose threat model genuinely includes a well-resourced adversary with repeated, unnoticed physical access; for them, replacing keys with devices on firmware 5.7 or later is a reasonable call.