• stoy@lemmy.zip · 15 upvotes · 2 months ago

    The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.

    Meh, doesn’t seem that realistic of an attack yet, but I know that could change.

    • Sonori@beehaw.org · 3 upvotes · edited · 2 months ago

      To be fair, given some of the places and things YubiKeys protect, especially local government, finance, hospitals, and the like, this is one of the cases where a physical attack isn’t beyond the realm of possibility. I’m not cloning a YubiKey with specialized kit to break into a small business, but if it plus a password lets me log in as an accountant at a bank or investment firm on the target’s day off, well then it might be worth it for an attacker.

      • stoy@lemmy.zip · 4 upvotes · 2 months ago

        Yeah, I was thinking that when I wrote the comment, and aimed it at people working for a smaller company or using it in their personal life; I should have been clear on this.

        • Telorand@reddthat.com · 2 upvotes · 2 months ago

          All they would have to do to mitigate the threat is buy new keys. The vulnerability hasn’t been present in their keys since May.

  • Telorand@reddthat.com · 2 upvotes · 2 months ago

    This only affects devices with firmware 5.6 and below—anything before May 2024. If you buy a key now, the vulnerability will be patched.
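The comment above gives a concrete triage rule (firmware 5.6 and below affected, so 5.7 is the first fixed release). The following is an added example, not from the thread or from Yubico, of turning that rule into an inventory check. It assumes the `Firmware version: X.Y.Z` line format printed by `ykman info`; the device outputs below are constructed, not captured from real keys, and the `FIRST_FIXED` boundary is derived from the thread's own statement. It also handles the cases a quick script usually gets wrong: two-component versions, a missing version line, and the lexical-comparison trap where `"5.10" < "5.7"` as strings.

```python
"""Triage YubiKey firmware versions against the fix boundary from the thread.

Added example, not from the original thread or from Yubico. It assumes the
'Firmware version: X.Y.Z' line format printed by `ykman info`; the sample
outputs below are constructed, not captured from real devices.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# The thread states firmware 5.6 and below is affected, so 5.7.0 is treated
# as the first fixed release. Applied literally: any version below 5.7.0 is
# flagged, including two-component versions such as "5.6".
FIRST_FIXED: Version = (5, 7, 0)

_FW_LINE = re.compile(r"^Firmware version:\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$", re.MULTILINE)


def parse_firmware_version(info_text: str) -> Optional[Version]:
    """Return the firmware version as an int tuple, or None if the line is absent.

    Converting to integers matters: comparing the strings "5.10" and "5.7"
    lexically would wrongly rank 5.10 as older than 5.7.
    """
    match = _FW_LINE.search(info_text)
    if match is None:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(info_text: str) -> str:
    """Map one device's info text to 'affected', 'fixed' or 'unknown'."""
    version = parse_firmware_version(info_text)
    if version is None:
        return "unknown"
    return "affected" if version < FIRST_FIXED else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every device in a {label: info_text} inventory."""
    return {label: classify(text) for label, text in inventory.items()}


# Constructed sample outputs in the ykman-info style (not real devices;
# serial numbers are placeholders).
SAMPLE_INVENTORY = {
    "accountant-usb-a": (
        "Device type: YubiKey 5 NFC\n"
        "Serial number: 00000000\n"
        "Firmware version: 5.4.3\n"
        "Form factor: Keychain (USB-A)\n"
    ),
    "replacement-2024": (
        "Device type: YubiKey 5C NFC\n"
        "Serial number: 00000001\n"
        "Firmware version: 5.7.1\n"
    ),
    "future-release": "Firmware version: 5.10.0\n",
    "two-part-version": "Firmware version: 5.6\n",
    "no-version-line": "Device type: YubiKey 5 NFC\n",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {verdict}")
```

In practice the `info_text` for each key would come from running `ykman info` against the plugged-in device; the point of keeping parsing and classification as separate functions is that a device whose output lacks a version line is reported as `unknown` rather than silently treated as fixed.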