View previous topic :: View next topic |
Author |
Message |
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3848
|
Posted: Sun Sep 08, 2024 6:16 pm Post subject: YubiKey < 5.7 (2024/05) side channel attack |
|
|
Ars Technica
Thks 4 ur attention, interest & support. _________________ USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
Back to top |
|
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3687 Location: Rasi, Finland
|
Posted: Sun Sep 08, 2024 6:34 pm Post subject: |
|
|
first_citazen wrote: | the adversary gets physical access to the victim’s device during a limited time frame...
if this is happening you have bigger problems than your key being cloned... |
rhavenn wrote: | So....this functionally boils down to: don't let anyone make a copy of your Yubikey. No sh**. This has got to be one of the most hyper-targeted spear phishing attack vectors. I'm glad someone figured this out and now that it's known to be possible a fix can be made, but for 99.99999% of the people who even use Yubikey's this is a non-issue.
TLDR: If a random hot guy / girl asks to see your Yubikey at the bar...say no. |
pokrface wrote: | Yeah, I'm not rushing out to replace the Yubikey that I keep plugged into the USB-C outlet on the mac studio literally sitting on the desk in front of me. If an attacker gets that key, they've broken into my house and shot me. At that point, they can have it.
| Comments are golden.
To me this sounds like a non-issue to most. And not really an issue for Gentoo. _________________ ..: Zucca :..
My gentoo installs: | init=/sbin/openrc-init
-systemd -logind -elogind seatd |
Quote: | I am NaN! I am a man! |
|
|
Back to top |
|
|
spica Guru
Joined: 04 Jun 2021 Posts: 329
|
Posted: Mon Sep 09, 2024 7:55 am Post subject: |
|
|
I guess since thinkpad's smartcard readers are enshielded with a metal cover, and even they're sitting on a separate bus, someone has already taken care of this, and the approach highlighted in the article is applicable to uncovered devices like usb dongles etc |
|
Back to top |
|
|
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 881
|
Posted: Mon Sep 09, 2024 12:51 pm Post subject: |
|
|
It's indeed not as bad as it seems. Since yubikeys are a security product they have to take it seriously, but in practice there is no problem.
They need to have your yubikey, which at itself should be a difficult thing to do. After that they have to open it and return it to you in a way you won't notice what happened.
If you've ever seen a yubikey, you'll know that opening it will damage it in such a way you are going to notice it _________________ The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
Back to top |
|
|
|