Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
YubiKey < 5.7 (2024/05) side channel attack
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
CaptainBlood
Advocate
Advocate


Joined: 24 Jan 2010
Posts: 3848

PostPosted: Sun Sep 08, 2024 6:16 pm    Post subject: YubiKey < 5.7 (2024/05) side channel attack Reply with quote

Ars Technica
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Back to top
View user's profile Send private message
Zucca
Moderator
Moderator


Joined: 14 Jun 2007
Posts: 3687
Location: Rasi, Finland

PostPosted: Sun Sep 08, 2024 6:34 pm    Post subject: Reply with quote

first_citazen wrote:
the adversary gets physical access to the victim’s device during a limited time frame...

if this is happening you have bigger problems than your key being cloned...
rhavenn wrote:
So....this functionally boils down to: don't let anyone make a copy of your Yubikey. No sh**. This has got to be one of the most hyper-targeted spear phishing attack vectors. I'm glad someone figured this out and now that it's known to be possible a fix can be made, but for 99.99999% of the people who even use Yubikey's this is a non-issue.

TLDR: If a random hot guy / girl asks to see your Yubikey at the bar...say no.
pokrface wrote:
Yeah, I'm not rushing out to replace the Yubikey that I keep plugged into the USB-C outlet on the mac studio literally sitting on the desk in front of me. If an attacker gets that key, they've broken into my house and shot me. At that point, they can have it.
Comments are golden.
To me this sounds like a non-issue to most. And not really an issue for Gentoo.
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
Back to top
View user's profile Send private message
spica
Guru
Guru


Joined: 04 Jun 2021
Posts: 329

PostPosted: Mon Sep 09, 2024 7:55 am    Post subject: Reply with quote

I guess since thinkpad's smartcard readers are enshielded with a metal cover, and even they're sitting on a separate bus, someone has already taken care of this, and the approach highlighted in the article is applicable to uncovered devices like usb dongles etc
Back to top
View user's profile Send private message
pa4wdh
l33t
l33t


Joined: 16 Dec 2005
Posts: 881

PostPosted: Mon Sep 09, 2024 12:51 pm    Post subject: Reply with quote

It's indeed not as bad as it seems. Since yubikeys are a security product they have to take it seriously, but in practice there is no problem.

They need to have your yubikey, which at itself should be a difficult thing to do. After that they have to open it and return it to you in a way you won't notice what happened.
If you've ever seen a yubikey, you'll know that opening it will damage it in such a way you are going to notice it :wink:
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum