Ok, here's the deal on the "YubiKey cloning attack" stuff:
:eyes_opposite: Yes, a way to recover private keys from #YubiKey 5 has been found by researchers.
But the attack *requires*:
👉 *physically opening the YubiKey enclosure*
👉 physical access to the YubiKey *while it is authenticating*
👉 non-trivial electronics lab equipment
I cannot stress this enough:
✨ In basically every possible scenario you are safer using a YubiKey or a similar device, than not using one. ✨
This entry was edited (2 months ago)
Michał "rysiek" Woźniak · 🇺🇦
•Context:
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
> The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Ars TechnicaMichał "rysiek" Woźniak · 🇺🇦
•This is not to say this is not a big deal: it does make information security people reevaluate certain assumptions related to YubiKeys.
But it is a big deal to a very, very limited number of people.
If this was really a big deal for you, you'd know already and would not need anyone to tell you so.
And even *if* it was a big deal for you, then it would still not be a *practical* attack – just something to ponder and discuss with your infoseccy peers.
So, keep calm and use security keys! 🔑
grin
•Also it feels uneasy that it has been certified that high for that long, but there are no miracles, even in security certifications.
Michał "rysiek" Woźniak · 🇺🇦
•