Skip to main content


Ok, here's the deal on the "YubiKey cloning attack" stuff:

:eyes_opposite: Yes, a way to recover private keys from #YubiKey 5 has been found by researchers.

But the attack *requires*:

👉 *physically opening the YubiKey enclosure*

👉 physical access to the YubiKey *while it is authenticating*

👉 non-trivial electronics lab equipment

I cannot stress this enough:

✨ In basically every possible scenario you are safer using a YubiKey or a similar device, than not using one. ✨

#InfoSec #YubiKey5

This entry was edited (2 months ago)

Context:
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

> The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.

This entry was edited (2 months ago)

This is not to say this is not a big deal: it does make information security people reevaluate certain assumptions related to YubiKeys.

But it is a big deal to a very, very limited number of people.

If this was really a big deal for you, you'd know already and would not need anyone to tell you so.

And even *if* it was a big deal for you, then it would still not be a *practical* attack – just something to ponder and discuss with your infoseccy peers.

So, keep calm and use security keys! 🔑

Along with my agreement and thanks for the detailed posts I'd like to point out that governmental actors can get the key, do their stuff and get it back, as the time it requires seems to be short.
Also it feels uneasy that it has been certified that high for that long, but there are no miracles, even in security certifications.
I am not that sure about the time it requires being "short". But it definitely is a consideration, yes.