Conversation

Notices

1. nixCraft 🐧 (nixcraft@mastodon.social)'s status on Wednesday, 04-Sep-2024 19:10:57 JST nixCraft 🐧

   Are you using YubiKey 5 Series with firmware version below 5.7 as FIDO hardware tokens (2FA)? There is a bad news for all users. YubiKeys are vulnerable to side channel attach and there is no firmware update possible to fix this issue. The attack is difficult to carry out as it requires physical access to your key and specialised equipment. https://ninjalab.io/eucleak/

   • Daniele T. (dan_t@mastodon.social)'s status on Wednesday, 04-Sep-2024 19:30:01 JST Daniele T.

     in reply to

     @nixCraft can the firmware be updated somehow or do people have to buy new keys? I don't own one, just curious how it works.

   • hansvschoot (hansvschoot@mastodon.social)'s status on Wednesday, 04-Sep-2024 19:46:40 JST hansvschoot

     in reply to

     @nixCraft IMHO most security goes out the window when you have physical access AND specialised equipment...
     So good that this is found and fixed in newer models, but unless you are guarding state secrets, admin access to high-value targets, or nuclear launch codes, you can probably still use it without losing too much sleep

   • nixCraft 🐧 (nixcraft@mastodon.social)'s status on Wednesday, 04-Sep-2024 19:57:25 JST nixCraft 🐧

     in reply to

     • Daniele T.

     @dan_t No, you can't update firmware on those keys. You have to buy a new one.

   • nixCraft 🐧 (nixcraft@mastodon.social)'s status on Wednesday, 04-Sep-2024 20:00:47 JST nixCraft 🐧

     in reply to

     • hansvschoot

     @hansvschoot haha, that is true. threat models and risk assessments are different for each person.