Generally I agree, but if you have a backup yubikey somewhere you better be extra sure it's (physically) secure. Sounds like worst case scenario they clone a backup and you never know it's been cloned and you don't know you need to cycle new keys. If someone physically steals your physical yubikey you at least know it's a good idea to detach that from your accounts.
@@iotkualt even with a backup, there's a lot of ifs that have to pan out in their favor to be able to clone your key, but if they have access to your backup key without you knowing about it, that does mean they might be in a position to do some of the other things necessary to actually clone it. It is within some people's threat model, seriously. Just … not most of us.
@@attribute-4677 have you not seen how mobile numbers are ported illegally, these guys steal the tablets directly from the cellular stores to achieve this. If you are a target the stealing of an yubi key is the easy part. Especially if I can clone it and return it and you would be unaware.
Back in 1996, the world saw one of the first big side-channel attacks when a group of researchers cracked an RSA encryption key using nothing but power analysis. It’s wild to see how those same techniques are still relevant today with devices like Yubikey.
Might be kind of a stupid suggestion, but from what I read... you not only have to have physical access to the Yubikey, the attacker also needs to open the case up to expose the logic board in order to make an electromagnetic reading with a probe or something like that right? So... aren't there any tamper proof stuff to detect that this happened? Like, something as simple as one of those tamper proof tapes? I mean, there's likely a way to go through those too, but just adding up stuff to make it even harder to pull this off undetected.
Yes, but the sort of entity that is capable of just somehow pulling off the rest of this can probably have prepared a replacement yubikey housing and have someone from another team replicate every scratch on it while another extracts the data. They're also going to need your PIN and other credentials.
I dont love that this is a firmware issue. Im finding the concept of hardware security increasingly appealing "This can't happen because it is physically impossible". Like data diodes for example. You could spend months trying to secure a network and you'll fail or someone will plug in a USB they found in the parking lot because they were dropped on their head as a kid OR you could solder a data diode for outbound communication onto the machine, then rip out all the other ports and wifi/bluetooth chips. If its critical for something to behave a specific way and never behave in another way... make it a physical property of that thing.
Once you say it can be done, a bored hacker will figure it out. Don't say it will take thousands of dollars and a city state level hack team.. You’ve just made a challenge to some ADHD hackers in his parent’s basement who will have the hack running in two weeks using an old Raspberry Pi and a Lumia 920.
you are right its just matter of time when someone figures out more efficient way to do it. Also i guess one time investment could help in compromising multiple keys. I think yubikeys are still small set of users so there could be other vulnerable devices which have higher threats
What does ADHD have to do with it? As a matter fact, ADHD would likely keep someone from actually spending the time to accomplish something so focused… 😂
Even if the keys on the beside table. There are 10 different ways of getting it. So be sure to store it somewhere outnof sight and reach. Locked. Don't leave it in PC port either.
Have long-assumed this must be the case and wondered when someone would make it obvious to those for whom it already was sufficiently not. Remember the nsa's ANT catalog from 2015 or so? Still published on Wikipedia for anyone wanting a refresher. That considered, why would anyone assume they aren't a big enough target for a nation that snoops on all of us to see to it yubikeys ordered online arrive pre-cloned? Shipping them precloned from Amazon probably covers 80% of them.
i got a sextortion mail. the email told they had footage of me but me webcam is on top of my pc case & because of that it is 55cm high & looks to the left
If someone gets physical hold of your Yubikey, you’ve got bigger problems
Generally I agree, but if you have a backup yubikey somewhere you better be extra sure it's (physically) secure. Sounds like worst case scenario they clone a backup and you never know it's been cloned and you don't know you need to cycle new keys. If someone physically steals your physical yubikey you at least know it's a good idea to detach that from your accounts.
Why go to all that effort if you already have the physical yubikey and pin? This is an academic exercise rather than a threat.
@@debugin1227 You don't want the victim to find out their yubikey has been taken over, so leaving it in his possession will be much more stealthy.
@@iotkualt even with a backup, there's a lot of ifs that have to pan out in their favor to be able to clone your key, but if they have access to your backup key without you knowing about it, that does mean they might be in a position to do some of the other things necessary to actually clone it.
It is within some people's threat model, seriously. Just … not most of us.
@@attribute-4677 have you not seen how mobile numbers are ported illegally, these guys steal the tablets directly from the cellular stores to achieve this. If you are a target the stealing of an yubi key is the easy part. Especially if I can clone it and return it and you would be unaware.
Back in 1996, the world saw one of the first big side-channel attacks when a group of researchers cracked an RSA encryption key using nothing but power analysis. It’s wild to see how those same techniques are still relevant today with devices like Yubikey.
Most new cryptographic chips now implement and anti-side-channel attack countermeasure. It's always going to be a cat and mouse game.
I bought a Yubikey very recently. This cannot be a coincidence. The jig is up, I'm done. Someone tell me how to disconnect from the simulation.
@@Silly-s8n
Just make sure no one steals it.
Always keep it with you. That's it. 😉
Passwords always win
huh?
just keep your yubikey in your mouth so you can eat it in case the feds getcha
@@THE_TROLLS_WIN_BOY
Why not use both?
Real 2FA ftw
Might be kind of a stupid suggestion, but from what I read... you not only have to have physical access to the Yubikey, the attacker also needs to open the case up to expose the logic board in order to make an electromagnetic reading with a probe or something like that right?
So... aren't there any tamper proof stuff to detect that this happened? Like, something as simple as one of those tamper proof tapes? I mean, there's likely a way to go through those too, but just adding up stuff to make it even harder to pull this off undetected.
Yes, but the sort of entity that is capable of just somehow pulling off the rest of this can probably have prepared a replacement yubikey housing and have someone from another team replicate every scratch on it while another extracts the data. They're also going to need your PIN and other credentials.
@@knghtbrd Do they need your PIN? Couldn't you just brute force it once you've replicated the data on the chip?
@@johnsmith8981 No, all keys have a timeout and self-destruct after a number of incorrect PIN attempts.
Is the fact that your yubikey disappeared for a while not enough evidence to suspect something?
Great stuff I need to make a reminder to myself to catch you every week.. I end up playing catch up for like a month
I dont love that this is a firmware issue. Im finding the concept of hardware security increasingly appealing "This can't happen because it is physically impossible". Like data diodes for example. You could spend months trying to secure a network and you'll fail or someone will plug in a USB they found in the parking lot because they were dropped on their head as a kid OR you could solder a data diode for outbound communication onto the machine, then rip out all the other ports and wifi/bluetooth chips.
If its critical for something to behave a specific way and never behave in another way... make it a physical property of that thing.
Thanks for sharing this information!
8:22 But you're not supposed to use email aliases on banking, financial, or important websites right?
😂 "in a world where every website sells your data...and a database will eventually be sold for ransome"
use multiple to create another key set?
Once you say it can be done, a bored hacker will figure it out. Don't say it will take thousands of dollars and a city state level hack team.. You’ve just made a challenge to some ADHD hackers in his parent’s basement who will have the hack running in two weeks using an old Raspberry Pi and a Lumia 920.
you are right its just matter of time when someone figures out more efficient way to do it. Also i guess one time investment could help in compromising multiple keys.
I think yubikeys are still small set of users so there could be other vulnerable devices which have higher threats
What does ADHD have to do with it? As a matter fact, ADHD would likely keep someone from actually spending the time to accomplish something so focused… 😂
@@levifig Ever seen someone with ADHD in hyperfocus?
Thank you
You're telling me the CIA wouldn't bruteforce it
I love the bumper music. What is the exact music.
Uncle Slam - Weirdo Man
This is epic cool
Your other Yubikeys are my Yubikeys!
yubi yubi~
If I were to buy my first Yubikey in the next few weeks, would it have this same vulnerability?
Even if the keys on the beside table. There are 10 different ways of getting it. So be sure to store it somewhere outnof sight and reach. Locked. Don't leave it in PC port either.
Not to mention its a horrible company. I sent back 2, they only paid me for 1.....
Have long-assumed this must be the case and wondered when someone would make it obvious to those for whom it already was sufficiently not. Remember the nsa's ANT catalog from 2015 or so? Still published on Wikipedia for anyone wanting a refresher. That considered, why would anyone assume they aren't a big enough target for a nation that snoops on all of us to see to it yubikeys ordered online arrive pre-cloned? Shipping them precloned from Amazon probably covers 80% of them.
why cant we clone yubi keys so we dont have to pay loads of money for security?
i got a sextortion mail. the email told they had footage of me but me webcam is on top of my pc case & because of that it is 55cm high & looks to the left
Queue XKCD #538