Lenovo
Eucleak: Is Your Yubikey Still Secure?
Eucleak: Is Your Yubikey Still Secure?
#Eucleak #Yubikey #Secure
“Lawrence Systems”
YubiKey 5, a popular two-factor authentication device, has been found to have a security vulnerability. In this video I explain how this flaw allows attackers to clone the device if they can get physical access to it.
The EUCLEAK write up and…
source
To see the full content, share this page by clicking one of the buttons below |
If they go through that much effort they can have the key. I am keeping my key as this is really extremely unlikely in the wild.
Still vulnerable to a rubber hose attack.
Good for state sponsored Agent 007 type attacks against high profile targets. Steal key, clone key, give back key before it's noticed it's gone and no one is none the wiser. PROFIT!!! It's perfect!😅
Thanks Tom. I think my biggest personal issue with using a Yubikey remains losing the physical key
where did you get that t-shirt?
I don't use Yubikey but use auth apps works just a good
Of course it is.
For 99% of people.
What do I think? If I find one of my two yubikeys missing, I'm opening up my password manager where the record of my yubikey uses is saved, revoking that key from all uses, and moving to my other yubikey until I fashion a replacement together.
Not rocket science.
Thanks
Worst.. Now, there is no guarantee that when you buy a Yubico key, its private key hasn’t been extracted before. Anyone in the chain from manufacture to the post could have your private key.
This is about as likely to happen as the physical TPM attacks on certain laptops with discrete TPM modules.. Just cause it can be done doesnt mean its going to be done. Cool from an acedemic perspective though, and it could lead to better security in the future
Do you know if Nitrokey is affected as well?
https://www.explainxkcd.com/wiki/index.php/538:_Security
as always, a relevant XKCD
first
isn't the PIN only required for Passkeys/Fido2 ? I though Fido U2F is not requiring any Pin and is basically just Plug&Play. I agree that for most of the people this vulnerability is not a big risk.
If someone wants to go through all of that to get into a Yubikey, they can have it.
I find this is more of an issue for corporations that provide the ubikey as a means for easy management of authentication. So, if I leave the company but I am able to still get hold of the private key I can still access things I should not, provided they don't change the access.
Something missed here as well is this only affects older keys. So if you are buying / have bought keys with firmware 5.7.0 and higher, this attack vector doesn't affect you. And if you are not the real 007, probably don't have to worry about this one. And if you are Trump, you are not using these even though there are programs specifically tailored to provide Yubikeys to election campaigns like his, instead getting compromised because they didn't use these keys at all and fall for phishing emails. Look it up.
great video, alot of reporting for a nothing burger
As soon as somebody has physical access “all bets are off”. It doesn’t matter what the technology is.
The point of the key is to stop account takeovers.
I am more interested in the new Beta 1 of TrueNAS Scale 24.10 Electric Eel. The switch from Kubernetes to Docker for apps rendered all my TrueCharts installed apps (now truecharts is defunct) not working / not installed. Only a measly 85 apps are in the store now.
Using mobile hardware key on Android and ios is my goto. I don't use my yubi key anymore.
If this is your threat model … oi. But it is a valid threat model for some people.
there website just keep loading on firefox browser poorly made website
To be Honest, I won't replace my older Yubikeys because they do their job. HOWEVER, I will be looking at purchasing new ones down the road and setting my current Yubikeys as backups.
Thanks for the clarity.
So if I understand the threat it's a destructive clone of my key after someone has everything need to use my key along with the physical key. I think I'm good for now.
I got three YubiKeys 5 series with NFC. I have one that with older firmware just before 5.7. However, that key never leaves the house and always attached to my Linux computer which I use to open my KeepassXC database. Plus my KeypassXC database is using triple factor which consists of a master password, keyfile and YubiKey.
I guess if you lose your key and a electromagnetic scientists happens to pick it up and find your accounts you might be screwed 🤷🏻♂️ lol
My OCD kind of wants to replace them cause that scenario would be my luck but then what happens if the next model gets patched from this vulnerability and the next one has another similar vulnerability that someone else discovers.
I feel like reading electrical signals from a key with an oscilloscope would be impossible to patch something like that but this attack is well beyond my pay grade.
Good video! I don't plan on replacing my keys. I keep lists of the few websites (that need this level of security) that I use my Yubikey on. If I loose any Yubikey, I go to those websites and remove that key. If I find that key, I strongly consider throwing it away, as I don't know if it has been stolen.
IMO, the situation discussed by this video shows the weakness of the "password-less" approach – with no other Factor of Authentication, and shows the strength of a 2FA (or Multi-Factor Authentication) where at least one is a truly secure/memorized secret and another is a separate physical and secure "thing" (like the Yubikey).
I have at least 3 yubikeys and I don't think I will be swapping them out just yet. To this day VERY few important sites support any kind of hardware token.
(I am looking at you … every single one of my financial institutions)
But I am pleased at how smooth they work for those few sites I am using them with
slow down motor mouth!
I won't lie. Many of these types of vulnerabilities that researchers such as these bring to light (many, not all!) are a bit over my head. Sure I understand what's going on after it's been explained. But I still find it crazy that they're able to imagine and then implement attacks of this nature to begin with.
Does this particular one worry me? Honestly, not at all. Especially with the fact that it seems to take some time to actually generate the EM activity enough to be able to capture the key. If it was something where it only took a few seconds, or even a couple minutes, that would be far more worrisome.
In the end, I guess a good takeaway would be that if you lose your Yubikey, don't hesitate to remove or disable it from any/every account you have it setup on. If it's a key provided by your employer, ensure that you alert your employer or the company's security team right away! (You should be doing this regardless. This just puts a little more onus on that now)
YubiKey 5C NFC was my worst buy in 2024. Why, because of security vulnerabilities? Nope, because its damn touch sensor doesn't work in environmental temperatures over 80F (26C)! I thought my case was special but Reddit proved me wrong.
Are you ok Tom?
Watched for the info, now I need the shirt.
This reminds me of XKCD 538.
Are you actually important enough to go through a super high-tech, high-knowledge attack… or is it easier to just smack you with a wrench until you give them access?
Seeing I didn't understand anything you said about how to get the info out of the key, I think I'm all set.
What if one epoxy seals the FIDO key ? Before Kingston swallowed up Ironkey, their security USBs were epoxy filled so that any attempt to open it would destructively destroy it. Why didn't a FIDO key maker think of that?
I also find this deeply disturbing that YubiKey is not offering any replacement program etc.
I can definitely see this being misused by some authorities. If I was political figure I’d probably rely on something else.
Would this be able to extract the PIV keys as well?
I need to replace mine anyways because i want to be able to use ED25519 keys with the yubikey (my firmware is too old) so I guess I'll probably wait awhile (take make sure the patched firmware is applied) & buy a new one.
putting on my tin foil propeller hat (it will protect me) 😜