What's the risk from fake Yubikeys?
I found this on a security-related Slack (shared with permission).

It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.
We all know the risks of taking a free USB drive and shoving it in our computer, right?

USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!
So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?
And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".
Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.
A device with a built-in transmitter might send an OTP to an attacker but, again, useless without the other authentication factors.
The devices could be set up to deliberately fail - or be revoked. That could work as a denial of service attack against users. But most services allow you to have a backup authentication method.
There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.
A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.
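On the cloned-device point above, there is a check a relying party can run that the post doesn't mention: FIDO2/WebAuthn authenticators report a signature counter with every assertion, and the WebAuthn spec tells the site to reject an assertion whose counter is not strictly greater than the last one it stored, because a counter that goes backwards means two devices are signing with the same key. The following is an added example (not code from the original post, and not Yubico's or any library's implementation) of that relying-party logic, run over constructed counter sequences. The `RelyingParty` class, the credential names and the counter values are all assumptions made for the demonstration.

```python
# Added example: relying-party clone detection using the WebAuthn signature
# counter (signCount). The class, names and sample values are constructed for
# this illustration and are not from the original post.
from dataclasses import dataclass


@dataclass
class StoredCredential:
    credential_id: str
    sign_count: int = 0        # last counter value the site accepted
    flagged_clone: bool = False


class RelyingParty:
    """Minimal stand-in for the server side of a WebAuthn login."""

    def __init__(self) -> None:
        self.credentials: dict[str, StoredCredential] = {}

    def register(self, credential_id: str, initial_count: int = 0) -> None:
        # At registration the authenticator's current counter is stored.
        self.credentials[credential_id] = StoredCredential(credential_id, initial_count)

    def verify_assertion(self, credential_id: str, sign_count: int) -> str:
        """Apply the counter rule from the WebAuthn spec (section 6.1.1).

        If either the stored or the presented counter is non-zero, the
        presented value must be strictly greater than the stored one.
        A counter that stalls or goes backwards indicates a second device
        signing with the same private key, i.e. a suspected clone.
        Returns 'ok', 'clone-suspected' or 'unknown-credential'.
        """
        cred = self.credentials.get(credential_id)
        if cred is None:
            return "unknown-credential"
        if cred.flagged_clone:
            # Once a clone is suspected, keep refusing until an admin resets it.
            return "clone-suspected"
        if sign_count == 0 and cred.sign_count == 0:
            # Authenticator does not implement a counter: no detection possible.
            return "ok"
        if sign_count <= cred.sign_count:
            cred.flagged_clone = True
            return "clone-suspected"
        cred.sign_count = sign_count
        return "ok"


def demo() -> dict:
    """Run three constructed scenarios and return the outcomes."""
    rp = RelyingParty()

    # Scenario 1: a genuine key used three times, counters 1, 2, 3.
    rp.register("cred-genuine")
    genuine = [rp.verify_assertion("cred-genuine", c) for c in (1, 2, 3)]

    # Scenario 2: the key was cloned when its counter stood at 3. Both
    # devices now present 4 on their next use; whichever signs second is
    # the one that gets caught, which may be the legitimate owner.
    owner_next = rp.verify_assertion("cred-genuine", 4)
    clone_next = rp.verify_assertion("cred-genuine", 4)

    # Scenario 3: an authenticator that always reports 0 (counter unsupported);
    # a clone of such a key is invisible to this check.
    rp.register("cred-no-counter")
    counterless = [rp.verify_assertion("cred-no-counter", 0) for _ in range(2)]

    return {
        "genuine": genuine,
        "owner_after_clone": owner_next,
        "clone_after_owner": clone_next,
        "counterless": counterless,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats fall out of the scenarios: detection fires on the second of the two devices to be used, so the site may lock out the real owner rather than the attacker and should treat the flag as "reset this credential" rather than "block this person"; and authenticators that report a counter of zero (some implement none) give the site nothing to compare, which is why this is a useful signal rather than a guarantee.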
So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?
More comments on Mastodon.