What's the risk from fake Yubikeys?
I found this on a security-related Slack (shared with permission).

It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.
We all know the risks of taking a free USB drive and shoving it in our computer, right?

USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!
So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?
And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".
Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.
A device with a built-in transmitter might send an OTP to an attacker but, again, that's useless without the other authentication factors.
The devices could be set up to deliberately fail - or be revoked. That could work as a denial of service attack against users. But most services allow you to have a backup authentication method.
There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.
A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.
So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?
Link: shkspr.mobi/blog/2022/03/w…
Comments: news.ycombinator.com/item?id=305771…
Leo says:
How many modern operating systems do that nowadays?
Alexela says:
https://en.wikipedia.org/wiki/Thallium_poisoning#:~:text=Thallium%20poisoning%20is%20poisoning%20that,readily%20absorbed%20through%20the%20skin.