What's the risk from fake Yubikeys?
I found this on a security-related Slack (shared with permission).
It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.
We all know the risks of taking a free USB drive and shoving it in our computer, right?
USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!
So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?
And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".
Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.
A device with a built in transmitter might send an OTP to an attacker but, again, useless without the other authentication factors.
The devices could be set up to deliberately fail - or be revoked. That could work as a denial of service attack against users. But most services allow you to have a backup authentication method.
There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.
A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.
So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?
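One defensive check that bears directly on the "cloned device" case above is the WebAuthn/U2F signature counter: an authenticator returns a counter that must increase with every assertion, and two devices sharing one private key cannot keep a single counter in step. The code below is an added example (not from the original post or from Yubico); it assumes a relying party that stores the last counter seen for each credential and parses the counter from the standard authenticatorData layout (bytes 33..36, big-endian). The RP ID hash and credential values are constructed.

```python
"""Clone detection via the WebAuthn signature counter (added example)."""
import hashlib
import struct
from dataclasses import dataclass

# Constructed relying-party ID hash, as it would appear in authenticatorData.
RP_ID_HASH = hashlib.sha256(b"example.com").digest()


@dataclass
class StoredCredential:
    """What a relying party keeps per registered credential (hypothetical schema)."""
    credential_id: bytes
    public_key: bytes
    sign_count: int = 0
    clone_suspected: bool = False


def make_auth_data(rp_id_hash: bytes, flags: int, sign_count: int) -> bytes:
    """Build the fixed 37-byte prefix of authenticatorData: rpIdHash | flags | signCount."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_sign_count(authenticator_data: bytes) -> int:
    """Extract the big-endian uint32 signature counter from authenticatorData."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    return struct.unpack(">I", authenticator_data[33:37])[0]


def check_assertion_counter(cred: StoredCredential, authenticator_data: bytes) -> bool:
    """Apply the WebAuthn counter rule; returns False when a clone is suspected.

    If both the stored and the new counter are zero the authenticator does not
    implement a counter, so there is nothing to compare. Otherwise the new value
    must be strictly greater than the stored one; a repeat or a regression means
    another device has been signing with the same key (or the stored state was
    restored from backup), and the credential is flagged for review.
    """
    new_count = parse_sign_count(authenticator_data)
    if new_count == 0 and cred.sign_count == 0:
        return True
    if new_count <= cred.sign_count:
        cred.clone_suspected = True
        return False
    cred.sign_count = new_count
    return True


def demo() -> list:
    """Replay a constructed sequence: counters 5, 6, then 6 again (a clone's view)."""
    cred = StoredCredential(credential_id=b"\x01\x02", public_key=b"constructed")
    results = []
    for count in (5, 6, 6):
        results.append(check_assertion_counter(cred, make_auth_data(RP_ID_HASH, 0x01, count)))
    return results


if __name__ == "__main__":
    print(demo())  # third assertion is rejected
```

The flag is a signal rather than proof: not every authenticator implements a counter, and a legitimate user restoring a server from backup can also produce a regression, so the sensible response is to require a second factor or re-registration rather than to lock the account outright.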
Christopher M0YNG said on mastodon.radio:
@Edent it could present as a Fido token, but also be a "traditional" malicious device?
HackerNewsTop10 said on twitter.com:
What's the Risk from Fake Yubikeys? Link: shkspr.mobi/blog/2022/03/w… Comments: news.ycombinator.com/item?id=305771…
Alex B says:
I'd be most concerned about it having a dual role, e.g. as USB mass storage device that in turn causes the automatic installation of malware operating systems that autorun code from removable media.
Leo says:
How many modern operating systems do that nowadays?
Paul Bowsher says:
It could have a very small set (<10000) of pre-defined private keys to dole out instead of generating a completely random one. You then give out a public key to someone who then assumes they’re sending you something private, but if the attacker intercepts the ciphertext they have a very simple brute force run on their hands. Yubikeys aren’t just MFA, they’re tiny HSMs and used very widely in public key cryptography.
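A relying party never sees a token's private key, but it does see every public key it registers, and a device drawing from a small fixed pool will eventually hand the same public key to two different accounts. The example below (added here, not part of the post or any commenter's code) models that detection: a hypothetical registry indexes registered keys by hash and reports prior owners, and a constructed "pool token" with 50 fixed keys is compared against one that draws fresh random key material. Keys are 32 random bytes standing in for an encoded public key; no real Yubikey behaviour is claimed.

```python
"""Registration-time detection of repeated public keys (added example)."""
import hashlib
import os
import random
from collections import defaultdict


class CredentialRegistry:
    """Hypothetical server-side index of registered public keys, keyed by hash."""

    def __init__(self):
        self._owners = defaultdict(list)  # sha256(pubkey) hex -> [(user, cred_id)]

    def register(self, user: str, cred_id: bytes, public_key: bytes) -> list:
        """Record the credential and return any earlier registrations of this key."""
        digest = hashlib.sha256(public_key).hexdigest()
        duplicates = list(self._owners[digest])
        self._owners[digest].append((user, cred_id))
        return duplicates

    def shared_key_count(self) -> int:
        """Number of distinct public keys registered more than once."""
        return sum(1 for owners in self._owners.values() if len(owners) > 1)


class HonestToken:
    """Constructed model: each credential gets fresh random key material."""

    def new_credential(self):
        return os.urandom(8), os.urandom(32)


# Constructed fixed pool shared by every tampered device (seeded for reproducibility).
_POOL_RNG = random.Random(1234)
KEY_POOL = [bytes(_POOL_RNG.getrandbits(8) for _ in range(32)) for _ in range(50)]


class PoolToken:
    """Constructed model of a tampered device: picks one of the 50 pool keys."""

    def __init__(self, serial: int):
        self._rng = random.Random(serial)  # per-device choice, deterministic by serial

    def new_credential(self):
        return os.urandom(8), self._rng.choice(KEY_POOL)


def simulate(make_token, users: int = 100) -> int:
    """Register one credential per user; return how many registrations collided."""
    registry = CredentialRegistry()
    flagged = 0
    for i in range(users):
        cred_id, pubkey = make_token(i).new_credential()
        if registry.register(f"user{i}", cred_id, pubkey):
            flagged += 1
    return flagged


def simulate_honest(users: int = 100) -> int:
    return simulate(lambda i: HonestToken(), users)


def simulate_pool(users: int = 100) -> int:
    return simulate(lambda i: PoolToken(serial=i), users)


if __name__ == "__main__":
    print("honest tokens, collisions:", simulate_honest())
    print("pool tokens, collisions:", simulate_pool())
```

With 100 registrations drawn from 50 keys the pigeonhole principle guarantees at least 50 collisions, so the check fires long before anyone needs to attempt the brute force the comment describes; the same index also catches a single account registering one key twice under different credential IDs.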
ryan says:
I've purchased more than one USB "WIFI" or "BT" or similar adapter from Aliexpress/Wish that will present as a USB hub of some sort, a ~64MB flash drive, and a USB HID that will try to rapidly run it or send keystrokes (I had one that would as soon as you plugged it in, open the Run window with Win+R and try to type in E:\setup.exe. Why E? No idea)
🏳️🌈 Q (it/its) 🏳️🌈 said on twitter.com:
The web is moving towards webauthn passwordless, at least for low(er) importance services, so I think there might be more scope for harm in the future
Alexela says:
If someone puts poison on Yubikey that is highly toxic by the touch of skin, that would be the worst thing. But maybe it's just a Netflix material. 🙂 https://en.wikipedia.org/wiki/Thallium_poisoning#:~:text=Thallium%20poisoning%20is%20poisoning%20that,readily%20absorbed%20through%20the%20skin.