What's the risk from fake Yubikeys?
8 comments, 300 words, read ~6,215 times.
I found this on a security-related Slack (shared with permission).
It launched an entertaining discussion about the risks of accepting a potentially fake FIDO token.
We all know the risks of taking a free USB drive and shoving it in our computer, right?
USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!
So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?
And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".
Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device - one whose private key the maker kept a copy of - would give an attacker a duplicate of your second factor. But that's useless unless they also have your username and password.
A device with a built-in transmitter might send an OTP to an attacker but, again, that's useless without the other authentication factors.
The devices could be set up to deliberately fail - or be revoked. That could work as a denial-of-service attack against users. But most services let you register a backup authentication method.
There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.
A Yubikey already presents itself as a USB keyboard in order to type OTPs, so a modified one can be made to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.
So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?
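What a relying party can actually check is the attestation: at WebAuthn registration the token returns an attestation statement whose certificate should chain to the vendor's attestation root and (in the packed format) may carry the token's AAGUID in the id-fido-gen-ce-aaguid extension. The code below is an added example, not code from this post or from Yubico: it mints its own stand-in vendor root and token certificates (the names, keys and AAGUID bytes are constructed; real Yubico roots and AAGUIDs are not reproduced here), then runs the verification against a genuine token, a self-signed look-alike, and a genuine certificate presented with the wrong AAGUID.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-fido-gen-ce-aaguid, the extension the WebAuthn packed attestation
// format uses to bind an attestation certificate to an authenticator model.
var aaguidOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 45724, 1, 1, 4}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mintCert stands in for the vendor's factory (constructed for this example).
// With parent == nil the certificate is self-signed: a vendor root, or a fake
// token vouching for itself. Otherwise it is signed by parentKey.
func mintCert(cn string, isCA bool, key *ecdsa.PrivateKey, aaguid []byte,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if aaguid != nil {
		// The extension value is a DER OCTET STRING holding the 16-byte AAGUID.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: aaguidOID, Value: append([]byte{0x04, 0x10}, aaguid...)}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyAttestation is the relying-party side: the attestation certificate
// must chain to a trusted vendor root, and if it carries an AAGUID extension
// that AAGUID must equal the one the token claimed in its authenticator data.
// A fake can copy the subject name and AAGUID; it cannot get the vendor's
// root to sign its certificate.
func verifyAttestation(attCert *x509.Certificate, claimedAAGUID []byte, roots *x509.CertPool) error {
	if _, err := attCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // attestation certs carry no TLS EKU
	}); err != nil {
		return fmt.Errorf("attestation chain: %w", err)
	}
	for _, ext := range attCert.Extensions {
		if !ext.Id.Equal(aaguidOID) {
			continue
		}
		if len(ext.Value) != 18 || ext.Value[0] != 0x04 || ext.Value[1] != 0x10 {
			return errors.New("malformed AAGUID extension")
		}
		if !bytes.Equal(ext.Value[2:], claimedAAGUID) {
			return errors.New("AAGUID in certificate does not match authenticator data")
		}
	}
	return nil
}

// runScenario returns the verification result for a genuine token, a
// self-signed look-alike, and a genuine certificate with a mismatched AAGUID.
func runScenario() (genuine, fake, mismatched error) {
	vendorKey := newKey()
	vendorRoot := mintCert("Example Vendor Attestation Root", true, vendorKey, nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(vendorRoot)

	aaguid := bytes.Repeat([]byte{0xab}, 16) // constructed; not a real model's AAGUID
	genuineCert := mintCert("Example Vendor Token", false, newKey(), aaguid, vendorRoot, vendorKey)
	genuine = verifyAttestation(genuineCert, aaguid, roots)

	fakeCert := mintCert("Example Vendor Token", false, newKey(), aaguid, nil, nil)
	fake = verifyAttestation(fakeCert, aaguid, roots)

	mismatched = verifyAttestation(genuineCert, bytes.Repeat([]byte{0xcd}, 16), roots)
	return
}

func main() {
	g, f, m := runScenario()
	fmt.Println("genuine token:", g)
	fmt.Println("self-signed fake:", f)
	fmt.Println("AAGUID mismatch:", m)
}
```

The look-alike fails because no trust anchor signed it, not because anything about its behaviour looked wrong. Pinning the vendor root and allow-listing the AAGUIDs you are prepared to accept is the one point in the protocol where a relying party can distinguish a real token from a fake; it says nothing about what other USB roles the same device may expose to the user's machine.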
@Edent it could present as a FIDO token, but also be a "traditional" malicious device?
What's the Risk from Fake Yubikeys?
Link: shkspr.mobi/blog/2022/03/w…
Comments: news.ycombinator.com/item?id=305771…
I'd be most concerned about it having a dual role, e.g. as a USB mass storage device that in turn causes the automatic installation of malware on operating systems that autorun code from removable media.
How many modern operating systems do that nowadays?
It could have a very small set (<10,000) of pre-defined private keys to dole out instead of generating a completely random one. You then give out a public key to someone who then assumes they're sending you something private, but if the attacker intercepts the ciphertext they have a very simple brute force run on their hands. Yubikeys aren't just MFA, they're tiny HSMs and used very widely in public key cryptography.
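The commenter's point, worked through as an added example (not from the comment or from any real device): if a token draws its key from a small fixed pool and the attacker holds that pool, "brute force" is nothing more than comparing public keys. The exchange assumed below is ECDH on P-256 to derive a message secret, one common way such a public key gets used; the pool size, the index and all key material are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// poolSize models the scenario: the crooked factory ships every token with
// one of a few thousand fixed private keys. Constructed; no real product.
const poolSize = 4096

func freshKey() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildPool produces the factory's fixed key set. The attacker keeps a copy.
func buildPool(n int) []*ecdh.PrivateKey {
	pool := make([]*ecdh.PrivateKey, n)
	for i := range pool {
		pool[i] = freshKey()
	}
	return pool
}

// recoverPrivateKey is the entire "brute force": compare the victim's
// published public key against the public half of each pool entry.
func recoverPrivateKey(pool []*ecdh.PrivateKey, victimPub *ecdh.PublicKey) (*ecdh.PrivateKey, bool) {
	for _, k := range pool {
		if k.PublicKey().Equal(victimPub) {
			return k, true
		}
	}
	return nil, false
}

// attackSucceeds plays out the exchange: a sender runs ECDH against the
// victim's token key to derive an encryption secret and sends its ephemeral
// public key alongside the ciphertext. An attacker who captured that
// ephemeral key and holds the pool derives the same secret. Returns true when
// the attacker's secret equals the genuine one.
func attackSucceeds(pool []*ecdh.PrivateKey, victim *ecdh.PrivateKey) bool {
	sender := freshKey()
	realSecret, err := sender.ECDH(victim.PublicKey())
	if err != nil {
		panic(err)
	}
	recovered, ok := recoverPrivateKey(pool, victim.PublicKey())
	if !ok {
		return false // key not in the pool: the attacker has nothing to work with
	}
	attackerSecret, err := recovered.ECDH(sender.PublicKey())
	if err != nil {
		panic(err)
	}
	return bytes.Equal(attackerSecret, realSecret)
}

func main() {
	pool := buildPool(poolSize)
	// A token from the bad batch: its key happens to be pool entry 1234.
	fmt.Println("pooled key compromised:", attackSucceeds(pool, pool[1234]))
	// An honest token generated its own key, so the pool is useless against it.
	fmt.Println("fresh key compromised:", attackSucceeds(pool, freshKey()))
}
```

The work factor is the pool size, a few thousand comparisons, rather than the 2^128 the curve nominally offers; the only defence on the relying-party side is the same as for any weak-key batch, a blacklist of the known public keys once the pool leaks.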
I've purchased more than one USB "WIFI" or "BT" or similar adapter from Aliexpress/Wish that will present as a USB hub of some sort, a ~64MB flash drive, and a USB HID that will try to rapidly run it or send keystrokes (I had one that, as soon as you plugged it in, would open the Run window with Win+R and try to type E:\setup.exe. Why E? No idea).
The web is moving towards webauthn passwordless, at least for low(er) importance services, so I think there might be more scope for harm in the future.
If someone puts poison on Yubikey that is highly toxic by the touch of skin, that would be the worst thing. But maybe it's just a Netflix material. 🙂
https://en.wikipedia.org/wiki/Thallium_poisoning#:~:text=Thallium%20poisoning%20is%20poisoning%20that,readily%20absorbed%20through%20the%20skin.