What's the risk from fake Yubikeys?


I found this on a security-related Slack (shared with permission).

Anyone at the Government ICT conference? Yubico are doing free Yubikeys. Well, I presume it is Yubico...

It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.

We all know the risks of taking a free USB drive and shoving it in our computer, right?

Meme in the style of "You Wouldn't Download A Car" saying "You wouldn't take a free USB stick.

USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!

So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?

And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".

Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.

A device with a built in transmitter might send an OTP to an attacker but, again, useless without the other authentication factors.

The devices could be set up to deliberately fail - or be revoked. That could work as a denial of service attack against users. But most services allow you to have a backup authentication method.

There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.

A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.

So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?


7 thoughts on “What's the risk from fake Yubikeys?

  1. Alex B says:

    I'd be most concerned about it having a dual role, e.g. as USB mass storage device that in turn causes the automatic installation of malware operating systems that autorun code from removable media.

    1. Leo says:

      operating systems that autorun code from removable media

      How many modern operating systems do that nowadays?

  2. Paul Bowsher says:

    It could have a very small (<10000) pre-defined private keys to dole out instead of generating a completely random one. You then give out a public key to someone who then assumes they’re sending you something private, but if the attacker intercepts the ciphertext they have a very simple brute force run on their hands. Yubikeys aren’t just MFA, they’re tiny HSMs and used very widely in public key cryptography.

  3. ryan says:

    I've purchased more than one USB "WIFI" or "BT" or similar adapter from Aliexpress/Wish that will present as a USB hub of some sort, a ~64MB flash drive, and a USB HID that will try to rapidly run it or send keystrokes (I had one that would as soon as you plugged it in, open the Run window with Win+R and try to type in E:\setup.exe. Why E? No idea)

Leave a Reply

Your email address will not be published. Required fields are marked *