"The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday."

well duh, that's the whole point of it?

i think the fingerprint enabled devices have a countermeasure that they require a fingerprint match to work but that can also be spoofed much the same as an electrical fucking contact

TL;DR: keep your yubikey on you at all times ffs

nostr:nevent1qyghwumn8ghj7mn0wd68ytnvv9hxgtcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszrnhwden5te0dehhxtnvdakz7qgkwaehxw309a5xjum59ehx7um5wghxcctwvshszxthwden5te0wfjkccte9ehx7umhdpjhyefwvdhk6tcqypmsh5pgfgj3r0j57q7xqevn6u6myxpt8lksk8wsthnm3fmnytz02s35vcs

Discussion

TL;DR - yubi key up your butt or HFSP

probably consider getting a new auth key doodle

but honestly, the "hidden" functions of the device have turned out to be mostly useless for me, the one thing i use it for now is basically an instant password sender as a virtual USB keyboard

which is instantly cloneable of course lol

the other stuff, pssh, honestly, what i know about elliptic curve cryptography and security

THERE IS NO DEVICE EXISTING THAT SIMPLY ACCEPTS A HASH AND SENDS BACK A SIGNATURE

and this is a market aching need, right now, and it's not that hard to fix, i'm pretty sure there are devices that can boot in a second that have computational capacity to make a signature only, and nothing else

btw, did you know:

standard google authenticator uses SHA1 hashes

sooner or later one ought to plant face to some of horror stories, and deal with its resolution the best possible so risk of getting rekt if otherwise...

honestly, i just want a little thing that signs a hash when i plug it in... then there is no cloning risk

only stealing risk

in that case the goal is not collision resistance but generating unique numbers from a secret and timestamp

which has still not been attacked successfully

t-y m

I think many of the older versions are just PIN protected. I'd assume that means they can be cloned without PIN?

that's pretty messed up

anyhow, i want a nostr signer usb, with a number pad, capacitative touch screen but epaper, and every time it gets a signal to input it scrambles the 9 numbers so you don't leave a consistent pattern on the surface, and all it does is accept a message hash and return a signature, and it has a timeout, like 5 minutes, so you don't have to input the pin every time if you keep using it, only when you stop for 5 minutes

can i get a grant to build this

the more concerning part is that this applies to other infineon chips like smart cards

this doesn't include NFC capable devices like credit cards tho?

they also share the same crypto libs, but those use symmetric crypto usually

*yawn* Evil Maid attacks are so 2000.