Unpatchable Yubico two-factor authentication key vulnerability breaks the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices

[Redaktion]

An unpatchable Yubico two-factor authentication key vulnerability has broken the security of most Yubikey 5, Security Key, and YubiHSM 2FA devices. The Feitian A22 JavaCard is also vulnerable. Vulnerable 2FA keys should be replaced as soon as possible, especially when used to secure cybercurrency or top-secret information.

https://www.notebookcheck.net/Unpatchable-Yubico-two-factor-authentication-key-vulnerability-breaks-the-security-of-most-Yubikey-5-Security-Key-and-YubiHSM-2FA-devices.883661.0.html

[Doug Rosser]

Article is definitely sensational in nature. If you don't have 100% physical control of your hardware tokens 100% of the time, you should generally consider them compromised.

[Keith Smith]

"Scientists in lab, figure out a way to duplicate a U2F key with a great deal of effort"

Not

"Vulnerability breaks the security" of anything

This is so disingenuous it's not even funny.  Once I hand you my u2f device we are kinda way past the security angle.  This may come as a shock to you but if you lose your house key someone can duplicate it, if it was stamped with your address maybe it's time to change the locks.  So do you think someone is going to go all "Mission Impossible" on you, "borrow" your yubi-key for a few hours, rip it apart, then  using sophisticated equipment clone it, then glue it back together and give it back to you so you never know.  If so you watch too much TV or too many movies.

[T Nguyen]

The attack vector is very small, and this is a very target attack which requires access to the physical key.

I do not think I am big enough a fish for someone to hack into my account.

[Esosil]

Nothingburger. Notebookchat is going on my adblock list...

[McD]

This says you require access to the key for an hour to compromise it.

But once I have your key, I don't need to run a fancy analysis, I have the key itself.

If you give me your newer yubikey without this vulnerability, guess what I can use that one to login too.

[Tan]

No, you don't need to switch to another device. The threat doesn't exist in real life. This article is a clickbait.

[pol]

While I agree with the general click-baity vibe of the article, I'd like to temper it somewhat:

It also depends on where you buy your U2F key from.

So say you purchase legit-looking U2F devices that have, in fact, been cloned, you can be at risk.

You have to be able to trust that whoever manufactured your device won't have a copy of it to sell to someone else. That's part of the reason why yubikeys aren't made in China.

Now an unscrupulous retailer could -- with a bit of effort -- clone the keys it sells, then sell the clones to yet less scrupulous parties.
That's really not ideal from yubico's perspective.
The actual chips are tamper-evident for that reason.

So as long as you can trust the supply chain from yubico to your pocket, there's nothing to fear.

[James Westgate]

This is absolutely patchable on the Yubico device. Upgrade to the latest firmware. See Yubico Support (unable to post link)

[Joe]

This is absolutely patchable on the Yubico device. Upgrade to the latest firmware. See Yubico Support (unable to post link)

The article is full of false information but this is not in that category.

You absolutely can not, in any way, at all...update a Yubikey or any of its contemporaries. Not even Yubico can!

[Joe]

David, you are either intentionally trying to spread misinformation or you have reading comprehensive issue or you are just to dumb to be commenting on these sorts of things.

No radio info is captured...the key must be physically disassembled and the TPM gets physical probes attached

[pyrohornet]

"Scientists in lab, figure out a way to duplicate a U2F key with a great deal of effort"

Not

"Vulnerability breaks the security" of anything

This is so disingenuous it's not even funny.  Once I hand you my u2f device we are kinda way past the security angle.  This may come as a shock to you but if you lose your house key someone can duplicate it, if it was stamped with your address maybe it's time to change the locks.  So do you think someone is going to go all "Mission Impossible" on you, "borrow" your yubi-key for a few hours, rip it apart, then  using sophisticated equipment clone it, then glue it back together and give it back to you so you never know.  If so you watch too much TV or too many movies.

Reading a few stories of what Equation Group has managed to do, and other state actors, it is of a considerable concern, for some, to know such details. For the vast majority of people, you are correct. Most people using yubikeys or similar technologies constantly might be privileged to certain type of confidential / controlled information. Some even more so. Some of those still... might potentially have the sort of secrets a state actor would want to acquire. That's the thing. If you're a nobody you're safe. If you're someone that could be targeted by elites... this is cause for concern.

And as someone mentioned "the probe requires complete disassembly" it was placed right up against the small processor. In theory, a state actor could develop a way that is less intrusive and obvious, such as creating a hidden device that will be in close enough proximity to the 2FA physical key for long enough, that boosts sensitivity to be able to detect and record these signals. Who knows, perhaps you could have it be in a hotel safe hole and there's extra space for this intercepting signal analyser. Someone goes to bed and puts their physical key in the safe before bed... and while they sleep, their key is being analysed. Who knows how sensitive a probe needs to be. Who knows how much the process could be shortened etc. Heck, even the fact that your key could be taken and cloned and returned to you, by these state actors, without your knowledge is enough of a concern for certain special individuals.
Was the security of the key already important? Absolutely. But now you're adding another risk: compromised 2FA. Someone in theory could duplicate a 2FA method and use that for unauthorised access. So you almost have to keep multiple backups but if anything happens to the backups you keep trashing them. Or something.

[Jazzwhistle]

Ridiculous article, disingenuous replies to the comments pointing it out. Even with a key cloned before purchase they'd have no access to anything you subsequently store on the key. 2FA would be at risk if they cloned it after you set it up, but only with your passwords, and passkeys would be safe unless they also know your PIN. DO BETTER!

[MyNameIsntAllowed]

There are so many caveats to this. I use my yubikey for GPG with an RSA key. Am I impacted? No! Would this be a serious threat that I need to consider? No! Does this mean someone can hack me without physical access to my yubikey? No!

As the others have said, incredibly sensationalist.