Mike Stone

Mostly The Lonely Howls Of Mike Baying His Ideological Purity At The Moon

Yubikey Issues

04 Sep 2024

I've been using a Yubikey for quite a while now. I picked up the one I'm using at work. Our corporate IT team just set up a table and asked people if they wanted one, no charge. Why say no to that? It's worked flawlessly for me for years. That is, until now.

It's been in the news lately. A vulnerability has been found in Yubikeys, and it can't be fixed through a software or firmware update: the firmware on these keys is not field-upgradeable, so the only remedy is different hardware. If you have one of the affected keys, you're basically screwed. The advice is to get a new one or stop using the one you have.
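A practitioner's first question is whether their particular key is in the affected range. As an added example that is not part of the original post or Yubico's tooling, the script below parses the output of `ykman info` (the YubiKey Manager CLI) for the "Firmware version:" line and compares it against 5.7, which Yubico's advisory for this issue gives as the first firmware version that is not affected. The two `ykman info` outputs embedded in it are constructed samples, not real captures.

```sh
# Added example (not from the post): decide whether a YubiKey is in the
# affected firmware range by parsing the output of `ykman info`.
# Yubico's advisory gives firmware 5.7 as the first unaffected version;
# that number is the threshold used below.

# Constructed sample of `ykman info` output for an older key (not a real capture).
SAMPLE_OLD='Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID'

# Constructed sample for a key that shipped with newer firmware.
SAMPLE_NEW='Device type: YubiKey 5 NFC
Serial number: 87654321
Firmware version: 5.7.1
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID'

# Print the version string found in the `ykman info` output passed as $1.
firmware_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Firmware version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Exit status 0 if version $1 (major.minor[.patch]) is below 5.7.
version_before_5_7() {
    major=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 7 ]; }
}

# Print a verdict for one `ykman info` output.
# Exit status: 0 affected, 1 not affected, 2 no version line found.
assess() {
    ver=$(firmware_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no firmware version in output"
        return 2
    fi
    if version_before_5_7 "$ver"; then
        echo "affected: firmware $ver is below 5.7"
        return 0
    fi
    echo "not affected: firmware $ver"
    return 1
}

# Usage against a plugged-in key (needs yubikey-manager installed):
#   assess "$(ykman info)"
```

The version comparison is done on the numeric major and minor fields rather than with a string compare, so 5.10 (if it ever exists) sorts after 5.7 as it should.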

But do you?

Looking into this issue, sure, it can't be fixed. But how big a risk is it, really?

According to Yubico, "The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack." So, they need to know me personally and know what my accounts are, and they have to get my Yubikey away from me without my noticing.

OK, don’t let anybody steal your Yubikey. Check.

This feels like a given. If they had my key and intimate knowledge of my accounts, then they could get into my accounts anyway. They don't need to clone my key. The one thing cloning buys an attacker is the chance to hand the key back so the victim never notices and never revokes it, and that still requires the physical access and lab gear Yubico describes. This vulnerability has been classified as "moderate", and I can see where it might be of concern to C-level executives or government types, but nobody in their right mind is going to expend this kind of effort to break into the accounts of some rando IT nerd.

I think I'm safe, and I'll continue to use my Yubikey as long as it works. Replacing it with a new one would be more effort than it's worth.

Day 15 of the #100DaysToOffload Series.



Looking for comments? There are no comments. It's not that I don't care what you think, it's just that I don't want to manage a comments section.

If you want to comment, there's a really good chance I at least mentioned this post on Fosstodon, and you can reply to me there. If you don't have a Mastodon account, I'd suggest giving it a try.

If you don't want to join Mastodon, and you still want to comment, feel free to use my contact information.

Also, don't feel obligated, but if you feel like buying me a ☕ cup of coffee ☕ I won't say no.