• Chemical Wonka@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    4 months ago

    This is the problem of the security model by obscurity, if they had opted for an open source model both in hardware and firmware (like Nitrokey) maybe they wouldn’t be having this problem.

    • Godort@lemm.ee
      link
      fedilink
      arrow-up
      20
      ·
      4 months ago

      I’m not sure I necessarily agree. Your assessment is correct, but I don’t really think this situation is security by obscurity. Like most things in computer security, you have to weight the pros and cons to each approach.

      Yubico used components that all passed Common Criteria certification and built their product in a read-only configuration to prevent any potential shenanigans with vulnerable firmware updates. This approach almost entirely protects them from supply-chain attacks like what happened with ZX a few months back.

      To exploit this vulnerability you need physical access to the device, a ton of expensive equipment, and an incredibly deep knowledge in digital cryptography. This is effectively a non-issue for your average Yubikey user. The people this does affect will be retiring and replacing their Yubikeys with the newest models ASAP.