
ROCA: Return Of the Coppersmith Attack


Posted Nov 17, 2017 17:34 UTC (Fri) by flussence (guest, #85566)
In reply to: ROCA: Return Of the Coppersmith Attack by tialaramex
Parent article: ROCA: Return Of the Coppersmith Attack

Sounds like Yubico's chickens are coming home to roost. Maybe the expense of having to replace every single unit of their proprietary model will make them rethink their roadmap.



ROCA: Return Of the Coppersmith Attack

Posted Nov 19, 2017 21:42 UTC (Sun) by nix (subscriber, #2304)

The problem here is not "proprietary". The problem is "not field-upgradeable", but... for something like a Yubikey, an absolute guarantee that it cannot be upgraded via the USB port seems distinctly valuable, because it means attackers that get root on a machine using a Yubikey *cannot* replace its firmware and violate its security properties. Perhaps some other way to upgrade it might be provided, but I'm not sure what that might be. Requiring a physical touch, maybe, only lots of other things also require a physical touch and it's not always clear which is being asked for, so an attacker could in theory launch something that looked like it was asking for, say, an HMAC-SHA1 auth with touch, but actually ask for a firmware upgrade, and then you lose...

ROCA: Return Of the Coppersmith Attack

Posted Nov 20, 2017 14:12 UTC (Mon) by tialaramex (subscriber, #21167)

Unlike the "touch to authenticate" step, this is a very rare case, so it might be fine to have it require, say, a weird dance like "hold the touch sensor for 15 seconds, then release it for 15 seconds, repeat this four times before running the update software" or "tap the sensor in the pattern tap; pause; tap-tap-tap; pause; tap; pause; tap-tap-tap; pause; tap".

Unfortunately all these types of solutions are also vulnerable to a problem where somebody nicks your Yubikey, field upgrades it to a version that works against you, then gives it back. Being obliged to send the device away to the manufacturer partly averts this attack. Of course a _very_ sophisticated adversary might be able to produce a look-alike device that suits their purpose and can be substituted quickly, for example by pick-pocketing. For example if you're Bill Browder, then sure, even the current arrangement isn't going to keep you safe from the type of forces able to have your associates murdered with impunity and then blame you for their deaths. But most of us aren't Bill Browder.

