EUCLEAK attack

Posted Sep 4, 2024 21:56 UTC (Wed) by geuder (subscriber, #62854)
In reply to: EUCLEAK attack by hmh
Parent article: Firefox 130.0 released

> Do read, or at least skim, their paper if you have the time. It is worth it.

I agree. Really understanding the 80+ pages is probably impossible for 99.9% of the readers including myself. But I found it rather accessible to read anyway.

They also say clearly in the beginning: It's safer to use an affected Yubikey than not to use it because of their discovery.

Unless you are Julian Assange, Edward Snowden, or someone with a similarly powerful adversary, there is nothing to be worried about even after this attack.

EUCLEAK attack

Posted Sep 5, 2024 10:01 UTC (Thu) by farnz (subscriber, #17727)

Specifically, for the EUCLEAK attack to be of concern to you, the attacker needs to be able to do the following without getting caught:

  1. Take your Yubikey away from you.
  2. Enroll your Yubikey against a site they control.
  3. Disassemble your Yubikey completely, destroying the packaging in the process.
  4. Spend approximately 5 minutes repeatedly authenticating against their site as fast as possible to gather data.
  5. Put new packaging on your Yubikey such that you're not going to notice in the time frame they need the clone to work for, noting that it will take at least 30 minutes to analyze their data and be able to create a clone.
  6. Return your Yubikey to you.

Steps 1, 3 and 5 are all hard to do without leaving traces, unless you've got powerful backers, and for most of us, the work involved in doing those steps is not worth the gain (access to accounts protected by Yubikey + password).

EUCLEAK attack

Posted Sep 5, 2024 11:49 UTC (Thu) by excors (subscriber, #95769)

Also, as I understand it, the attack is only relevant in a scenario where the attacker can't simply use your Yubikey directly (perhaps in combination with a password that they phished or keylogged from you earlier) and then either keep it or give it back to you. They only need to clone it if they want long-term persistent access to your account, without you noticing and revoking the device. If you're just using a Yubikey to protect your password manager or bank account etc., they could already steal your passwords/money/etc. without this cloning attack, so it's no worse than before. (But in other scenarios it may still be a real problem.)

EUCLEAK attack

Posted Sep 5, 2024 13:14 UTC (Thu) by farnz (subscriber, #17727)

Indeed - and one of the consequences of that is that the attack is only relevant where the attacker has the capability to do a complex process taking about an hour and with risk of getting caught in order to clone your Yubikey, but does not have the capability to take your Yubikey and keep you from noticing that they've done so (e.g. because they've got you in a jail cell) until they've finished extracting everything of value from your accounts.

Doesn't stop it being a cool piece of research, and something we should aim to defend ourselves against in the long run; does mean that it's of limited practical relevance.
