> A couple of years ago, I had a YubiKey that was affected by a security vulnerability, and to fix the issue, Yubico sent me a brand new YubiKey for free.
Opening with that, this could've been a story about sending trojan YubiKeys to high-value targets.
(For example, a trojan might do stealthy exfiltration of stored data via cellular, have cloned hardware IDs/secrets to aid other attacks, be a sleeper that doesn't hack and risk detection until heuristics on stored data suggest high-value opportunity, etc. Things for which there's an advantage to it being in a YubiKey rather than USB Storage.)
"Hi, this is totally Yubico writing to you. Your YubiKey was affected by a security vulnerability. Please use the enclosed free replacement, which has corrected the problem. For all your most sensitive security needs."
For those reading who do not get the reference, here it is:
Infineon is a company that makes “secure elements”.
In 2017, Infineon announced that the key-generation component of their chips was making RSA keys in a way that could be exploited[1]. Yubico had these secure elements in some of their Yubikey products. In the affected products, it affected key generation for PGP and PKCS#11 keys[2].
Affected customers could self-identify by checking their YubiKey model, firmware version, and how they were using it. If they were affected, they could apply for a free replacement. This was implemented by Yubico sending the affected customer a code to ‘buy’ a free Yubikey from the store.
I remember the vulnerability being widely publicized at the time. The only communications I got from Yubico, if any, were an email asking me to do the check. They did not randomly send me a Yubikey.
My first thought was in response to the title "How to weaponize the Yubikey", and the opening sentence, as if that's what gave the writer the inspiration. When the article didn't go there, I still thought that idea was also interesting.
All the downvotes since you posted your comment suggest that maybe some people then thought I had been criticizing the writer's opsec. But I wasn't, I respect the article, and I should've been more clear.
IIRC, Yubikeys support some form of attestation. You could use this to determine whether or not the Yubikey was a genuine one from the Yubico organization.
This is a neat concept - especially because, unlike a USB Rubber Ducky that looks like a Yubikey, you can actually demonstrate that your Yubikey-as-weapon is a Yubikey. Very devious!
I am surprised someone smart enough to come up with this didn't recognize the phrase "scan codes" or think to just Google them. Would have saved a bit of work for themselves.
I am also surprised Yubikey calls USB HID Usage codes "scan codes" when scan codes are a completely different table; it is indeed in the order the XT scanned the keyboard, as you can see here: https://kb.iu.edu/d/aanc
Me too. These days most of it fails to read like the old days (90's) but maybe that's just me. It is always fun seeing the pictures of the phones / phonebooths.
I'd say this would be capable of fooling even people who are knowledgeable about USB attacks, because they're likely to recognise that it's a YubiKey and presume it's not dangerous. Of course they'd also have less reason to plug it in.
I’m also kicking myself for not making this connection back when I first inadvertently typed gibberish into my documents by accidentally touching my Yubikey.