[clug] Yubikeys on Linux

Robert Edwards bob at cs.anu.edu.au
Fri Jun 12 05:42:03 GMT 2009


steve jenkin wrote:
> Robert Edwards wrote on 12/6/09 10:23 AM:
> 
>> As to having someone opportunistically reprogram your yubikey on
>> insertion - this is a real threat at the moment. Locking the
>> reprogramming with a password would fix it, as long as you don't
>> "lose" that password...
> 
>> Cheers,
>>
>> Bob Edwards.
> 
> 
> If what you're saying is correct (I haven't looked at the site), it is a
> major vulnerability.
> 
> Allowing Silent & Promiscuous Reprogramming?!?!
> They gotta fix that...
> As you've pointed out, there's at least one simple & effective process.
> 

Funny thing... Tom Worthington here blogged about my talk last night
even before I gave it:
http://www.tomw.net.au/blog/2009/06/open-source-for-government-security.html

This morning I got a phone call from a guy at Yubico's California office
asking me about how I am going with Yubikeys etc.

He assures me (?) that Yubikeys no longer allow keystrokes to be
generated upon insertion (no more "automatic navigation") and that the
new firmware may/does (I'm not sure) require the encryption key before
it can be reprogrammed.

I am a little concerned that this may lead to making it even harder
to reprogram the devices away from Yubico's servers, as getting the
encryption keys from Yubico is not trivial... (a good thing too...).

My solution suggests multiple keypresses in relatively quick succession.
Agreed, convincing someone to do that may not be hard, and doing it
to someone else's Yubikey whilst they are not watching is also a
possibility, but at least it would mitigate against accidental
opportunistic reprogramming.

Here is yet another attack scenario: it wouldn't be too hard to build
a device that looks like a Yubikey or any USB memory stick that does,
in fact, generate arbitrary and naughty keystrokes and sucker someone
into plugging it into their Windoze or other system and perform all
sorts of evil... The defence against that is not going to be pretty...
(basically, you would need to disable all USB keyboards - hard to do
on most modern desktops. May need dedicated Keyboard USB ports and
no more Yubikeys etc.).

Jon Oxer shows just how "easy" it is to build a gadget to be a USB
keyboard: http://jon.oxer.com.au/blog/id/334 (not really that easy,
but not beyond the capabilities of most hardware geeks).

Cheers,

Bob Edwards.
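
An added example, not part of the original post: a defender-side check for the "memory stick that is really a keyboard" scenario above. It lists every USB interface that declares the HID class and flags those whose device is not on an allowlist. The sample tree, the allowlist and all vendor/product IDs are constructed for illustration; the attribute names follow the Linux sysfs layout under /sys/bus/usb/devices.

```python
import os
import tempfile

HID_CLASS = "03"  # USB interface class for Human Interface Devices

def read_attr(path, name):
    """Read one sysfs attribute file; None if it is absent."""
    try:
        with open(os.path.join(path, name)) as f:
            return f.read().strip().lower()
    except OSError:
        return None

def hid_interfaces(root):
    """Return (vid:pid, interface, protocol) for every HID-class interface."""
    found = []
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:  # interfaces are named like "1-2:1.1"
            continue
        iface = os.path.join(root, entry)
        if read_attr(iface, "bInterfaceClass") != HID_CLASS:
            continue
        dev = os.path.join(root, entry.split(":")[0])
        ident = f"{read_attr(dev, 'idVendor')}:{read_attr(dev, 'idProduct')}"
        found.append((ident, entry, read_attr(iface, "bInterfaceProtocol")))
    return found

def unexpected_hid(root, allowlist):
    """HID interfaces whose device is not on the allowlist."""
    return [h for h in hid_interfaces(root) if h[0] not in allowlist]

def build_sample_tree():
    """Constructed stand-in for /sys/bus/usb/devices; all IDs are made up."""
    sample = {
        "1-1": {"idVendor": "1111", "idProduct": "0001"},      # known OTP token
        "1-1:1.0": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
        "1-2": {"idVendor": "abcd", "idProduct": "1234"},      # "memory stick"
        "1-2:1.0": {"bInterfaceClass": "08", "bInterfaceProtocol": "50"},
        "1-2:1.1": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
    }
    root = tempfile.mkdtemp()
    for name, attrs in sample.items():
        os.mkdir(os.path.join(root, name))
        for attr, value in attrs.items():
            with open(os.path.join(root, name, attr), "w") as f:
                f.write(value + "\n")
    return root

if __name__ == "__main__":
    for ident, iface, proto in unexpected_hid(build_sample_tree(), {"1111:0001"}):
        print(f"unexpected HID interface {iface} on {ident} (protocol {proto})")
```

On a real system, pass /sys/bus/usb/devices as the root. Vendor and product IDs are reported by the device itself, so the allowlist catches unexpected hardware but not a device built to copy a trusted ID.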

