demounited.blogg.se

Defcon authentication key











#Defcon authentication key verification

On GitHub, anyone can download some code to emulate a YubiKey on an Arduino, a tiny computer similar to a Raspberry Pi. So the researchers took that, but rather than leaving the key as just a naked-looking computer board, they also tried to copy the real YubiKey's appearance to create what they dub a DoobieKey. In a live demo, FitzPatrick and Leibowitz showed that the YubiKey servers recognized their device as a genuine YubiKey.

Although the proof-of-concept version likely wouldn't trick someone in the flesh, Leibowitz also presented a 3D-printed design that could make the key much more convincing.

As for how an attack might work in practice, a hacker might make a batch of DoobieKeys and then hand them out to attendees at crypto-parties, gatherings where people meet to learn about encryption and security. When the victims go and link their fake YubiKey to their Gmail, for example, the attacker also has a copy of their two-factor token.

"It's a supply chain attack; you're modifying them before the user gets them," FitzPatrick told Motherboard.

Christopher Harrell, VP of engineering at Yubico, told Motherboard in an email, "Today's hardware plus supply chain hacking demonstration at DefCon illustrated that when purchasing security products, both software and hardware, choosing a trustworthy source and carefully evaluating procurement and distribution channels are key. At Yubico, we manage our own supply chain and ensure that all factory provisioned device secrets are handled with care and are never exportable. The demonstrated attack did not compromise or bypass any functionality or keying material in the YubiKey."

The researchers also dug into RSA tokens, similar devices that display a code which a user has to enter into their computer. The fake RSA device broadcasts that verification code over Bluetooth.











