Keith Wagner

Some thoughts on the YubiKey EUCLEAK Vulnerability

It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad, but it does expose some weaknesses in the very idea of relying on physical tokens: a flaw baked into the hardware cannot be fixed with a software update, so the only remedy for an affected key is replacing it.

It also looks like the attacker will need:

  • Physical access to the key
  • The username and password for the account the key protects
  • Around $11,000 worth of equipment

So yes, it doesn't seem to be an "easy" attack: the key is still only one factor, and an attacker who has your password and your key in hand already has most of what they need. But geez…it's always something.