What’s the risk from fake Yubikeys? – Terence Eden’s Blog

source link: https://shkspr.mobi/blog/2022/03/whats-the-risk-from-fake-yubikeys/

I found this on a security-related Slack (shared with permission).

[Image: Fake.png]

It launched an entertaining discussion about the risks of taking a potentially fake FIDO token.

We all know the risks of taking a free USB drive and shoving it in our computer, right?

[Meme image]

USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics!

So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token?

And - at the risk of invoking Cunningham's law - I think the answer is a cautious "no".

Other than the risks inherent in any USB device, what's the worst that could happen? A cloned device might let an attacker have a duplicate key. But that's useless unless they also have your username and password.
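The cloned-key case above is the one a relying party can actually notice: every WebAuthn assertion carries a signature counter that a genuine token increments, and a copy that resumes from the copied value eventually presents a stale count. The following is an added example of that server-side check, not code from the post; the `StoredCredential` record, helper names and the scenario values are constructed for illustration.

```python
from typing import List, Tuple
from dataclasses import dataclass


@dataclass
class StoredCredential:
    """Relying-party record for one registered FIDO credential (hypothetical)."""
    credential_id: str
    sign_count: int = 0          # highest counter value the RP has accepted so far
    clone_suspected: bool = False


class ClonedAuthenticator(Exception):
    """Raised when an assertion's counter is not greater than the stored one."""


def check_sign_count(cred: StoredCredential, asserted_count: int) -> bool:
    """WebAuthn assertion check: the authenticator's signCount must strictly increase.

    Returns True when the assertion is accepted. Both counters at zero means the
    authenticator does not implement a counter (common for synced passkeys), so
    the check is skipped and no clone detection is possible for that credential.
    """
    if asserted_count == 0 and cred.sign_count == 0:
        return True
    if asserted_count > cred.sign_count:
        cred.sign_count = asserted_count
        return True
    cred.clone_suspected = True
    raise ClonedAuthenticator(
        f"{cred.credential_id}: counter {asserted_count} <= stored {cred.sign_count}"
    )


def simulate_cloned_key() -> Tuple[List[str], bool]:
    """Constructed scenario: a token is copied after three uses (counter 3).

    The genuine key and the clone both continue from 3. Whichever is used second
    presents a counter the RP has already seen, which is the clone signal.
    """
    cred = StoredCredential("cred-demo", sign_count=3)
    events = [("genuine", 4), ("genuine", 5), ("clone", 4)]   # constructed logins
    log = []
    for label, count in events:
        try:
            check_sign_count(cred, count)
            log.append(f"{label} count={count} accepted")
        except ClonedAuthenticator as err:
            log.append(f"{label} count={count} REJECTED ({err})")
    return log, cred.clone_suspected
```

The check only says that two devices share one key, not which one is the clone, so the usual response is to flag the credential and require the backup factor rather than to lock the account outright.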

A device with a built-in transmitter might send an OTP to an attacker but, again, useless without the other authentication factors.

The devices could be set up to deliberately fail - or be revoked. That could work as a denial-of-service attack against users. But most services allow you to have a backup authentication method.

There may be some sites which only use a token for login - eschewing passwords - but that's rare, I would hope.

A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness. I guess an attacker could force open a browser window to download malicious software, but that would be fairly obvious to a user.

So, go on then, prove me wrong. What's the worst thing that can be done with a compromised Yubikey?
