A fake Yubikey next to the real one. Source: Motherboard
Two security researchers at the recent DEFCON conference have demonstrated that even hardware-based 2-factor authentication devices are not as safe as people think they are. They managed to hack two popular devices: the Yubikey and RSA tokens.
The Yubikey is a device resembling a USB drive that, once set up, has to be plugged in every time you log in to an account. So you enter your password and insert your Yubikey into the USB slot. RSA tokens are little devices that generate a random code at fixed intervals (generally every minute), which has to be entered while logging in. The random code is based on a 'seed' value that is unique for every device. Basically, it's like a hardware version of the Google Authenticator app (there are also software RSA token apps that do the same thing).
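The seed-based code generation described above, as an added example that is not code from the original post or from RSA: it uses the open RFC 6238 TOTP algorithm that Google Authenticator implements, not RSA's own algorithm. The 60-second step, the seed and the timestamp are constructed assumptions.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 code: a function of the seed and the current time step only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int,
           step: int = 60, digits: int = 6, drift: int = 1) -> bool:
    """Server check: recompute from its copy of the seed, allowing clock drift."""
    ok = False
    for delta in range(-drift, drift + 1):
        expected = totp(seed, unix_time + delta * step, step, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def provenance_demo() -> dict:
    """Constructed values: one seed held by the server, a token, and a copy."""
    seed = b"constructed-demo-seed"   # assumption, not a real token seed
    now = 1_534_000_000               # constructed timestamp
    token_code = totp(seed, now)      # what the genuine token displays
    copy_code = totp(seed, now)       # what any other holder of the seed computes
    return {
        "codes_identical": token_code == copy_code,
        "copy_accepted": verify(seed, copy_code, now),
        "other_seed_accepted": verify(seed, totp(b"different-seed", now), now),
    }


if __name__ == "__main__":
    print(provenance_demo())
```

The server cannot tell the two holders of the seed apart, which is why where the token and its seed come from matters as much as the algorithm.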
In the case of the Yubikey, the code for making an Arduino emulate a Yubikey is available online, but the unique thing these researchers did is that they also tried to emulate the hardware. They created a fake Yubikey (which they call the 'Doobiekey') and demonstrated the device being successfully registered with Yubikey servers. As for the RSA tokens, what the researchers did was arguably even more impressive. They created custom hardware and software which, after generating a random key, broadcasts it to everyone via Bluetooth.
In the case of the Yubikey, the hack only works when someone is registering the device for the first time. Emulation of a device that has already been registered is not possible. In the case of the RSA token, again, the hack doesn't work with existing devices, because they don't have Bluetooth.
I think the one thing this teaches me is:
Get your device from a trusted source.
That is the one way to ensure that devices like these cannot be hacked. While these devices are incredibly secure during day-to-day use, the one weak point in the chain is when you first set up these devices. Ensuring that the device is genuine, and from a trusted source, will take care of these supply-chain based security vulnerabilities. I think this kind of hack would never work in a corporate setting, because someone who is purchasing these devices for the whole company would never do so (or rather, should never do so) from anyone but the company that manufactures them. I think this attack is much more capable at an individual level.
So, in conclusion, don't buy hardware from sketchy sources.
Sources:
Motherboard Article: https://motherboard.vice.com/en_us/article/8xazek/hackers-show-proof-of-concepts-to-beat-hardware-based-2fa
Yubikey image from Motherboard article. RSA token image from Wikipedia.
Thanks for bringing this up! I'm a big fan of the Yubikey and the title of this article got me a bit worried. Glad to see that the core of it (stored private keys) is still very much secure if handled correctly^^
Thanks for reading