YubiKey 5 Series Hacking
by giogio2021 - November 20, 2021 at 06:00 PM
#1
Modify yubikey firmware to hack a site?

Is it possible to change the firmware to create a password recovery?
Reply
#2
Hackers Show Proofs of Concept to Beat Hardware-Based 2FA
DEF CON hackers show how YubiKeys and RSA tokens can be spoofed and circumvented.

Hardware tokens, small devices that produce a code or plug into your computer, provide possibly the best way to add an extra lock onto your email account. Whereas two-factor authentication sent by SMS can be intercepted, an attacker is probably going to have a harder time getting hold of the unique code these little gizmos generate.

But, it's not impossible. Two security researchers at the annual DEF CON hacking conference in Las Vegas presented several proof-of-concept attacks against popular hardware tokens, including the YubiKey.

https://github.com/rprinz08/StickLock
Reply
#3
Hackers can clone Google Titan 2FA keys using a side channel in NXP chips?

There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that thinking, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.

“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”

interesting article on yubikey firmware programming!

https://www.blackhillsinfosec.com/how-to...e-yubikey/
Reply

 Users browsing this thread: 1 Guest(s)