Some thoughts on the YubiKey EUCLEAK Vulnerability

submitted by
Style Pass
2024-09-04 16:00:03

It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens.

So, straight off the bat, this reduces the likelihood of attack. Someone would need to actively target you. Of course, if you're the sort of person who secures all their secrets and cryptowallets with a FIDO token, you may be a juicy target!

So, you need to lose your username, password, and token for this attack to be successful. Again, this is unlikely to happen as a "drive-by" attack.

Once the attacker gets your FIDO token, they need to analyse it using "expensive equipment", at a cost of approximately $11,000 according to Ars.

That moves the attack away from the hands of casual criminals. It isn't an insurmountable barrier for organised crime or nation states.
