• jqubed@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    4 months ago

    It doesn’t affect their newest keys, but you can’t upgrade an older key to fix it:

    All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

    • 🖖USS-Ethernet@startrek.website
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      edit-2
      4 months ago

      Which is why I’m now questioning why I even bought them to begin with. Any time a security flaw is found I need to spend another $50-60. Seem crazy and wasteful.

      • jqubed@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 months ago

        Reading the article I think most people don’t need to worry about upgrading because of this flaw; this would be a very targeted attack. And I can understand not letting the firmware upgrade; I’m pretty sure I’ve seen examples of nation-state hacks for phones that involve attackers installing an “upgraded firmware” that disables security protections to access otherwise secured info. But yeah, cost is definitely a risk with this design.