One way to keep your crypto assets secure is by using YubiKey, but there’s a problem. A vulnerability has been discovered that users who purchased a lifetime YubiKey must learn to live with. Let’s first discuss why YubiKey is important for crypto asset security and then talk about its lifelong vulnerability.
What is YubiKey?
FIDO Alliance developed this USB-sized device to assist with identity and password verifications. This authentication device, supporting 2-factor and FIDO2 authentication protocols, keeps your crypto wallets secure. You can think of it as a version designed to protect the passwords of cold wallets commonly used for cryptocurrencies.
It can work offline, allowing you to log in by simply touching the key instead of entering a password, without relying on a phone. This way, you don’t need to store your exchange passwords or other private keys on WhatsApp, email, or paper.
You can also use it by tapping it on your phone thanks to the NFC feature. You can even set this YubiKey as your key when you want to log into your computer. This way, physical access to your computer is not possible while the device is in your possession. This device, compatible with applications like Lastpass and Google Password Manager, can be used not only for your crypto accounts and wallets but for all your accounts.
For extra security, some users buy 2 YubiKeys, using one actively and keeping the other as a backup or recovery key.
YubiKey Security Vulnerability
Everything is perfect unless someone holds a gun to your head and takes your YubiKey. However, a significant security vulnerability that you need to get used to living with was recently discovered. Cybersecurity experts found a vulnerability in YubiKey two-factor authentication keys that allows the device to be cloned. This vulnerability was discovered in the Infineon crypto library used by almost all products, including the following series:
- YubiKey 5
- Yubikey Bio
- Security Key
- YubiHSM 2
Yubico stated that this security vulnerability is of moderate severity and difficult to exploit. Experts mentioned the following details in their comments on what to watch out for:
“An attacker would need to have physical possession of the YubiKey, Security Key, or YubiHSM, have knowledge about the accounts they want to target, and require special equipment to carry out the attack. Depending on the use case, the attacker might also need additional information such as username, PIN, account password, or authentication key.”
Although it seems difficult, attackers who believe they can access a significant amount of assets might overcome this challenge. In state-sponsored attacks, the success rate is higher because access to much information is easier. Additionally, knowing how extensively teams like Lazarus work and infiltrate companies, investors holding large amounts of assets need to be much more cautious.
Since YubiKey firmware cannot be updated, all YubiKey 5 devices before version 5.7 (or version 5.7.2 for the Bio series and version 2.4.0 for YubiHSM 2) will live with this vulnerability for a lifetime. However, later models are not affected by this vulnerability as they do not use the Infineon crypto library.