• @jqubed
    4 months ago

    It doesn’t affect their newest keys, but you can’t upgrade an older key to fix it:

    All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

    • 🖖USS-Ethernet
      4 months ago

      Which is why I’m now questioning why I even bought them to begin with. Any time a security flaw is found I need to spend another $50-60. Seems crazy and wasteful.

      • @jqubed
        4 months ago

        Reading the article I think most people don’t need to worry about upgrading because of this flaw; this would be a very targeted attack. And I can understand not letting the firmware upgrade; I’m pretty sure I’ve seen examples of nation-state hacks for phones that involve attackers installing an “upgraded firmware” that disables security protections to access otherwise secured info. But yeah, cost is definitely a risk with this design.