Search results

I’m trying to make sure I understand what this means. In particular, when targeting a device (employing FBE) in a locked AFU state, does a FFS extraction necessarily mean you’re getting the decrypted files? Or might they still be encrypted?

That's correct. And as Beth noted, the ACIP already had been recommending the MMR and varicella vaccines through separate vaccinations over the combined version. That goes back to 2009. I think a lot of people are confused. I was at first.

The ACIP can always issue that as a recommendation, but neither the ACIP nor the CDC has the authority to make that a legal requirement. But, the language that went through probably avoids problems in states that only allow ACIP-recommended vaccines to be administered by pharmacists without a...

Are you sure about this? CHIP has to fully cover all ACIP-recommended vaccines, but I don't see anything that says they're not allowed to also cover other approved vaccines.

After having a bit of a panic attack after reading this article, I decided to assume my understanding was wrong and I looked for other sources. And luckily those confirmed my initial understanding was wrong. The ACIP didn't remove their recommendation for the MMR vaccine or the varicella...

You don't need clocks synced between the GPU and the verification server because you wouldn't trust a clock on the card. Instead the verification server would require the cards to respond to remote requests in a very short period of time- short enough that the propagation delay at the physical...

Let's suppose all of that is practical and can be implemented in a way that cannot be bypassed (neither of which is likely, particularly the latter). GPS spoofing costs about $100. Hardly an impediment to organizations buying large quantities of several-thousand-dollar compute cards.

Once you clone the key you don't need to know the PIN. The PIN is only verified by the Yubikey. You're going to need to inject the extracted key in your own FIDO token-- either a USB token running custom firmware or a software-based one. Your custom implementation can set the PIN to whatever...

Interesting. I ran some tests on this. Even if "UV=Required" during WebAuthn registration, it doesn't get called if the server sends UV=Discouraged in the getAssertion request. So user verification doesn't really help here because the attacker can just bypass it by setting UV=Discouraged.

Fair. My background makes me a bit biased. ROCA hit us fairly hard (not just yubikeys), and even without these vulnerabilities, getting organizational support to deploy Yubikeys has always been an uphill battle due to the cost.

Even something more powerful than a FIDO security key wouldn't be able to do much more. Ostensibly you could imagine the WebAuthn request being signed by, e.g., Google.com, and verified by the security key, but the problem is that the security key itself doesn't know if your browser is really...

You might think they're just scanning the main page of the passsport when they're also reading off the NFC chip.

This is a smart card chip. It gets used on different devices, including smart cards, identity documents, TPMs, and Yubikeys. And yes, this is a well-known vulnerability. In particular, the extended euclidean algorithm ranks pretty high on the list of mathematical algorithms you'd want...

You're comparing a hypothetical attack (a bootloader/firmware vulnerability allowing key extraction) to this single SCA vulnerability, ignoring other potential vulnerabilities whose impact could be mitigated with firmware updates. Again, the ROCA vulnerability on Yubikey 4s is a real-world...

Manufacturers and vendors are always going to make assumptions and decisions about the threat models that they're intending to guard against. But in this case, Yubico and Infineon have always been pretty clear that their intended threat model included physical access to the chip. And they...

w E-passports have NFC chips embedded in the cover or in a special page. They still look like paper passports. You probably have one if you live in the western world.

The underlying vulnerability isn't unique to FIDO2. Earlier FIDO U2F security keys would be more vulnerable to this kind of attack because of a lack of user verification at signing time (though, UV isn't always required in FIDO2 flows, either).

Well, I certainly have more confidence in basic signed update and zeroization functions than I do SCA-free crypto implementations. But it would certainly be fair to say the realities of mounting a successful side channel attack may not be a rational threat model for most people. The thing is...

Side channel vulnerabilities are unfortunately common. And this isn't even the first time Yubico has been affected by an Infineon vulnerability-- look up the ROCA vulnerability for an earlier example. And I bet a lot of those (unpatchable) yubikeys are still in use because $50/unit isn't...

Adding active authentication to passports doesn't help a tremendous amount. The US doesn't bother, and that isn't likely to change anytime soon. Sure, it means someone can clone the NFC chip data, but that data- including the photo- is digitally signed by the issuer. You can't change the data or...