
> - Cryptocurrency hardware wallets like Ledger and Trezor

Ledger hardware wallets (which btw can serve as U2F authentication but, AFAIK, not FIDO2) are protected by a PIN: three wrong PINs and the device, unlike a Yubikey, factory resets itself.

IIUC the side-channel attack relies on a non-constant-time modinv.

I don't know if there's a way to force that modinv to happen on a Ledger without knowing the PIN. I take it we'll have a writeup by Ledger on that attack very soon.
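What "non-constant-time modinv" means in practice, as an added example that is not part of the comment above or of any vendor's firmware: extended Euclid runs a number of iterations that depends on the value being inverted, while Fermat inversion follows a sequence fixed by the public modulus. The prime `P`, the function names and the sample inputs are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

#define P 2147483647u /* 2^31 - 1: small demo prime (constructed), not a real curve order */

typedef struct { uint32_t inv; unsigned steps; } inv_result;

/* Extended Euclid: the number of loop iterations depends on the value inverted. */
inv_result modinv_euclid(uint32_t a)
{
    int64_t r0 = P, r1 = a % P, t0 = 0, t1 = 1, q, tmp;
    inv_result out = { 0, 0 };
    while (r1 != 0) {
        q = r0 / r1;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
        out.steps++;
    }
    if (r0 == 1) /* otherwise a == 0 mod P and inv stays 0 (no inverse) */
        out.inv = (uint32_t)(t0 < 0 ? t0 + P : t0);
    return out;
}

/* Fermat inversion a^(P-2) mod P: loop count and branch pattern are fixed by
   the public modulus, never by a. */
inv_result modinv_fermat(uint32_t a)
{
    uint64_t acc = 1, base = a % P;
    uint32_t e = P - 2;
    inv_result out = { 0, 0 };
    for (int i = 30; i >= 0; i--) { /* P - 2 has 31 significant bits */
        acc = acc * acc % P;
        if ((e >> i) & 1)
            acc = acc * base % P;
        out.steps++;
    }
    out.inv = (uint32_t)acc;
    return out;
}

int main(void)
{
    uint32_t samples[] = { 1, 2, 65537, 1234567 }; /* constructed inputs */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        inv_result e = modinv_euclid(samples[i]), f = modinv_fermat(samples[i]);
        printf("a=%u euclid=%u (%u steps) fermat=%u (%u steps)\n", samples[i], e.inv, e.steps, f.inv, f.steps);
    }
    return 0;
}
```

The fixed step count only removes the input-dependent loop; production code also needs the multiplication and reduction themselves to be constant-time.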



Yubikeys don’t use a PIN by default, but at least the ones I use all have the option to set one.


Whether a PIN is used is determined by the RP on a per-authentication basis, so unfortunately this attack likely breaks that mechanism.


> Whether a PIN is used is determined by the RP on a per-authentication basis

Ahem, cough...

    ykman fido config toggle-always-uv


Does that work for Yubikeys other than the Yubikey Bio?


I just tried it on a 5C NFC (firmware 5.4.3) and got:

    ERROR: Always Require UV is not supported on this YubiKey.

So I'm really not sure this is an option for non-Bio keys, unless it was introduced quite recently.



