Hello, so I’m new here and do not frequent forums very often so please bear with me…
I believe that the person I should be tagging in this post is @t11 as you seem to be the person to talk to around here.
I wanted to make you/the OnlyKey Team aware of a video I found on YouTube while looking for reviews of the OnlyKey. The video in question quickly glances over a MITM attack on/against the OnlyKey.
The link to the video that I’m talking about can be found here:
I want to know if:
1.) The OnlyKey Team was aware of this?
2.) Has this vulnerability been patched yet?
3.) Are there any other vulnerabilities affecting the OnlyKey that I, and anyone else, should be made aware of?
Yes, the creator of that video sent me a message when it came out. It is not a vulnerability, as, given root access to any computer, you can modify the USB traffic between a USB device and the computer. This applies to FIDO2 security keys, USB drives, everything that is USB: given root access, you can conduct a MITM attack to modify any and all communication between device and host. There is no patch, as given root/admin access you can access all modes of communication of all USB devices. Here is another example: given root/admin access, you could make a video showing, say, a Yubikey or other FIDO2 device being sent a rogue FIDO2 authentication request from an attacker’s remote computer. Another example would be to send a sign/decrypt request to an unlocked smart card.
Ah, so this is just demonstrating manipulation of the USB protocol in order to undertake offensive tasks on the target hardware.
Well, I’m glad you’re already aware of this, even if nothing can be done about it due to it being a flaw with any device with privileged user access against any & all potential hardware platforms of every kind.
This is correct, and it’s not just USB devices either. If someone has root/admin access to any device, there are many ways that account compromise could occur. When thinking through a threat model, you would probably want to look at low-hanging fruit first, as an adversary is more likely to exploit the easier things. For example, you would not even need to compromise the user’s credential, as with access an adversary could hijack a user’s logged-in active browser sessions, install a malicious browser plugin, install a malicious browser, etc.