Yubico / ykneo-oath

OATH App for the YubiKey NEO
https://developers.yubico.com/ykneo-oath/
GNU General Public License v3.0

Unauthenticated reset via NFC? #10

Closed darconeous closed 10 years ago

darconeous commented 10 years ago

I haven't tried this, so this is purely theoretical, but...

It looks to me like the reset command could be easily sent via NFC. This could be a potential denial-of-service attack, as I could be sitting next to someone and they could, without my knowledge, wipe my OATH credentials.

This sort of attack doesn't just apply to this applet, of course --- it also applies to the PIV applet as well... But it seems unsettling that someone could render the device useless without even touching it. I often have my keys worn on my belt to my side, and I have a lot of credential information in the key that would be somewhat awkward to recover if wiped.

One way to avoid this would be to require a serial number to wipe, but this would only work if the serial number couldn't be retrieved via NFC, which it likely could be.

dainnilsson commented 10 years ago

While this is theoretically possible, it's not a very practical attack. You have to get REALLY close for this to work, and it's a pretty targeted attack (attacker needs to specifically target wiping ykneo-oath credentials). We recommend storing backups of the QR codes containing the credentials in a safe location, so that you can restore these at a later point. It's probably more likely that you'll lose your device than that an attacker will sneak up next to you with a hidden antenna to zap your credentials, so keeping a backup is good practice anyway. Note that if you lose your key it is recommended to reset any credentials lost with it, to prevent them from falling into the wrong hands. If attackers actually start exploiting the zap command like this in the wild we may reconsider, but for now we're going to leave it as is.