tildelowengrimm
commented
5 years ago Yubico suggests that the most straightforward way to check for at-risk devices is https://github.com/Yubico/yubico-piv-tool/blob/master/lib/ykpiv.c#L1083 in their tool used to manage PIV applet on Yubikeys. It relies on the CCID interface being enabled and gets the firmware version by constructing and sending a single APDU command. They're also checking wether it may be possible to check for this the firmware version over the U2F or HID interfaces, because those have simpler dependencies.
This morning, Yubico announced a firmware bug in their FIPS series of Yubikeys. They are offering replacements for all affected devices.
As part of our role as a trustworthy agent for people browsing the web, we should let them know if they're attempting to use one of these affected devices. We shouldn't prevent the use of affected devices, just warn. It's unlikely that many people will be in this situation because of the ecosystem surrounding FIPS devices. This makes it a good test case for this class of notification — there are sure to be more in future.
We may also want to consider this same notification for Feitian's security vulnerability with their Bluetooth-enabled keys. Though we's only be able to detect them when used via USB.