I could probably think of more scenarios but I’m already sold on keeping it simple and keeping that attack vector off my laptop until I fully understand the implications. Could a nation state attacker do something that crafty with enough time and money? What do you think? (The answer is yes.) An even simpler option would be to get me to click on some link that somehow executes the command on my laptop via some form of malware. I never knew that the attacker just got one of my MFA codes from my Yubikey. I hit the button again and my request on the website goes through. I am sitting here thinking my key just didn’t work. Somehow that malware generates a programmatic request for a code just before I try to use my Yubikey for that web site and intercepts the code. Somehow the malware figures out when I visit a webpage that requires MFA and I’m about to click a button to allow access via my Yubikey. Let’s say I have this software installed on my laptop and somehow an attacker gets access to run commands on my laptop.

Potential attack scenario with the Yubico CLI on your laptop

The permissions granted to the user with permissions to assume a role used by a batch job will be limited to what the batch jobs require. I would notice that pretty quickly and use my access provided by an admin account and Yubikey to change settings as needed. They could also try to steal my phone or trick someone into giving up my SIM card. The one thing an attacker could do would be to try to trick me into entering an MFA token into a malicious application or website, but that same threat exists when using a Yubikey-generated token. Hopefully, since I don’t click or go to links on that phone, my attack surface is reduced. What about the attack surface of my phone and the ability to use that to obtain MFA codes? I use a separate phone for my authenticator app, which I don’t use to surf the web or install untrusted applications.
Hopefully the attacker never gets access to my laptop but I’d just like to rule out any possible attack paths until I investigate it further.

Attack Surface on a Phone With Virtual MFA

By installing the Yubico CLI on my laptop, an attacker who somehow obtains access to my laptop can use the commands in that CLI to do whatever that CLI can do.