I saw people talking about putting their Bitcoin keys in yubikeys not even 2 weeks ago… nostr:note1704j6qaly6kxssg59trza396yzluaym5alkxv2kppk5px63grwuqx4a77f
that’s so fucking dumb 😭
It's actually very clever. Lots of people use yubikeys for their jobs so using it as part of a multisig setup gives you plausible deniability: "That's not a hardware wallet that's what I use to sign in to github." It also improves your anonymity set: "Sorry officer, I don't know what you're talking about. I don't even own one of these 'hard wallets' or whatever you called it."
Casa recently added yubikey support. https://blog.casa.io/secure-your-bitcoin-with-yubikey/ Casa supports firmware versions >= 5.5. This vulnerability exists for firmware versions < 5.7. Install Yubikey Manager to check your firmware version. https://www.yubico.com/support/download/yubikey-manager/
We only started shipping Yubikeys with version 5.7 so it's probably low likelihood someone brought their own 5.5 device.
Upon closer review it appears that the only Yubikeys with firmware version 5.5 were the Yubikey Bio, so I bet the total number of those in the wild is rather low.
First, they need physical access. Second, they need to know the PIN of the YubiKey. Still wouldn't put my private key on there, but no need to panic. Just remove the keys now and use a proper HWW.
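One of the posts above suggests installing YubiKey Manager to check which firmware a key runs, since the thread puts the affected range at < 5.7 and Casa's supported range at >= 5.5. The script below is an added example, not code from anyone in the thread, from Casa, or from Yubico. It reads the `Firmware version:` line that the `ykman info` command prints (that label is assumed from the YubiKey Manager CLI's output), compares the version numerically against both thresholds, and falls back to a constructed sample of `ykman info` output when no key is attached or `ykman` is not installed, so it runs offline.

```python
"""Classify a YubiKey firmware version against the thresholds named in the thread.

Added example, not from the thread, Casa, or Yubico. The "Firmware version:" label
is assumed to match what `ykman info` prints; everything else is self-contained.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

CASA_MINIMUM: Version = (5, 5)       # thread: Casa supports firmware >= 5.5
FIRST_UNAFFECTED: Version = (5, 7)   # thread: the vulnerability exists for firmware < 5.7

# Constructed sample of `ykman info` output for offline use. Real output carries
# more lines (serial, interfaces, form factor); only the firmware line matters here.
SAMPLE_YKMAN_INFO = """\
Device type: YubiKey Bio
Serial number: 12345678
Firmware version: 5.5.0
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO, CCID
"""

_FW_RE = re.compile(r"^Firmware version:\s*(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_firmware_version(ykman_info_output: str) -> Optional[Version]:
    """Return the firmware version as a tuple of ints, or None if the line is absent."""
    m = _FW_RE.search(ykman_info_output)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Component-wise numeric comparison. Missing trailing components count as 0,
    so (5, 7, 0) is not below (5, 7), and (5, 10) is above (5, 7), which a plain
    string comparison of "5.10" and "5.7" would get wrong."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(version: Version) -> dict:
    """Report whether the version is in Casa's supported range and in the affected range."""
    return {
        "version": ".".join(str(p) for p in version),
        "casa_supported": not version_lt(version, CASA_MINIMUM),
        "affected": version_lt(version, FIRST_UNAFFECTED),
    }


def assess_ykman_output(text: str) -> Optional[dict]:
    """Parse `ykman info` text and assess it; None if no firmware line was found."""
    version = parse_firmware_version(text)
    return assess(version) if version is not None else None


def assess_plugged_in_key() -> Optional[dict]:
    """Run `ykman info` against an attached key. Returns None when ykman is not
    installed or prints no firmware line (e.g. no key plugged in)."""
    if shutil.which("ykman") is None:
        return None
    proc = subprocess.run(["ykman", "info"], capture_output=True, text=True, check=False)
    return assess_ykman_output(proc.stdout)


if __name__ == "__main__":
    result = assess_plugged_in_key()
    source = "attached key"
    if result is None:
        result, source = assess_ykman_output(SAMPLE_YKMAN_INFO), "constructed sample"
    print(f"[{source}] firmware {result['version']}: "
          f"casa_supported={result['casa_supported']} affected={result['affected']}")
```

Running it with a key attached prints the assessment for that key; with nothing attached it assesses the constructed 5.5.0 sample, which lands inside Casa's supported range and inside the affected range, the exact combination the thread is worried about.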