This is the problem of the security model by obscurity, if they had opted for an open source model both in hardware and firmware (like Nitrokey) maybe they wouldn’t be having this problem.
I’m not sure I necessarily agree. Your assessment is correct, but I don’t really think this situation is security by obscurity. Like most things in computer security, you have to weight the pros and cons to each approach.
Yubico used components that all passed Common Criteria certification and built their product in a read-only configuration to prevent any potential shenanigans with vulnerable firmware updates. This approach almost entirely protects them from supply-chain attacks like what happened with ZX a few months back.
To exploit this vulnerability you need physical access to the device, a ton of expensive equipment, and an incredibly deep knowledge in digital cryptography. This is effectively a non-issue for your average Yubikey user. The people this does affect will be retiring and replacing their Yubikeys with the newest models ASAP.
For the price they charge, they should be made so that opening the case will destroy the contents. They could have at least potted them.
Physical anti-tamper, while important for this type of device, wouldn’t have helped for this particular attack. It’s an electromagnetic side channel, so they don’t even have to be touching the the thing to collect data.
If it was something that was not possible to patch , was it necessary to released to the world?
Absolutely. If you are the CISO in a place where security is a top priority with adversaries that may have access to the equipment and knowledge to exploit this, you will absolutely want to retire the keys ASAP and replace them with the new model that is not vulnerable to this.
