fid02 Oh, would this have been patchable with a simple firmware upgrade?
It sounds that way to me.
fid02 I see claims on the internet that having upgradable firmware on a security key would pose a security risk in that an attacker could socially manipulate you into flashing a fake firmware upgrade.
If firmware updates were properly signed and versioned that wouldn't work. That is the approach Google took with Pixels.
But adding a firmware update path would add cost and risk: it would be more code, which itself might contain exploitable bugs.
It seems Yubico decided the additional cost and risk were high compared to the benefit. Unlike Pixels, the devices are not all that expensive, so replacing them is not that unreasonable... except for one little issue.
Right now lots of people probably want to replace a Yubikey or two or three... but if Yubico can't produce them infinitely fast, a lot of people may need to wait in line. If Yubico were one small manufacturer among many, and if organizations supported keys made by lots of manufacturers, that might not be a problem. But this might be a bit of a crunch situation.
Luckily the attack (as understood so far) seems laborious and in-person and appears to work only after a user's other credentials are blown.