Session

YubiWorm: Turning a Trusted YubiKey into a Propagating Worm

Hardware security tokens like YubiKeys are trusted worldwide as a gold standard for authentication. But what happens when trust becomes an attack vector? This talk introduces YubiWorm, a proof-of-concept experiment that transforms a seemingly secure YubiKey into a propagating worm capable of spreading across systems via HID injection and OTP/static password abuse.

We’ll walk through the design, payload delivery mechanism, and propagation strategy, showing how a simple reprogramming of a YubiKey can weaponize it into a stealthy USB-borne worm. Attendees will learn:
• How security tokens interact at the OS level.
• The dual-use potential of HID/OTP features for persistence and propagation.
• Why hardware trust boundaries are fragile without layered defenses.

Jordan Lanham

President, Cyber Saguaros (University of Arizona)

Tucson, Arizona, United States
