So, we recently had a bunch of articles coming out on "the fundamental insecurity of USB" [1]. How does that jibe with a USB-based security key? Can't this be "flashed" like any other USB device?
The insecurity relates to the problem with allowing random USB devices to be plugged into a computer. Specifically, it points out that, even if you wipe a USB stick, you still can't trust that it's safe.
The devices that Google is referring to should be inherently safe. If you don't trust the supplier of these devices then yes, that's an issue. But, in theory, you receive these from a trusted source. As long as the device doesn't leave your possession, you're ok.
Edit: I should add that I didn't quite summarize the vulnerability correctly. If you plug a trusted USB device into an untrusted computer, you also have the potential for attack. If the USB device can be made writable, the computer can infect the USB device, propagating malware forward. I _assume_ that these security keys are made read-only before they leave the factory, but vulnerabilities can be found in the darnedest of places!
"Read-only" is a property of flash memory in a USB thumb drive.
The nasty USB vulnerability covered recently infects the chip firmware, which can always be re-flashed (indeed, that's how the firmware got there in the first place). And it affects all USB devices, not just thumb drives.
The only way to make a USB peripheral safe from this attack is to engineer some sort of fuse that can be burned after the final firmware flash (so it can't ever be re-flashed), or cryptographically sign the firmware so it can't be re-flashed without the private key.
Until Google says their security key has one or the other of these, I personally would not trust it.
Setting parameters in the device is different than replacing the firmware. The attack requires replacing the firmware. As far as I know, YubiKeys have never been able to update firmware after they've left the factory. In the forums you will see Yubico people offering to swap devices because of problems related to outdated firmware.
I think the takeaway is that all the devices are read-only except the Neo, and the Device Firmware Upgrade (DFU) implementation on the Neo "requires the new firmware image to be signed by [yubico]. Yubico does not endorse nor support use of DFU for users".
The Neo also has javacard capability that lets you load applets. In the latest devices, unless you purchase the developer editions, the javacard apps cannot be updated.* Older Neos allowed you to build and load your own javacard apps.
* I'm not entirely sure about whether in the latest Neos the javacard apps can be updated to new official signed YubiKey versions or whether the javacard apps cannot be updated at all...
The important part is you can't read your private key out, nor update the firmware to something that allows you to read the private key out. The customization you can do is unrelated.
That's really about the "fundamental insecurity" of a few low-end USB chips. Obviously a device whose entire purpose is security can't be reflashed with arbitrary compromised firmware.
You cannot verify that the key hasn't been altered.
Meaning that theoretically someone could steal your key, alter the firmware, turn it into a virtual hub and attach virtual keyboards/USB sticks which do nasty things.
However the same can be said for any electrical device you carry. If you carry your laptop through a US border they can seize it for almost no reason, and attach things to the PCI bus directly internally (see the NSA's foreign intelligence catalogue for numerous examples).
The USB security issues are just fun ones to exploit (relatively easy, with great results). No firmware is REALLY verifiable (e.g. baseband, CPU microcode, BIOS/UEFI, et al).
Ultimately it boils down to physical security of your electronics and buying anonymously (so devices cannot be intercepted before they're delivered to you).
[1]: https://www.schneier.com/blog/archives/2014/07/the_fundament...