by consp 3156 days ago
Because it is a clever way of not considering MITM but man-in-the-machine (which is almost the same in my opinion in the case of possible damage but has more attack vectors). Most companies consider MITM an external compromise since the malicious actor is not on the machine itself or no longer has access to the machine(s).

Even most 'dedicated' systems do NOT have a direct link to the input terminals most of the time, since they are simple USB keypads. Some smartcard readers for PC have PIN pads, but this is rarely the case and they are way more expensive than a keyboard and a regular reader. The normal way is to process transaction data through the HSM and on to the terminal, after which the user has to see/check (on the terminal) whether the data is correct. This is how the better (not best) bank transaction verifiers work. A secure connection to the PIN pad/terminal can be and has been set up (either in advance, via a pre-known mechanism, or ad hoc), but there are some attack vectors there as well.

HSMs are not "MITM proof"; the system at large has to be. Using an HSM does not give you MITM proofness, but it makes sure the old-fashioned 'steal the private key and act like nothing happened' won't happen. Stupid design choices or even a simple "call them and ask for a new intermediary certificate" sometimes cause more harm. Your CA root/CSP keys are safe, but you are still screwed. Unless you steal the USB drive, of course. There are still other ways to do a MITM, though.

The main advantage is for small and medium businesses: they won't have to buy hugely expensive Ethernet/PCIe HSMs from the known companies, which are hugely overpriced (I have several on my desk and they range from 1-2K to 10K+, and those are the cheap ones). It also helps with some legal compliance if YubiCo can get it FIPS 140-2 approved (which I doubt).

Considering they made it small, I guess they need to provide some form of duplication/backup since people are going to lose them.
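The point made above, that an HSM keeps the key safe but signs whatever a compromised host hands it unless a terminal with its own display lets the user check the data first, as an added simulation (not code from the thread or from any product). The `Hsm` class, the HMAC stand-in for a real signing key, and the transaction encoding are all constructed for this example.

```python
"""Simulated HSM versus a "man in the machine" on the host PC (added example)."""
import hashlib
import hmac
import secrets


class Hsm:
    """Minimal HSM model: the key is generated inside and never exported."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed key, stays in the object

    def sign(self, data: bytes) -> bytes:
        # HMAC-SHA256 stands in for the asymmetric signing a real HSM would do.
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def encode_tx(recipient: str, amount: int) -> bytes:
    """Constructed wire format for a payment instruction."""
    return f"to={recipient};amount={amount}".encode()


def compromised_host(hsm: Hsm, recipient: str, amount: int) -> tuple[bytes, bytes]:
    """Malware on the PC substitutes the recipient before the HSM sees the data.
    The attacker never touches the key; the HSM signs what it is given."""
    tampered = encode_tx("ATTACKER-ACCOUNT", amount)  # constructed value
    return tampered, hsm.sign(tampered)


def user_confirms(intended: bytes, displayed: bytes) -> bool:
    """What a PIN pad / terminal with its own display adds: the user compares
    the data the HSM is about to sign against what they meant to send."""
    return intended == displayed


def run_scenario() -> dict:
    hsm = Hsm()
    intended = encode_tx("ACME-SUPPLIER", 1500)  # constructed transaction
    signed, sig = compromised_host(hsm, "ACME-SUPPLIER", 1500)
    return {
        "signature_valid": hsm.verify(signed, sig),          # HSM did its job
        "signed_what_user_meant": signed == intended,        # but not the user's tx
        "caught_on_trusted_display": not user_confirms(intended, signed),
    }
```

Run `run_scenario()`: the signature is valid, yet it covers the substituted transaction, and only the trusted-display check exposes the swap.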


An ideal HSM serves only one purpose: store secrets (private keys/passwords) and give specific access (sign/spend/login).

> Most companies consider MITM an external compromise since the malicious actor is not on the machine itself or has no-longer access to the machine(s).

Securing HSM+laptop is impossible compared to HSM. If the laptop is secure, why even need an HSM?

> Even most 'dedicated' systems do NOT have a direct link to the input terminals most of the times since they are simple usb keypads. Some smartcard readers for PC have pin-pads but this is rarely the case and they are way more expensive than a keyboard and a regular reader.

If the USB keypad is not connected to a network and not attacked by an evil maid, HSM+USB keypad is still secure. But a laptop is a complex system, always connected to the internet, and has loosely regulated physical access.

> HSMs are not "MITM proof", the system at-large has to be.

Again, if the whole system is secure, why need an HSM?

If the user satisfies a few conditions of using an HSM, such as being rubber-hose-attack proof, the secrets MUST be secure regardless of how insecure the larger system is.