Security Tool YubiKeys Recalled Over Firmware Flaw


Yubico is recalling its line of YubiKeys, the two-factor authentication tokens that generate one-time passcodes and are used by thousands of federal government employees (via Engadget).

YubiKeys Firmware Flaw

YubiKey FIPS Series keys with firmware versions 4.4.2 and 4.4.4 have a flaw that reduces the randomness of the one-time passcodes they generate. According to Yubico, it occurs after the key powers on: a bug leaves “some predictable content” inside the key’s data buffer.

YubiKeys using the Elliptic Curve Digital Signature Algorithm (ECDSA) are particularly vulnerable. 80 of the 256 generated bits never change, meaning an attacker who gets access to several signatures could recreate the private key. All affected customers will get a replacement key.
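To make concrete why fixed bits in a signing nonce put the key at risk, here is the standard ECDSA relation written out; this is an added explanation, not part of the original article, and the symbols below are the usual ECDSA notation rather than anything Yubico published.

Let $n$ be the curve order, $d$ the private key, $z$ the message hash, $k$ the per-signature nonce, and $(r, s)$ the signature. ECDSA computes

$$ s = k^{-1}(z + r d) \bmod n, $$

which rearranges to

$$ d = r^{-1}(s k - z) \bmod n. $$

So anyone who learns the full nonce $k$ of a single signature learns the private key outright. In the flaw described above $k$ is not fully known, but 80 of its 256 bits are the same in every signature. Writing $k_i = c + k_i'$, where $c$ is the contribution of the fixed bits and $k_i'$ the remaining 176 unknown bits of the $i$-th signature, each signature yields a relation

$$ k_i' \equiv s_i^{-1} z_i + s_i^{-1} r_i \, d - c \pmod n $$

in which $d$ and $c$ are the same for every signature and, when the fixed bits occupy the high-order positions, each $k_i'$ is far smaller than $n$. A system of such relations with one shared secret and many small unknowns is an instance of the hidden number problem, which is why a collection of signatures, rather than any single one, is enough to reconstruct $d$. That is also why replacement rather than a software workaround is the remedy: once the key material itself is recoverable, rotating the one-time passcodes it produces does not help.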
