Security Tool YubiKeys Recalled Over Firmware Flaw

YubiKey security key OTP key

Yubico is recalling its line of YubiKeys, tools used for two-factor authentication that generate one-time passcodes and used by thousands of federal government employees (via Engadget).

YubiKeys Firmware Flaw

YubiKey FIPS Series keys with firmware versions 4.4.2 and 4.4.4 have a flaw that reduces the randomness of the one-time passcodes they generate. According to Yubico, it happens after the YubiKeys turn on. A bug keeps “some predictable content” inside the keys’ data buffer.

Don’t miss the best of The Mac Observer

Set us as a preferred source and our Apple reporting ranks higher in your Google Search results and Discover feed — one tap, no account changes.

Or get it by email

Yubikeys

YubiKeys with elliptic curve digital signal algorithm (ECDSA) are particularly vulnerable. 80 out of the 256 generate bits don’t change, meaning an attacker who gets access to several signatures could recreate the private key. All affected customers will get a replacement key.

Further Reading:

[Google Builds HTTPS Directly Into Top Level Domains]

[AdGuard 3 Brings DNS Privacy, 250,000 Filter Rules, Premium Features]

Discussion

Join the discussionCommenting as a guest — your email is never published · Log in

Protected by Akismet — be kind, stay on topic.

This site uses Akismet to reduce spam. Learn how your comment data is processed.