Yubico is recalling its line of YubiKeys, tools used for two-factor authentication that generate one-time passcodes and used by thousands of federal government employees (via Engadget).
YubiKeys Firmware Flaw
YubiKey FIPS Series keys with firmware versions 4.4.2 and 4.4.4 have a flaw that reduces the randomness of the one-time passcodes they generate. According to Yubico, it happens after the YubiKeys turn on. A bug keeps “some predictable content” inside the keys’ data buffer.
YubiKeys with elliptic curve digital signal algorithm (ECDSA) are particularly vulnerable. 80 out of the 256 generate bits don’t change, meaning an attacker who gets access to several signatures could recreate the private key. All affected customers will get a replacement key.
Further Reading:
[Google Builds HTTPS Directly Into Top Level Domains]
[AdGuard 3 Brings DNS Privacy, 250,000 Filter Rules, Premium Features]