Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

For FIPS sake!

Shaun Nichols in San Francisco Thu 13 Jun 2019  //  21:57 UTC

Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness.

The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, were prone to a reduced-randomness condition that could make their cryptographic operations easier to crack in some cases, particularly when the USB-based token is first powered up. That could be exploited by a miscreant to potentially authenticate as someone else.

"An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up," Yubico said in announcing the recall today.

"The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted."

Specifically, the recall covers the YubiKey FIPS, Nano FIPS, C FIPS, and C Nano FIPS models. The vulnerability was found to only exist in the FIPS Series of devices, so other YubiKey dongles are not affected by this particular blunder.

Newer devices running version 4.4.5 of the firmware are protected and will not need to be replaced: the security shortcoming is present in firmware versions 4.4.2 and 4.4.4.

"To safeguard the security of our customers, Yubico has been conducting an active key replacement program for affected FIPS devices (versions 4.4.2 and 4.4.4) since the issue was discovered and recertification was achieved," Yubico says.

"At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices."

Customers who have purchased their dongles directly from Yubico or its sales channel should have already heard from the company about getting a replacement sent out.

Those who bought their hardware from a reseller, or received it from their IT department, should get in touch with those people about having their drives swapped out. ®
Send us news
14 Comments

Sleuths who cracked Zodiac Killer's cipher thank the crowd

Fifty-one years of community contributions, software, and clever cryptanalysis contributed

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

In what other sphere does a bad supplier not feel pain for its foulups?

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Cisco creates architecture to improve security and sell you new switches

Hypershield detects bad behavior and automagically reconfigures networks to snuff out threats

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

While some other LLMs appear to flat-out suck

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software

H-1B visa fraud alive and well amid efforts to crack down on abuse

It's the gold ticket favored by foreign techies – and IT giants suspected of gaming the system

Japanese government rejects Yahoo<i>!</i> infosec improvement plan

Just doesn't believe it will sort out the mess that saw data leak from LINE messaging app

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Go, go InSpectre Gadget

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Out of the PAN-OS and into the firewall, a Python backdoor this way comes

French issue <em>alerte rouge</em> after local governments knocked offline by cyber attack

Embarrassing, as its officials are in the US to discuss Olympics cyber threats

Fire in the Cisco! Networking giant's Duo MFA message logs stolen in phish attack

Also warns of brute force attacks targeting its own VPNs, Check Point, Fortinet, SonicWall and more