Yubico is replacing for free YubiKey FIPS devices due to security weakness

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions.

Yubico is replacing YubiKey FIPS security keys due to a serious issue that flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices.

The security advisory published by the company states that the issue impacts YubiKey series devices running versions 4.4.2 and 4.4.4 of the firmware. The weakness impacts PIV smart card applications, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP. Nano FIPS, C FIPS and C Nano FIPS devices are also impacted by the weakness.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” reads the advisory published by Yubico.

“The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases.”

Some YubiKey FIPS applications leverage on ransom values that contain reduced randomness for the first operations performed after devices power-up.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” continues the advisory.

Yubico discovered the flaw in March and addressed it with the release of the firmware version 4.4.5 that was certified at the end of April.

At the time, there is no news of attacks exploiting the issue in the wild.

Yubico is contacting its customers to inform them of the free device replacement. The company said that most of the affected security keys have already been replaced or are in the process of being replaced.

People who bought their devices from a reseller should contact them and ask for the drives replacement.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Yubico, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.