Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Yubico Replacing YubiKey FIPS Devices Due to Security Issue

Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength.

Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength.

In a security advisory published on Thursday, the company informed customers that the issue impacts YubiKey FIPS series devices running versions 4.4.2 and 4.4.4 of the firmware (version 4.4.3 does not exist), including Nano FIPS, C FIPS and C Nano FIPS devices. No other Yubico products appear to be impacted.

YubiKey FIPS series impacted by crypto flaw

“[Random] values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” Yubico said in its advisory.

“This issue occurs only during the power-up of the YubiKey FIPS Series, version 4.4.2 or 4.4.4. After the predictable content in the random buffer is consumed, the buffer will be filled with the intended full random number generator output, and all subsequent use of randomness will not be affected,” it added.

The issue impacts PIV smart card applications, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP.

The flaw was discovered internally by Yubico in mid-March and it was patched with the release of firmware version 4.4.5, which received FIPS certification on April 30. The vendor says it’s not aware of any incidents exploiting this weakness.

Yubico has actively reached out to customers to inform them of the free device replacement and says a majority of the affected security keys have already been replaced or are in the process of being replaced. Users who have not heard from the company have been advised to visit a replacement portal set up for this purpose.

The news comes just weeks after Google announced that it was replacing its T1 and T2 Titan Security Key dongles due to a misconfiguration in the Bluetooth pairing protocols.

Related: Support for FIDO2 Passwordless Authentication Added to Android

Related: Android’s Security Key Now Works with iOS Devices

Related: New Authentication Standard Coming to Major Web Browsers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.