Yubico announced today that it will replace its security keys because of a firmware flaw that can reduce the randomness of cryptographic keys generated by its devices.
Affected devices include those from the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks under FIPS, the Federal Information Processing Standards of the US government.
According to the Yubico security advisory published today, devices of the YubiKey FIPS Series that run firmware versions 4.4.2 and 4.4.4 contain a flaw that leaves “some predictable content” inside the device’s data buffer after the power-up operation.
This “predictable content” influences the randomness of cryptographic keys generated on the device for a short period after boot-up, until the “predictable content” is used up completely and only truly random data is present in the data buffer.
This means that for a short period after booting up, affected YubiKey FIPS Series devices running versions 4.4.2 and 4.4.4 will generate keys that can be recovered either partially or completely. How much can be recovered depends on the cryptographic algorithm the key is used with for a particular authentication operation.
You may be wondering about version 4.4.3. Yubico never released that version; it skipped from 4.4.2 to 4.4.4. For now, Yubico is advising owners of YubiKey FIPS Series devices to check the firmware version of their key and, if it is an affected one, to sign up for the replacement on its portal. It also said that customers would soon receive the corrected version of the YubiKey FIPS Series, which is version 4.4.5.
It’s not a big deal, but it’s also not something to ignore. The chances of an attacker exploiting this vulnerability are quite low, as they would first have to intercept the authentication operations and then decrypt the rest of the cryptographic key, along with many other complex operations. Still, it’s advised not to take any chances, especially if these keys are used in highly sensitive networks. Yubico is the second company, after Google, to offer a replacement after the discovery of a bug in its security keys.