Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness.
The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, were prone to a reduced-randomness condition that could make their cryptographic operations easier to crack in some cases, particularly when the USB-based token is first powered up. That could be exploited by a miscreant to potentially authenticate as someone else.
"An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up," Yubico said in announcing the recall today.
"The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted."
Specifically, the recall covers the YubiKey FIPS, Nano FIPS, C FIPS, and C Nano FIPS models. The vulnerability was found to only exist in the FIPS Series of devices, so other YubiKey dongles are not affected by this particular blunder.
Newer devices running version 4.4.5 of the firmware are protected and will not need to be replaced: the security shortcoming is present in firmware versions 4.4.2 and 4.4.4.
"To safeguard the security of our customers, Yubico has been conducting an active key replacement program for affected FIPS devices (versions 4.4.2 and 4.4.4) since the issue was discovered and recertification was achieved," Yubico says.
"At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices."
Customers who have purchased their dongles directly from Yubico or its sales channel should have already heard from the company about getting a replacement sent out.
Those who bought their hardware from a reseller, or received it from their IT department, should get in touch with those people about having their drives swapped out. ®