
YubiKey Two-Factor Authentication Devices Recalled After Vulnerability Discovered, Exchange Users Beware

Updated by Adam James
According to Yubico's recent security advisory, YubiKey FIPS Series devices running firmware 4.4.2 and 4.4.4 have reduced randomness, making them more vulnerable to compromise.
YubiKey has stated that keys or signatures generated on devices running firmware 4.4.2 and 4.4.4 can contain as many as 80 predictable bits. With keys being as short as 256 bits, this could make for a significant drop in randomness. So far, four devices are affected by the flaw: YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and the YubiKey C Nano FIPS.


Getting Hacked is Still Not Easy

When describing how this reduced randomness could be used to harm affected users, Yubico notes that an attacker would need to either gain access to a device connected to the FIDO U2F device or leverage a TLS vulnerability. To use this flaw to bypass U2F security measures, they would then need to capture several signed responses from a compromised computer, which could then be used to recompute “the private key created for this specific Relying Party registration.” After retrieving the username and password of the website the YubiKey holder was trying to access, the attacker could then sign authentication requests using the previously obtained key without needing to access their YubiKey device. Similar scenarios are also possible with OATH one-time passwords and OpenPGP-based authentication, whose security the vulnerability greatly reduces on affected devices.


Cryptocurrency Traders Beware

Although the YubiKey isn’t explicitly designed as a cryptocurrency storage device, its utility as a two-factor authentication stick has made it popular with cryptocurrency holders looking to better protect their online wallets. With Bitfinex, Coinbase and Gemini being just a few of the cryptocurrency exchanges that support FIDO U2F, it is likely that more than just a few cryptocurrency holders may be vulnerable. With YubiKey devices being used by governments, corporations and thousands of individuals worldwide, it remains to be seen whether there will be any fallout as a result of the vulnerability.

However, YubiKey estimates that the majority of vulnerable devices have either been replaced or are in the process of being replaced under its active key replacement program, and notes that it is not aware of any security breaches arising from the flaw. If you have an affected device, you will be able to order a replacement using the official YubiKey replacement portal.

What do you think is the most secure 2FA method? Let us know your thoughts in the comments below!

Daniel Phillips
After obtaining a Masters degree in Regenerative Medicine, Daniel pivoted to the frontier field of blockchain technology, where he began to absorb anything and everything he could on the subject. Daniel has been bullish on Bitcoin since before it was cool, and continues to be so despite any evidence to the contrary. Nowadays, Daniel works in the blockchain space full time, as both a copywriter and blockchain marketer.