According to a recent Yubico security advisory, YubiKey FIPS Series devices running firmware 4.4.2 and 4.4.4 have reduced randomness, making them more vulnerable to compromise.
YubiKey has stated that keys or signatures generated on devices running firmware 4.4.2 and 4.4.4 can contain as many as 80 predictable bits. With keys being as short as 256 bits, this could make for a significant drop in randomness. So far, four devices are affected by the flaw: YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS.
Getting Hacked is Still Not Easy
When describing the specifics of how this reduced randomness could be used to cause harm to affected users, Yubico notes that an attacker would need to either gain access to a device connected to the FIDO U2F device or leverage a TLS vulnerability.
To use this flaw to bypass U2F security measures, the attacker would then need to capture several signed responses from a compromised computer, which could then be used to recompute “the private key created for this specific Relying Party registration.” After retrieving the username and password for the website the YubiKey holder was trying to access, the attacker could then sign authentication requests using the previously obtained key, without needing access to the holder's YubiKey device.
Similar scenarios are also possible with OATH one-time passwords and OpenPGP-based authentication, with the vulnerability greatly reducing the security of these on affected devices.
Cryptocurrency Traders Beware
Although the YubiKey isn’t explicitly designed as a cryptocurrency storage device, its utility as a two-factor authentication stick has made it a favorite of cryptocurrency holders looking to better protect their online wallets.
With Bitfinex, Coinbase and Gemini being just a few of the cryptocurrency exchanges that support FIDO U2F, it is likely that more than just a few cryptocurrency holders may be vulnerable.
With YubiKey devices being used by governments, corporations and thousands of individuals worldwide, it remains to be seen whether there will be any fallout as a result of the vulnerability.
However, YubiKey estimates that the majority of vulnerable devices have either been replaced or are in the process of being replaced under its active key replacement program, and notes that it is not aware of any security breaches arising from the flaw.
If you have an affected device, you will be able to order a replacement using the official YubiKey replacement portal.