Yubico recalls government-grade security keys due to bug

The flaw reduces the randomness of cryptographic keys.
Amrita Khalid, @askhalid
June 13, 2019
Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today warning of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduces the randomness of the cryptographic keys they generate. The security keys are used by thousands of federal employees on a daily basis, letting them securely log on to their devices by issuing one-time passwords.

The problem occurs after the security key powers up. According to Yubico, a bug leaves "some predictable content" in the device's data buffer, which can affect the randomness of the keys generated. Keys used for ECDSA signatures are the most exposed: 80 of the 256 bits produced by the key remain static, meaning an attacker who obtains several signatures could reconstruct the private key.
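To make the failure mode concrete from a defender's side, here is an added Python example (not Yubico's code and not taken from the advisory) that models a random source whose top 80 of 256 bits never change between outputs, alongside a simple self-test that a firmware or HSM QA harness could run over a batch of generated values to catch exactly this kind of defect. The 80-bit figure mirrors the article; the `buggy_rng` model and the sample sizes are constructed for illustration.

```python
"""Static-bit self-test over a batch of 256-bit random values.

Added example. It simulates the failure mode described in the article
(80 of the 256 bits of each ECDSA nonce are identical across outputs)
and shows a cheap batch check that flags it. It is a constructed model,
not Yubico's firmware or the advisory's own analysis.
"""
import secrets

NONCE_BITS = 256
STATIC_BITS = 80  # constructed to mirror the article's "80 of 256 bits"


def good_rng(n):
    """Healthy source: every bit of every output is fresh."""
    return [secrets.randbits(NONCE_BITS) for _ in range(n)]


def buggy_rng(n, static_value=None):
    """Constructed model of the flaw: the top 80 bits are fixed for the
    whole batch (stale buffer content), only the low 176 bits vary."""
    if static_value is None:
        static_value = secrets.randbits(STATIC_BITS)
    prefix = static_value << (NONCE_BITS - STATIC_BITS)
    return [prefix | secrets.randbits(NONCE_BITS - STATIC_BITS) for _ in range(n)]


def static_bit_positions(values, width=NONCE_BITS):
    """Return the bit positions (0 = least significant) that hold the same
    value in every element of `values`.

    A bit is static if it is 1 in all values (survives the AND of all
    values) or 0 in all values (absent from the OR of all values)."""
    if not values:
        raise ValueError("need at least one sample")
    mask_all = (1 << width) - 1
    and_all = mask_all
    or_all = 0
    for v in values:
        and_all &= v
        or_all |= v
    static = and_all | (~or_all & mask_all)
    return [i for i in range(width) if (static >> i) & 1]


def passes_static_bit_check(values, width=NONCE_BITS, tolerance=0):
    """True when no more than `tolerance` bit positions are frozen.

    With a few hundred samples from a healthy source, the chance of any
    single bit being frozen by accident is about 2 * 2**-samples, so a
    tolerance of 0 is safe for batches of 64 or more."""
    return len(static_bit_positions(values, width)) <= tolerance


if __name__ == "__main__":
    batch = 200
    healthy = good_rng(batch)
    broken = buggy_rng(batch)
    print("healthy source frozen bits:", len(static_bit_positions(healthy)))
    print("buggy source frozen bits:  ", len(static_bit_positions(broken)))
    print("healthy passes:", passes_static_bit_check(healthy))
    print("buggy passes:  ", passes_static_bit_check(broken))
```

The check is deliberately simple: it cannot see subtler biases (correlated bits, short cycles), but it catches the case the article describes, where a fixed region of the output never changes. For ECDSA specifically, even a partially frozen nonce is fatal, because the nonce must be fully unpredictable for every signature; this is why a batch test like this belongs in the self-test a device runs before it signs anything.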

Fortunately, affected customers will receive a replacement key. This isn't the first time a security-key vendor has issued such a recall: Google earlier this year recalled some Titan security keys after finding a Bluetooth vulnerability.
