

Yubikey NEO OpenPGP private key operations can be accessed without PIN - mortenlarsen
https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html

======
zhovner
My key is 1.0.8 firmware

    
    
        /usr/local/MacGPG2/bin/gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
        D[0000]  01 00 08 90 00                                     .....           
        OK
    

Sadly.

~~~
fluidcruft
If they never shipped the pgp applet with older than 1.0.9 as stated in the
advisory, maybe you're like me and you installed the applet yourself? I think
we can just update the applet (I think you'll have to re-import your keys).
Mine is currently running 1.0.7.

[https://developers.yubico.com/ykneo-
openpgp/Releases/](https://developers.yubico.com/ykneo-openpgp/Releases/)

------
jlgaddis
Just to be clear, the applet is upgradeable (by the user) on these devices,
yes?

~~~
jlgaddis
The answer to my question is apparently "no".

> _YubiKey NEOs are not upgradable based on best security practices. There is
> a no upgrade policy for our devices since nothing, including malware, can
> write to the firmware._

\-- [https://www.yubico.com/products/yubikey-hardware/yubikey-
neo...](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/#toggle-
id-9)

~~~
jayrox
right and this makes me sad since my neo doesn't include and cant upgrade to
include u2f ;\

~~~
fluidcruft
IIRC not being able to add U2F to the old NEO was about missing hardware
support for elliptic curve cryptography, which is now present in the new NEO.

