Hacker News
YubiKey still selling old stock with vulnerable firmware
288 points by MaKey 23 days ago | 109 comments
FYI, YubiKey is apparently still selling old stock with firmware vulnerable to the EUCLEAK attack instead of disposing of them, as a reader of Fefe's Blog reported: https://blog.fefe.de/?ts=99ccc8dc



I hadn’t noticed the announcement of the vulnerability, looks like it’s nothing I care about for my “threat model”.

https://www.theverge.com/2024/9/4/24235635/yubikey-unfixable...

>“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” the company said in its security advisory. “Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.” But those aren’t necessarily deterrents to a highly motivated individual or state-sponsored attack.


> The attacker would need physical possession of the [key]... Depending on the use case, the attacker may also require additional knowledge including... PIN, account password, or authentication key.

If you already had both these things, any vulnerability in the key's firmware would be moot, surely? It's hardly a surprise that 2FA can be compromised by compromising both factors.


The vulnerability allows extracting the secret key from a vulnerable device. If I remember correctly, it's after a successful auth / sign flow, which requires the login/password of the target website.

I could give you my security key and you'll be able to login once. If you can extract the key, then you could login without the security key. In the context of a targeted attack, that could heavily change the impact.


If you're paranoid, of course, you're not going to trust a key that's left your possession, even if you get it back later. Once it's gone it should be revoked permanently.


That presumes you'd know.


It does. If you can get my yubikey off my keyring while it's in my pocket and put it back on without my noticing then I don't know how I can defend against that.


Sort of like how several plot points of the last Mission: Impossible movie could have been thwarted by a zipper.


... in hindsight :)


> If you can get my yubikey off my keyring while it's in my pocket and put it back on without my noticing

Yubikey security advisory: "Due to software vulnerability, always store in pocket".

:)


And you can store things like your PGP keys on there. I use mine for code signing, ssh, and encryption. For me it’d just be a PITA, since I don’t operate in a very sensitive or valuable area, but it could be a nightmare for someone who signs code a lot of people use, for example.


What is your job where you need to give your key to lieutenant Chang daily?


The whole point of a YubiKey is that it can produce inextractable keys so it cannot be forged/cloned.

Without that property, might as well use a < 1$ Arduino clone that's 100x cheaper.


Are there < 1$ Arduino clones? How compatible are they with yubikeys? Are there any from trusted manufacturers? Any pointers?


Not $1, but you can get a JavaCardOS card and upload a FIDO applet yourself

https://github.com/token2/pin_plus_firmware https://github.com/BryanJacobs/FIDO2Applet

Probably will cost 5USD


Interesting, but "card" sounds like a different form factor, and Yubikeys do a fair bit more than just FIDO2!


JavaCardOS can run in a USB-form factor as well. But that will not be 5USD. https://usasmartcard.com/usb-token/?page=1

In addition to FIDO2, you can add a Java applet for OpenPGP (also open source), TOTP (https://github.com/JavaCardOS/Oath-Applet) and PIV/smartcard (open source as well). I tell you more - there are tons of JavaCardOS compatible applets available on github etc.


The Yubikeys also support NFC, which is necessary for U2F authentication on Lightning iPhones.


Sorry I was not clear. Cards have NFC in any case. What is missing in cards is USB


Note I'm talking "clone of the Arduino", not "Arduino-based clone of the YubiKey". My point was that if you don't need protection against key extraction, you can just get an ultra-cheap microcontroller and write code to do the crypto operations on them.

This thread talks about sub-1$ Arduinos:

https://old.reddit.com/r/arduino/comments/dixa9x/awesome_sub...

I can't speak to the quality of those, but my friend got some sub-1$ Arduinos in the past (not sure which) and said they worked.


It's a matter of safeguards. If the arduino clone is remotely extractable, then you're not saving much.


That's the point. Yubikey can charge a premium on the assumption that what it sells is secure. If it sells old stock with known issues, what's the point?

Also I returned my yubikey to my $work when my contract ended so I know at least Microsoft reuses these keys.


> Also I returned my yubikey to my $work when my contract ended so I know at least Microsoft reuses these keys.

Or destroys them.


Is it the whole point? My understanding is that this attack requires physical access to the key. Would a compromised computer be able to extract the key without physically having the key? My understanding is that it wouldn't.

So having my private key on the Yubikey plugged into my computer is still safer than having the private key directly on the computer, right?


Yes, but my point is you could also have any ultra-cheap device plugged into your computer that can run general-purpose crypto software and talk via USB, or your phone.

You wouldn't have to pay > 50$ for a Yubikey.


> my point is you could also have any ultra-cheap device plugged into your computer that can run general-purpose crypto software and talk via USB,

But you would need this ultra-cheap device plugged into your computer to be resistant to your computer being compromised. Do you know such an off-the-shelf device?

> or your phone

Well your phone has a very large attack surface as compared to a Yubikey.

> You wouldn't have to pay > 50$ for a Yubikey.

Are you sure about that? I have a Nitrokey 3C NFC that cost more than my Yubikey, and the Nitrokey can be flashed from my computer. Meaning that if my computer is compromised, then my Nitrokey is compromised.

It's not clear to me that 50$ is expensive for a product that is not used by half the world and doesn't collect the private data of its users. I understand the frustration with the security issue, but I find it unfair to say "I would do better for < 1$".


The attacker would have to take the targeted YubiKey physically apart to get access to the Infineon chip. Then, after performing enough successful FIDO2 challenges (ie. logins with phished credentials) they would need to put the device back together, and do so without the victim noticing that their YubiKey has been physically compromised.

The keys are tamper-evident.

The attack is not impossible, and surely fits within the capabilities of nation state actors. For the majority of other users it's a theoretical attack.


> The keys are tamper-evident.

No. Attacker replaces the shell.


So in your threat model the attacker is someone who has the resources to target you individually (plausible for high-value targets), the capability and capacity to further develop the physical field attack kit (current cost at ~11k for lab condition hardware), and can haul around essentially a mobile electrics oven - approximate size between a fusion splicer and a small 3D printer - to re-shell a decapped YubiKey.

I'm discounting the need to conduct phishing. That comes for free. I'll also give you that the victim may be rather unlikely to spot that their YubiKey has been replaced with a freshly manufactured copy.

For those kinds of capabilities you're still looking at nation state actors or very motivated enterprises.


> essentially a mobile electrics oven - approximate size between a fusion splicer and a small 3D printer - to re-shell a decapped YubiKey.

Not at all. Superglue is ample.

> For those kinds of capabilities you're still looking at nation state actors or very motivated enterprises.

And that's comfort?


Not comfort, but threat model.

Nation state actors have the resources to destroy me. Defending fully against them is cost prohibitive. I'll take basic actions to make it more expensive though.

My threat model is much less well-resourced actors who would happily sim-swap or password-stuff, etc, and there a Yubikey is enough to foil those attacks. I have locks on my doors to prevent random teenagers and miscreants from walking in, not to prevent people motivated enough to pick the locks, break a window, or go through a wall.


> My threat model is much less well-resourced actors who would happily sim-swap or password-stuff, etc, and there a Yubikey is enough to foil those attacks.

...whereas many users trusting the "industry’s #1 security key" pitch were relying upon a lot more.


As another commenter started to point out, the risk is essentially cloning the key. So, if you were out to dinner and it was cloned while you were out, you might not realize you'd been compromised whereas if it was stolen, it might be too late, but you'd know. It seems that for many/most people the risk is low, but anyone at risk of a state sponsored attack should be aware.

For the threat model of keeping out random online attackers with no physical access, it seems this vulnerability doesn't matter.


You should care about a seller who sells products with known flaws.


Every product has "known flaws".


Almost every known product maker makes procedures around having a vulnerable product and advertises it as 'securing your data has the utmost importance' while releasing a thick stream of security patches on the back of patches, more than not making updates mandatory this way or the other.

'We may finish that later sometime after sales' kind of product development.


Not in this particular case. Here, it's more like "buy our new product if you care enough about the latest vulnerability; the old one is unpatchable by design".


You should care about the seller who conceals them at sale.


Known to the seller or the buyer?


If I recall RSA keys on an affected unit are also not impacted.


Yeah, but what isn't ever(?) mentioned is, "other" ECC keys are (should be) impacted by this too, not just FIDO2, i.e. ECC smart card certificates if you're using those.


That's why I said it. I primarily use mine for signing commits with gpg. This use case isn't impacted since I use rsa keys.


Relevant bit (machine translation of the German original):

> Update: It's even more extreme, as a reader points out:

> Regarding the Yubikey story, it should be noted that they are currently so brazen as to sell off their stock of vulnerable keys instead of scrapping them. I recently ordered two of those things (the expensive FIPS version!) and what do I get delivered? The keys with the old, vulnerable firmware. The background seems to be that they are initially supplying authorities and other "prioritized" customers with the keys that have the new firmware.


wtf.

And these YubiKey aren't exactly cheap. You'd expect the price to cover whatever they have to do on their end so that you do not receive a known vulnerable device.


I agree that it would look bad if Yubico pretended to send patched keys and instead sent the vulnerable ones (which this anonymous reader seems to claim).

But I think it would deserve more than an anonymous, unverified claim. From what I see, on Yubico's store it says which version of the firmware I am ordering.


The product page of the FIPS series shows firmware 5.4. However, it doesn't say that this is a firmware with a known vulnerability.


Off topic, but I'm so mesmerized, I can't help it -- the translation is just perfect, even though the original is rife with colloquialism. Not too long ago, this was SciFi.


Same, didn't want to shill, but I used Kagi Translate https://news.ycombinator.com/item?id=42080012


AFAIK key extraction is not allowed by 140-2. Weird to call it FIPS approved.


FIPS certified, which means a validation certificate exists. (And it does: https://csrc.nist.gov/projects/cryptographic-module-validati..., issued 2021.)


Oh, this is even more complicated -- getting FIPS certification is not a fast process, so the only FIPS-certified Yubikeys at present are the vulnerable ones. Their FIPS 140-3 certification process started... huh, yesterday, apparently:

https://www.yubico.com/blog/yubico-submits-yubikey-5-fips-se...

FIPS certification is never the thing you want if you don't specifically need that certificate number. There are two certified firmware versions, 5.4.2 and 5.4.3, and if you get a FIPS key that's what you're getting.

https://csrc.nist.gov/projects/cryptographic-module-validati...


I would gladly take an old stock yubikey at a discount - my threat model doesn't have a serious need for resistance to stolen keys, because at the user level they're unlikely to not notice them missing for long enough to successfully attack and then replace to a keychain.


You're joking, right?


The vulnerability, as another commenter mentions, is extremely hard to exploit and requires both physical access and the specific accounts to clone the key for.

That may be too much of a risk for enterprises, but as a personal security key? That seems like a completely reasonable choice to make.


A yubikey vulnerable to this attack perfectly protects against phishing, which is the attack the 99.9% of us have a practical reason to worry about.

Not all vulnerabilities are equal.


But so does a software password manager supporting passkeys – at a much lower price.


But a software password manager on a compromised computer can be compromised, right? It feels like the secrets can't be extracted by a compromised computer: the attacker needs physical access to the Yubikey.

This sounds better than a software password manager, right? Or am I missing something?


Definitely, but GP mentioned

> [...] phishing, which is the attack the 99.9% of us have a practical reason to worry about [...]

Both physical and software authenticators protect just fine against that.


But lesser convenience and with more hassle.


You're right: a physical security key is a lesser convenience with more hassle than a personal password manager in my case.


No, I'm not. I've got a bunch of yubikeys locked in lockboxes when they're not in use, serving as trust anchors for internal PKI, but also using certificate logging. If one is compromised, there's a short window until it's known, and access to the box has a very small group of people. My threat model does not include "Insider under the watchful eye of two other insiders"


> My threat model does not include "Insider under the watchful eye of two other insiders"

Some Mastodon infosec grifter is going to name this "Insider Triple Threat".


The attack is local, limited, and requires sophistication to pull off. For most people and most use-cases, this is a theoretical vulnerability rather than a real one.

While some users may need to buy updated YKs, perhaps having a tier of discounted "vulnerable" new old stock and more expensive patched new stock would make the most economic and utility sense.


If he understands the risks and deems those manageable according to their threat model, I don't see a problem.


If you lose your YubiKey, or any other hardware key, for all intents and purposes all your data on it is compromised.

What I'm reading from <https://ninjalab.io/eucleak/> is this:

>This vulnerability – that went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non constant-time modular inversion.

The vulnerability is therefore that the secrets can be extracted without taking the YubiKey apart, by measuring timings, thus tricking you into thinking that your YubiKey is intact (but you were already compromised the moment you could not account for the location of the YubiKey). On the other hand, a well motivated adversary can take apart your YubiKey, extract the secrets through other means (every hardware key is vulnerable to this) and finally put together a new YubiKey, identical on the outside to your old YubiKey, with the same secrets.

The two scenarios are almost the same, unless you're biotagging your YubiKey (which only buys you knowledge that you've been compromised). If Yubico is selling these keys, it's because it would be too expensive for them to clearly label the firmware version on each YubiKey sold, for various reasons. I think this is a great opportunity for a competitor to arise, who hopefully allows flashing of the firmware, at a minimum. The Nitrokey seems like a good option <https://www.nitrokey.com/>.
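An added illustration (not part of the original thread and not NinjaLab's or Yubico's code) of what "non constant-time modular inversion" in the NinjaLab sentence quoted above means: an extended-Euclid inversion does an amount of work that depends on the value being inverted, while a fixed-exponent (Fermat) inversion performs the same operation sequence for every input. The function names, the constructed sample values and the choice of the public P-256 group order as modulus are assumptions made for this example.

```python
"""Input-dependent vs. input-independent work in modular inversion.

Added illustration only: it counts arithmetic steps. Python integers are not
constant-time, so this is not production cryptographic code.
"""
import hashlib

# Assumption: the public group order of NIST P-256 serves as the prime
# modulus; the thread itself does not name a curve.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inv_euclid(a, n=N):
    """Extended Euclidean inversion. Returns (a^-1 mod n, loop iterations)."""
    r0, r1 = n, a % n
    t0, t1 = 0, 1
    steps = 0
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1  # the iteration count depends on the value of a
    if r0 != 1:
        raise ValueError("value is not invertible modulo n")
    return t0 % n, steps


def inv_fixed_exponent(a, n=N):
    """Fermat inversion a^(n-2) mod n, n prime. Returns (inverse, operations)."""
    base = a % n
    if base == 0:
        raise ValueError("value is not invertible modulo n")
    e = n - 2  # public exponent, identical for every input
    result, ops = 1, 0
    for i in reversed(range(e.bit_length())):
        result = result * result % n
        ops += 1
        if (e >> i) & 1:  # branches only on public exponent bits
            result = result * base % n
            ops += 1
    return result, ops


def sample_values():
    """Constructed inputs: three small values plus five hash-derived ones."""
    values = [1, 2, 3]
    for i in range(5):
        digest = hashlib.sha256(f"constructed sample {i}".encode()).digest()
        values.append(int.from_bytes(digest, "big") % N or 1)
    return values


def profile():
    """Return (value, euclid_steps, fixed_ops) after checking both inverses."""
    rows = []
    for a in sample_values():
        inv_e, steps = inv_euclid(a)
        inv_f, ops = inv_fixed_exponent(a)
        if inv_e != inv_f or a * inv_e % N != 1:
            raise AssertionError("inversion routines disagree")
        rows.append((a, steps, ops))
    return rows


if __name__ == "__main__":
    for a, steps, ops in profile():
        print(f"a={a:#x}\n  euclid iterations={steps}  fixed-exponent ops={ops}")
```
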


> The Nitrokey seems like a good option <https://www.nitrokey.com/>.

My experience with Nitrokey is different. I trust Yubico for my threat model, I just don't trust Nitrokey at all. They seem to have more products than employees and in my experience they have a history of advertising/selling features they don't have.


For those who downvote me, let me add some context. I count 14 employees in the company picture [1]. They say "up to 20 employees". I assume not everyone is a software developer.

They have 1. Nitrokey 2. NitroPhone 3. NitroTablet 4. NitroPad 5. NitroPC 6. NextBox 7. NitroWall 8. NetHSM which look like very different products. On top of this, they have consulting services and NitroChat (not clear to me if it is just a branded Matrix instance) and "Android FIDO SDK" (which for some reason points to https://hwsecurity.dev/, which doesn't exactly seem to be a Nitrokey product). That seems like a lot for 14-20 employees.

But then my experience was with the Nitrokey 3 NFC. They advertised all the main features that Yubikey had and accepted pre-orders. They claimed that the software was ready, in Rust and open source (!), and that it would just take a few months for the hardware. It took 2 years, and when I finally received my Nitrokey, none of the software was ready (it had just one feature, maybe FIDO?).

Finally, it is great that it is open source, but the fact that it is flashable does not sound like a security feature to me: doesn't it mean that an attacker could flash a malicious firmware on it from a compromised computer?

[1]: https://www.nitrokey.com/about


Flashing firmware makes it easier to compromise an unattended hardware key but as I said above every hardware key could be considered compromised in this sense. Pre-orders generally come with stipulations on when you receive the product and what it will be. NitroChat is them running a Matrix chat server for you, they probably intend to have integrations with their Nitrokey. The SDK mentions that it is "Offered in partnership with Hardware Security SDK by heylogin GmbH", the intent of heylogin GmbH is to charge you for commercial use of the SDK. Them having less than 20 employees makes sense, it's a niche market.

What it comes down to is that YubiKeys have better integration but Nitrokeys are more fun if you want to hack on them, and it's not really a matter of security. Note that smart cards in general can be used for the same purposes, e.g. Java Cards. USB keys do not require you to carry around a card reader.


> Flashing firmware makes it easier to compromise an unattended hardware key but as I said above every hardware key could be considered compromised in this sense.

Isn't there a difference between your compromised laptop being able to reflash your Nitrokey and your compromised laptop not being able to reflash your Yubikey, though?

> Them having less than 20 employees makes sense, it's a niche market.

Maybe, but they sell 8 different hardware products. Have you ever been involved in a hardware product? I have, and it feels like they must not put a lot of resources on them. Which is kind of proven in my experience with the fact that my Nitrokey arrived 2 years after I ordered it and by then, only a fraction of the software had been written.


> biotagging

Sorry, what does this mean? I couldn’t find anything on Google about it.


The problem here is that depending on your threat model it might be important for customers to trust Yubico not to sell out against rich/powerful attackers. This behavior adds a datapoint that speaks against them, even if they are technically correct.

I do not expect a manufacturer of such hardware to be like: "Eh it is okay" when skipping the fix to their IC manufacturer's fuckup saves them money, I expect them to go out of their way to protect their customers. Seen like this their refusal to replace compromised keys was already brazen, them selling compromised keys constitutes a breach of trust.

I am already researching for alternatives.


> Seen like this their refusal to replace compromised keys was already brazen,

Does it really sound crazy that they would not replace all the keys they ever sold? At that price, it feels like it's obviously part of the deal. If you want to buy a security key that will get audited every day by 10 experts and receive new versions delivered in your hands by approved staff, I guess you should expect to pay more than 50 bucks, right?

> them selling compromised keys constitutes a breach of trust.

Some anonymous reader of some blog claims it. It doesn't mean it's true, does it? From what I can see, it says on the Yubico store which version of the firmware I am getting. Can anyone confirm that they ordered the new version, received the old version and Yubico refused to exchange that?


Of course they would like to avoid replacing every (affected) key they ever sold if they don't absolutely have to. But if they sold cars and this was a defective airbag they would have been forced to replace them.

You as a manufacturer are responsible for the products you bring to market — don't want to recall your products? Then ensure they work and you don't put all your eggs in one basket.

In this case Yubico is very likely not legally bound to recall, but I made a case how this is an issue of trust. You know what would have been a good move? A deal where you can order a new one at strongly reduced prices if you can show you had an affected device, or something along those lines. Or selling the affected ones for cheap and give the customers the choice. There are many ways to deal with that situation in a better way than they did and they decided to choose the one that helped their very short term bottom line the most.

As an owner of an affected Yubikey I have to say that the whole episode put a question mark behind their product for me. Not because it was affected, because of how they dealt with it.


> in a better way than they did

What did they do? What I see is that I can't choose to order a key with an older firmware, and it explicitly says "firmware 5.7" everywhere I look.

> But if they sold cars and this was a defective airbag they would have been forced to replace them.

New cars have those electronic keys that work remotely (automatically close the door when you leave, automatically open when you arrive). There has been an increase of car thefts from those keys, because they are objectively less secure. Have you ever tried asking the car manufacturer to change the key for free? Or to sell you a new car at a strongly reduced price?


For the record, they've replaced defective vulnerable keys before.

https://www.yubico.com/support/security-advisories/ysa-2017-...

I had one of the affected keys. I requested a replacement via their key replacement program and got a new one in the mail.


Is this really true? Looking at the Yubikey Shop I see that the purchase page explicitly states that the key is shipped with Firmware 5.7 (the fixed version). If a device is received with the old firmware, I would believe that this is not intentional and support would resolve the problem.


They're still selling the FIPS series with firmware 5.4: https://www.yubico.com/us/product/yubikey-5-fips-series/yubi...


> as a reader of Fefe's Blog reported

My understanding is that the blog post complains about the fact that there was a security vulnerability in Yubikeys and that Yubico doesn't exchange everything they have sold until now. But it makes sense to me: I buy a Yubikey at time T, with firmware F that by design cannot be modified. I don't buy a subscription that will provide me with an updated key every month, it's a one-off.

Until the security flaw was discovered, my keys were fine. So I paid 50$ per key for 4 years, I don't think it's exactly expensive. Now there are two questions for me:

1. Should I replace my keys? In my case, I don't think so (given my threat model)

2. Should I stop trusting Yubico? I don't think so. It doesn't seem like this flaw is due to a total incompetence from their part. If I stopped trusting software every time a critical flaw was discovered, I wouldn't use software anymore.

The blog post then goes on claiming that Yubico pretends that they sell keys with the updated firmware (on their store, it clearly says if I am ordering a key with firmware 5.7 or not) but sell keys with older firmware. That would be pretty bad from Yubikey, but the blog gives absolutely no proof. It could as well just be an empty claim to hurt Yubico's reputation, from what I see.


The FIPS Series shows firmware 5.4: https://www.yubico.com/us/product/yubikey-5-fips-series/yubi...

Instead of stopping the sale of them, they're dumping old stock on unsuspecting customers.


Right, I don't see an explanation of what it means to have firmware 5.4. Probably they should add something there.


The Yubico support article for this issue: https://support.yubico.com/hc/en-us/articles/15705749884444-...

Spoiler: none of the options are warranty replacement.


Yeah, it's really disappointing. They've replaced defective vulnerable keys before.

https://www.yubico.com/support/security-advisories/ysa-2017-...


Hmmm. Not excusing Yubico if the report is accurate, but I ordered 4x 5C NFC to replace my old keys, and they shipped with firmware 5.7.1 which does not have that vulnerability. Perhaps because they got the FIPS version, which is actually less secure because of NSA-borked protocols, but required for government compliance, and probably sells in lower quantities. The 5.7 firmware was released in May and so new-old-stock of the vulnerable firmware should have rotated out a while ago.


If I consider buying a security token similar to a Yubikey, I'll try hard to buy one with open firmware, and preferably open enough hardware. Something that has been independently inspected, and something that allows me to load the firmware I control and can inspect. (The ability to only load it once would be fine; an ability to securely update it would be really nice.)


Where did this unknown individual buy the keys and when? I see a lot of smoke but where is the fire?


Just go with Nitrokey, the software is, at least, published at GitHub https://github.com/Nitrokey


That's about the only advantage I see with Nitrokey. Support is terrible (in my experience) and they sell unfinished products while advertising features they don't have.

I have never reached a point where I could trust Nitrokey (I have a Nitrokey that I never used because after waiting 2 years to receive it, it still had none of the features that were announced when I ordered it).


Classic strategy. Market leader is closed source. Follower attempts to be open source to gain market share despite being behind in features and market.

Has this strategy ever worked? Gitlab went public, but it's barely a fraction of what GitHub is.

Framework laptops aren't really all that big.

Maybe Android? But it had huge backing.


BitWarden went this route against LastPass. They've had their own closed source component controversies lately though.


The password manager market does not have a dominant player like Github vs Gitlab (others). Actually this would be more true if you add non commercial offerings like Keychain passwords, Google passwords and Firefox (other browsers password managers).

Lastpass didn't have a majority at any time. And their decline is related more to their breaches and horrible practices. They are trying to be relevant now. They offered my university free subscription for all students and faculty and still people don't even consider them. At least this is among people who consider password managers.

Also for bitwarden the controversy was about their SDK licence being proprietary but they re-licenced to open source [1]

[1] https://news.ycombinator.com/item?id=41940580


Gitlab and GitHub can't be compared.

GitHub is a social platform.

We would need mastodon for GitHub.


GitHub is also CI/CD like Bitbucket and GitLab etc.


For how new Framework is they are actually pretty big on college campuses especially among engineering students in my experience. They're still a fairly new company in the scheme of things and I'd say the strategy is definitely not hurting them.


Yeah, not enough people care about open source right now. Maybe after this incident more will!

In any case you're right, if you try doing open source purely as a marketing tactic it may or may not work out. I think one good reason to do open source is because you believe it's more sustainable, or transparent, or just being decent to your customers.


Not sure where Framework laptops fit in that strategy. They are ahead in terms of features (but not market, granted).


Thank you so much!

My client was in the final stage of selecting security tokens.

They have contracts with administration and their tokens need to be secure.

I was strongly for yubikeys, now they will not be an option any longer.

It is not so much about the flaw, but about their handling of the broken security tokens, still claiming them to be somehow secure-ish.

Even if they offered us the new tokens, that wouldn't make a difference. Their claim to making the internet more secure for all, contradicts their attitude.

That is really disappointing.


That seems really reactionary based on a single random report posted to HN. It’s worth actually verifying if this was intentional or accidental. They’re marketing the keys as having the new firmware. It would be really idiotic to do that and then intentionally ship old firmware. Anyone and everyone would be able to figure that out in an instant, and would severely damage their business.


I was in contact with a Sr. Customer Support Specialist from Yubico and I was not impressed by their denial of a problem.

The reason to get such a Hardware Token is, that the private key cannot be extracted, even if the users lose it.

They have plausible deniability for fraud with the broken devices.

Claiming that this would not be a problem and trying to explain why it is not a problem without considering their client could be right, is pure arrogance.

Only a complete exchange of the whole management of yubico could save them, when they want to be taken seriously ever again.

And of course the new management should immediately offer a cost free exchange program.

D'oh.


The report can be verified by visiting the product page of the YubiKey 5 NFC FIPS: https://www.yubico.com/us/product/yubikey-5-fips-series/yubi...

It is listed with the vulnerable firmware 5.4.


They also refuse to swap out vulnerable keys for high security environments where customers require to "update or replace any system with known vulnerabilities."


And when you do order a single key from them be prepared for a barrage of passive-aggressive sales e-mail along the lines "I wanted to discuss your rollout plan".


I personally find token2 really nice.


Thanks, their devices look interesting. Open source firmware and good pricing.


The new set of keys I bought earlier this year are affected. Last time a vulnerability like this one was discovered, they sent me a new replacement key. It appears that's not gonna happen this time.

Really disappointed.


A lot of hardware is vulnerable but still being sold. All hardware is in fact.


Hopefully not hardware with known vulnerabilities.


A lot of IoT devices, cameras, alarm systems, car components have known vulns and are still sold...


It might make sense for a product that is hard to patch due to a more complex manufacture to drain supplies before updating. For a security product that is known to be vulnerable it is not forgivable to keep shipping.


I’d say security cameras and alarm systems are security products, too.


Almost all hardware has known vulnerabilities, you can't just take things off shelves once one is found, they don't have a money printer.



