Yubico Replaces FIPS Series Security Keys Due to Hardware Flaws
Yubico discovered a hardware flaw in YubiKey FIPS Series devices in mid-March and since then, has updated the firmware version to one that does not contain the bug, as well as replaced the majority of affected devices.
- By Kaitlyn DeHaven
- Jun 17, 2019
Yubico is replacing U.S. government-approved security keys due to hardware flaws. The recalled device is the YubiKey FIPS Series, which are not consumer devices, and only in versions 4.4.2 and 4.4.4.
Yubico released an advisory last week that stated that the main issue with the security keys was decreased randomness in the first set of values.
“Random values leveraged in some YubiKey FIBS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” Yubico said. “The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.”
Yubico originally discovered the flaw in mid-March 2019, and subsequently created YubiKey FIPS Series firmware version 4.4.5, which achieved FIPS certification on April 30, 2019.
The company has been replacing keys for affected FIPS devices since they discovered the issue, and said that at the time the advisory was released, they believed the majority of affected YubiKey FIPS Series devices had been replaced, or were in the process of being replaced.
The company is not aware of any security breaches due to the issue, but all users that haven’t yet been contacted by Yubico are advised to request a replacement.
Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.