Physical security keys, like those sold by Yubico, Thetis and Kensington, are a great way to lock down your digital life. They're also wicked fast compared to waiting for a 2FA code to arrive via SMS or typing in a verification code from an app like Google Authenticator.
Unless of course said security key is deeply, deeply borked.
Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today warning of an issue in YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4 that reduces the randomness of the cryptographic keys and signatures the devices produce. Thousands of federal employees use these keys daily to log on securely, whether with one-time passwords, smart-card (PIV) credentials or FIDO U2F.
The problem shows up after the security key powers up. According to Yubico, a bug leaves "some predictable content" in the device's data buffer, and that buffer feeds the random values used in key generation and signing. ECDSA signatures are hit hardest: 80 of the 256 random bits used for each signature's nonce are static. Partially predictable nonces are the classic weakness in ECDSA, so an attacker who obtains several signatures made by the same key can reconstruct the private key.
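To make the mechanism concrete, here is an added example (not Yubico's code, and not a reproduction of the FIPS firmware bug): a toy ECDSA over NIST P-256 in pure Python, where the nonce k is predictable in the most extreme sense, namely it repeats between two signatures. Recovering the private key then takes two lines of modular arithmetic. The advisory's case, with only 80 of the 256 nonce bits fixed, is the partial version of the same problem and needs a lattice (hidden number problem) attack rather than this direct algebra, but the lesson is identical: any structure in k leaks d. Curve constants are from FIPS 186-4; the messages and the nonce handling are constructed for the demo.

```python
# Added illustration of why predictable ECDSA nonces are fatal. This is not
# Yubico's code and does not reproduce the FIPS firmware bug; it shows the
# limiting case (a fully repeated nonce) using plain affine arithmetic over
# NIST P-256, which is far too slow and side-channel-prone for real use.
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4, D.1.2.3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x, m):
    return pow(x, -1, m)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    out = None
    while k:
        if k & 1:
            out = add(out, pt)
        pt = add(pt, pt)
        k >>= 1
    return out


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA sign with a caller-supplied nonce k, so the demo can control it."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (hash_int(msg) + r * d) % N
    assert r and s
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    w = inv(s, N)
    h = hash_int(msg)
    pt = add(mul(h * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_from_shared_nonce(msg1, sig1, msg2, sig2):
    """Two signatures under the same unknown k leak k, and k leaks d.

    s_i = k^-1 (h_i + r d)  =>  s1 - s2 = k^-1 (h1 - h2)
    """
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2  # same k gives same r: the tell-tale sign of nonce reuse
    h1, h2 = hash_int(msg1), hash_int(msg2)
    k = (h1 - h2) * inv(s1 - s2, N) % N
    return (s1 * k - h1) * inv(r1, N) % N


def demo():
    """Constructed scenario: one key, two messages, one repeated nonce."""
    d = secrets.randbelow(N - 1) + 1
    pub = mul(d, G)
    k = secrets.randbelow(N - 1) + 1  # random once, then wrongly reused
    sig1 = sign(d, b"transaction 1", k)
    sig2 = sign(d, b"transaction 2", k)
    return d, pub, sig1, sig2
```

Run `demo()` and hand its two signatures to `recover_from_shared_nonce`; the recovered value equals the private key every time. The observable symptom in the wild is two signatures from one key sharing the same r, which is worth grepping for in any signature corpus you hold. With only some nonce bits fixed, as in the advisory, r values differ and the leak is invisible to such a scan, which is why the partial case is dangerous: it is still recoverable, just not by inspection.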
If someone reading this can school me on why anyone working at Yubico would think that keeping 'predictable content' on a device meant to secure highly sensitive governmental systems and information was acceptable, I'd appreciate it.
This isn't the first field plowed down on the fuck-up farm by a security key manufacturer in recent memory. Earlier this year, many users of Google's Titan 2FA security keys were told to send their hardware in for replacement due to a Bluetooth pairing vulnerability.
Remember: a security solution is only as good as the people making it, or trying, for good or evil, to break it.
Image via The Beech Island Fire Department