Yubico to replace flawed YubiKey FIPS security keys

YubiKey FIPS Series (Image credit: Yubico)

Yubico has announced that it will soon replace hardware security keys from its YubiKey FIPS series due to a firmware flaw that reduces the randomness of cryptographic keys generated by the devices.

Unlike the company's consumer-focused products, the YubiKey FIPS Series are certified for use on US government networks and take their name from the US government's Federal Information Processing Standards (FIPS).

In a recent security advisory, Yubico explained that YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4 contain an issue where the first set of random values used by YubiKey FIPS applications after each device power-up has reduced randomness.

This means that these devices can generate keys that are either partially or fully recoverable, depending on which cryptographic algorithm the key is used with for a particular authentication operation.

Replacement security keys

Yubico discovered the issue internally in March and conducted a full investigation into the root cause, the impact and how it could mitigate the issue for its customers. The company fully fixed the issue in YubiKey FIPS Series firmware version 4.4.5, but because of the firmware change, FIPS recertification was also required.

Yubico is also now advising owners of YubiKey FIPS Series devices to check the firmware version of their security key; affected users can sign up for a new key on its replacement portal. The company said that its customers would receive new YubiKey FIPS Series keys with firmware version 4.4.5.

According to the security advisory, most of the affected devices have either been replaced or are in the process of being replaced:

“To safeguard the security of our customers, Yubico has been conducting an active key replacement program for affected FIPS devices (versions 4.4.2 and 4.4.4) since the issue was discovered and recertification was achieved. At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices.”

Yubico also reassured customers by informing them that the company is not aware of any security breaches that have occurred as a result of the issue.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.