Security flaw allows PIN bypass in YubiKey Neo

Check the firmware version for your YubiKey Neo as a security flaw allows a bypass of the PIN. Since affected devices can't be updated, Yubico has started issuing free replacements if the firmware is below 1.0.10.

YubiKey Neo

When it comes to password alternatives, the USB dongle YubiKey Neo is a popular option for providing two-factor authentication; it has been certified as providing the "highest level of security." The device has been lauded by third parties "for its tight security and ease of use."

Earlier this month, a security advisory was issued for the YubiKey Neo. A summary of the advisory states:

The YubiKey NEO is a flexible security product from Yubico that implements the Yubico One-Time Password technology, FIDO Universal 2nd Factor, OATH codes, PIV card, and OpenPGP card functionality. The on-card OpenPGP software of the YubiKey NEO is implemented by the free and open-source software (FOSS) project "ykneo-openpgp", forked from an earlier implementation called “javacardopenpgp”.

The source code contains a logical flaw related to user PIN (aka PW1) verification that allows an attacker with local host privileges and/or physical proximity (NFC) to perform security operations without knowledge of the user's PIN code.

A typo in the source code of the on-card OpenPGP software is the culprit for this vulnerability, according to Joey Castillo, who discovered both the flaw and the solution. His analysis states:

The bug appears to be a typo in the first line of the computeDigitalSignature, decipher and internalAuthenticate methods. The goal of each is to establish that the PW1 has been validated, AND the proper mode has been set (mode 81 for signing, mode 82 for everything else). According to the spec, if either of these conditions are not satisfied, the security operation should not proceed.

His analysis includes a truth table; Castillo discovered the bug due to case #3 of that table as "OpenKeychain for Android mistakenly verifies the PIN with mode 82 for signing, which should not allow a signature to be generated. The YubiKey generates a signature anyway."

Although the "logical flaw is real and violates assumption of how the OpenPGP applet works in principle," the recommendation added, "we don't see any immediate need for users to upgrade existing deployed products."

Yubico mitigation allegedly downplays security impact

Several Yubico forums users were upset about the way the advisory downplayed the security impact, as the mitigation claims, "The flaw is mitigated by the fact that an attacker would typically require some abilities that would enable the attack even without the logical flaw."

But forum user testic took issue with the very specific portions listed under the Neo mitigation. For example, Yubico said, "Any attacker with access to the local host must be assumed to be able to learn the user's PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging." Yet testic called that "very misleading, as it implies the attacker would need a full compromise of the host to be able to exploit the vulnerability. A shared computer with unprivileged users is also a possible scenario."

Yubico also said, "If the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point." Testic replied, "This is clearly bad faith! Someone could easily 'borrow' a (seldom used) vulnerable YubiKey and use it (for example) to sign a message and return it."

The same "borrowing attack," testic said, could apply to Yubico's statement of: "If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected. In situations like this, you should treat the key as potentially compromised and revoke the key."

Also fed up, Yubico forum user zviratko said the applet is "completely worthless" as "anyone with physical access to the token can sign on my behalf; this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it)."

On the NetSec subreddit, user Mike Seth added, "This is going to be a circus, because last time I checked, only 1.0.6 worked with gpg2 and because upgrading the card-side applet is a pain in the *ss. The firmware itself isn't upgradeable," he added, meaning there are "probably thousands of tokens that need to be replaced."

Vulnerability-free YubiKey Neo replacement

Yubico is apparently planning to issue replacements for the affected YubiKey Neos. In a different forum posting, Yubico Support told user MRuth:

You correct in stating that Production NEOs cannot be updated. If you're affected by the issue, just provide us with any applicable order numbers and serial numbers for NEOs and we'll issue replacements.

After contacting Yubico support, Reddit user Freeky also reported that Yubico will supply a free replacement without too much hassle. "Arranged one via support with no problems. Literally 3 minutes between giving them my order number and getting a code for a replacement." Freeky added that Yubico support "suggested waiting until Tuesday or Wednesday to guarantee getting one with the latest firmware."

YubiKey Neo version affected by security flaw

Yubico said versions below 1.0.9 as well as some YubiKey Neos with 1.0.9 are affected by the security flaw, since the fix was not included in some shipped devices running 1.0.9. So the company released version 1.0.10, which does include the fix, and advised users to check the version of firmware running on their Neo.

If you have a YubiKey Neo, then you are highly advised to check the version of firmware; since it can't be updated, then contact Yubico to see about arranging a vulnerability-free replacement.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)