YubiKey NEO OpenPGP Security Bug

April 27, 2015

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you.

The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The technical details are available in a security advisory posted on our website. This issue only affects the OpenPGP applet and does not impact the security of the YubiKey or its other functions.

While we continue to believe that the practical impact for the majority of users is not critical, Yubico aspires to exceed expectations related to security incident handling. Therefore, we have developed a policy on replacing affected YubiKey NEOs.

Note that moving usage of an OpenPGP key to a new YubiKey NEO requires that you have saved a backup copy of the private key on the card, as there is no way to retrieve the private key from any YubiKey, including the YubiKey NEO. If you did not save a backup copy of the private key when you initially generated the key, you will need to revoke the existing key and create a new key. Therefore, we urge you to consider whether you are truly affected by the security issue before proceeding.

If you are using the YubiKey NEO with the OpenPGP Card applet and want to replace your YubiKey, go to yubi.co/support to log a support ticket. Include the output from ‘gpg --card-status’ on your YubiKey NEO (masking out personal information) together with your order number in the ticket you submit. We will give you a coupon code so you can order a replacement YubiKey NEO.
