UPDATE: YubiKeys with serial numbers 2624253 to 2624449 and 2624801 to 2625499 are also not configured with fixed card manager keys.
Our YubiKey NEO, is a JavaCard-based product. The NEO has a set of card manager keys that allows you to delete/add/update the software “applets” running on the NEO, through the Global Platform interface.
We launched the YubiKey NEO as a “Developer Edition”, and as such, the card manager keys were set to a single value to facilitate development.
For production use we don’t recommend this, since anything you can do is also something an attacker can do, thus potentially achieving a denial of service of your NEO by (for example) removing all applets on it. (Note that the card manager keys does not give anyone the ability to extract secrets, that’s by design never possible.) As the Yubico applets have now reached a reasonable level of maturity, we are proactively changing our processes around card manager keys. The YubiKey NEOs that have shipped from July 1st 2014, starting with serial number 3,000,000, are no longer configured with the fixed card manager keys.
What does this mean if you are an existing YubiKey NEO customer? If you are concerned with someone else modifying the software on your NEO we recommend that you change the card manager keys. Global Platform can be used to change the card manager keys.
Initially we targeted YubiKey NEO towards early adopters and developers; now the majority of our customers are moving to production deployment and require production devices. What does this mean if you want to develop applets for the YubiKey NEO? We are setting up a YubiKey NEO Developers program for you to order YubiKey NEO “Developer Edition” that come with the known card manager keys, so you can load and delete applets as you wish, and services for Yubico to load your applets onto production YubiKey NEO for your customers. We will announce the launch of the YubiKey NEO Developer program here and on our social media channels.
We are improving the way we set-up the OpenPGP applet on YubiKey NEO; from shipments made today, we now set the card serial number to be the same as the YubiKey laser etched serial number; that’s important if you have multiple YubiKey NEO. Secondly, we are shipping version 1.0.6 of the OpenPGP applet that works with GnuPG version 2.0.22+ and supports import of secret keys – for some informal hints see my personal blog post on GnuPG and NEO usage.