Security Advisory 2018-01-16 –
Security Issue with Password Protection in OATH Applet on YubiKey NEO

Tracking IDs: YSA-2018-01

Summary

Oscar Mira and Roi Martin from the Schibsted security team informed us of a security issue in the OATH (Initiative for Open Authentication) applet on the YubiKey NEO. The YubiKey OATH applet is used to generate time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) codes that are then displayed in the companion Yubico Authenticator app. To provide an extra layer of protection against unauthorized viewing of these codes, the OATH applet can be protected with an optional password, a feature unique to the YubiKey OATH applet among one-time password (OTP) code generators. The issue may allow an individual in physical possession of the YubiKey NEO to remove the password protection of the OATH applet and view the TOTP/HOTP codes generated by the applet in the companion Yubico Authenticator app, without knowing the password.

TOTP/HOTP codes generated by that applet are typically used as a second authentication factor, in conjunction with a password or PIN code, to log into a service or website. This issue does not affect those passwords or PIN codes; it only affects the password protecting the OATH applet on the YubiKey NEO.

Other functions of the YubiKey NEO, including PIV, FIDO Universal 2nd Factor (U2F) and Yubico OTP are not affected. No other YubiKeys, including the YubiKey 4 and the FIDO U2F Security Key are impacted by this issue. The YubiKey 4 platform uses a different applet for OATH and the FIDO U2F Security Key does not include OATH.

Severity

The severity of this issue is moderate. It is mitigated by the fact that an individual must be in physical possession of the YubiKey NEO to exploit the issue, i.e. no online attacks are possible. Further, the TOTP/HOTP seeds cannot be extracted from the device, which means an attacker cannot clone the OTP generator. To use the TOTP/HOTP codes, the attacker must have physical possession of the YubiKey NEO at the time the OTP codes are needed.

Mounting an attack to exploit this issue results in removal of the password. A user that has set a password on the OATH applet can easily tell if it has been removed since the user will not be prompted for the password the next time they use the Yubico Authenticator app to retrieve TOTP/HOTP codes from the OATH applet.

How to Tell If You Are Affected

Only customers who use the OATH applet to store TOTP/HOTP codes on their YubiKey NEO may be affected by this issue. This is normally done in conjunction with the Yubico Authenticator app. All other functions of the YubiKey NEO remain unaffected.

If you use the OATH applet to store TOTP/HOTP codes on your YubiKey NEO, you may be affected if you have set a password on the OATH applet using the Yubico Authenticator app or another Yubico tool.

The issue was addressed in OATH applet version 1.0.1, shipped with YubiKey NEO firmware version 3.5.0. Any YubiKey NEO shipped before 2017-12-01, the date the fixed version began shipping, is affected. You may use the Yubico Authenticator to check the version of the OATH applet on your key.
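As an added example (not Yubico's code), the following Python parses the TLV body the OATH applet returns when it is selected and flags a key that is both below applet version 1.0.1 and password-protected. It assumes the YKOATH SELECT response tags 0x79 (version, three bytes) and 0x74 (challenge, present only when a password is set), assumes the reported version is the applet version the advisory refers to, and uses constructed response bytes rather than output captured from a real key.

```python
# Added example, not Yubico's code. Assumptions: YKOATH SELECT response
# tags 0x79 = version (3 bytes), 0x71 = device ID, 0x74 = challenge (only
# present when a password is set); the sample responses are constructed.

FIXED_VERSION = (1, 0, 1)  # OATH applet version named in the advisory


def parse_tlv(data: bytes) -> dict:
    """Parse one-byte-tag / one-byte-length TLVs into {tag: value}."""
    fields, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag 0x{tag:02x}")
        fields[tag] = value
        i += 2 + length
    return fields


def assess(select_response: bytes) -> dict:
    """Report applet version, whether a password is set, and exposure."""
    fields = parse_tlv(select_response)
    if 0x79 not in fields or len(fields[0x79]) != 3:
        raise ValueError("no version field in SELECT response")
    version = tuple(fields[0x79])
    password_set = 0x74 in fields  # challenge is only sent when locked
    return {
        "version": version,
        "password_set": password_set,
        "affected": password_set and version < FIXED_VERSION,
    }


# Constructed sample responses (not real device output).
OLD_WITH_PASSWORD = bytes([0x79, 3, 1, 0, 0,            # version 1.0.0
                           0x71, 4, 0xde, 0xad, 0xbe, 0xef,
                           0x74, 8, *range(8)])         # challenge present
FIXED_WITH_PASSWORD = bytes([0x79, 3, 1, 0, 1,          # version 1.0.1
                             0x71, 4, 1, 2, 3, 4,
                             0x74, 8, *range(8)])
OLD_NO_PASSWORD = bytes([0x79, 3, 1, 0, 0, 0x71, 4, 1, 2, 3, 4])

if __name__ == "__main__":
    for name, resp in [("old+password", OLD_WITH_PASSWORD),
                       ("fixed+password", FIXED_WITH_PASSWORD),
                       ("old, no password", OLD_NO_PASSWORD)]:
        print(f"{name}: {assess(resp)}")
```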

Mitigation

If you are using the password protection feature of the OATH applet on your YubiKey NEO and your YubiKey NEO was purchased between 2017-01-01 and 2018-01-01, you may be eligible for a coupon code for a replacement YubiKey NEO. Go to yubi.co/support to log a support ticket referencing YSA-2018-1.

Timeline

2017-09-18 Schibsted informs Yubico of the issue
2017-12-01 Yubico remedied this issue in all shipping YubiKey NEO devices
2018-01-16 Yubico releases advisory YSA-2018-1