Slashdot Mirror


Yubikey Neo Teardown and Durability Review

An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructible. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.

4 of 88 comments

  1. No they didn't. by Anonymous Coward · · Score: 0, Informative

    No they didn't. Unless Yubikey Neo is a person, they took apart a Yubikey Neo.

    When you omit article, it make you sound like chinaman.

  2. A two factor device by Sycraft-fu · · Score: 4, Informative

    I know, only because where I work is using them. Idea is it is a general two factor token. Can be programmed by the end user or their org. Also in theory a lot of companies could all use their platform and you have one two factor device for everything but in reality you use it for whatever your company does and nothing else.

    Once programmed it acts like a HID class keyboard. You push the button, it spits out a string of characters, that being the two factor code for your account at the time.

  3. Re:Okay, what is it? by Echo_Hotel · · Score: 5, Informative

    It's a USB/NFC multi-factor authentication token.
    It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.
    YubiCo is a company that makes budget security tokens with the YubiKey Neo being their "top of the line" at a price of 50 USD.
    One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.
    Many manufacturers achieve this by "potting" the circuit board (coating it entirely in plastic rather than using a shell like most electronics) in some sort of difficult to remove chemically resistant plastic.
    The YubiKey Neo was potted in a plastic that melted totally in nail polish remover.
    The fact that the plastic can be removed so easily along with a poor USB connector and keychain loop disproves YubiCo's claim that the YubiKey Neo is "virtually indestructible".

  4. Use mine 20+ times a day by Average · · Score: 3, Informative

    Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

    The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.