Yubikey Neo Teardown and Durability Review

An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructible. Do not push on it when you touch the sensor while the key is plugged into a USB port. The point where it bends the most happens to be the point where the USB vias are located and through which the NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.


  1. Okay, what is it? by TWX · · Score: 4, Insightful

    The branding, "Yubikey Neo," means nothing to me. Sounds like an Asian version of the main character from The Matrix.

    --
    Do not look into laser with remaining eye.
    1. Re:Okay, what is it? by DrunkenTerror · · Score: 2

      "Yubikey?" No, I walkie. She drovie.

    2. Re:Okay, what is it? by jellomizer · · Score: 2

      Exactly. Even on a site for Computer Geeks and Nerds, it is silly to think we know of every newfangled device that is released, and their particular marketing claims of the day.
      Since the poster is contracted by the company, it probably means he is engulfed in the sales and marketing of the company, which makes him believe that this is a really popular product, while it just covers a small niche.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Okay, what is it? by OzPeter · · Score: 5, Insightful

      Try Google.

      I have one on my keyring. I know exactly what it is, and what it is used for.

      In other words you have prior information that makes sense out of the word salad that passes for summaries these days.

      The rest of us just look at the summary and go WTF?!?!?!?

      And yes, I have heard of that Google thing, but one of the prime tenets of good communication is to not make your audience go elsewhere for fundamental information. Because sooner or later they will be going to other sources for all of their information and will be bypassing you completely.

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:Okay, what is it? by ZombieDonut · · Score: 3, Funny

      Haha, I thought the same thing, "They're certainly talking about something... something that... uhhh... apparently is made like crap?" I would've claimed this to be corporate shill, but the article isn't flattering, and this would be the worst advertisement ever. I get more information from late night drug commercials than this.

    5. Re:Okay, what is it? by antiperimetaparalogo · · Score: 4, Insightful

      Line 1 from The Fine Article linked in summary: "Yubikey Neo is a $50 authentication token (with bells and whistles) from Yubico."

      And the whole Slashdot summary: "An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructible. Do not push on it when you touch the sensor while the key is plugged into a USB port. The point where it bends the most happens to be the point where the USB vias are located and through which the NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending."

      Now imagine the Slashdot summary with something like the "Line 1 from The Fine Article linked in summary" that explains what the linked article is about...

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, I am (slightly...) better with my Greek!
    6. Re:Okay, what is it? by OzPeter · · Score: 4, Interesting

      Agh, wtf is a salad?

      Apparently you need some help with understanding something. So here is a helpful link: Word salad

      --
      I am Slashdot. Are you Slashdot as well?
    7. Re:Okay, what is it? by Ryyuajnin · · Score: 2

      The Yubikey can serve as a One-Time Password (OTP) token, Universal Second Factor (U2F) authentication, etc. I primarily use it for the U2F, which is similar to an RSA Token, but it conveniently eliminates token expiration anxiety, and errors frequently caused by chronic butterfingers. I just jam it into a USB port, it gets recognized as a keyboard, I press the little light on the top, and boom!

      The NEO is similar to the standard blue Yubikey, additionally supporting NFC for some protocols. Unfortunately, U2F is NOT supported through the embedded NFC chip. https://www.yubico.com/product...

      When I bought mine, I was hoping to use it as a physical password on my smartphone, simply swiping across the back side, as available with the OTP protocol. I later found out that I would be forced to use the USB on everything, and have yet to find any use for the NFC with U2F. (my fault for not reading the documentation more thoroughly, as they clearly state: "...current U2F standards do not support NFC for mobile devices.")

      Long story short, if you only need the U2F, don't bother with the NEO; just get the cheaper FIDO U2F SPECIAL SECURITY KEY https://www.yubico.com/product...
      As far as durability, it's survived me for about a year now, and I'm not known for being gentle.

    8. Re:Okay, what is it? by Echo_Hotel · · Score: 5, Informative

      It's a USB/NFC multi-factor authentication token.
      It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.
      YubiCo is a company that makes budget security tokens, with the YubiKey Neo being their "top of the line" at a price of 50 USD.
      One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.
      Many manufacturers achieve this by "potting" the circuit board (coating it entirely in plastic rather than using a shell like most electronics) in some sort of difficult to remove, chemically resistant plastic.
      The YubiKey Neo was potted in a plastic that melted totally in nail polish remover.
      The fact that the plastic can be removed so easily, along with a poor USB connector and keychain loop, disproves YubiCo's claim that the YubiKey Neo is "virtually indestructible".

    9. Re:Okay, what is it? by ArsenneLupin · · Score: 2

      It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.

      Actually, it supplies the password. When you plug it into a USB port, it acts as a keyboard, and "types" a one-time password as soon as you touch its button.

      One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.

      Huh? How does being connected to a computer guarantee that it is tamper proof? Or is that the other way round?

      The YubiKey Neo was potted in a plastic that melted totally in nail polish remover
      The fact that the plastic can be removed so easily

      Actually, methinks the issue here is poor word choice. Yubi should have touted their product as "tamper evident" rather than "tamper proof".

      For its main application, tamper evident is enough. If some ill intentioned third party wanted to read the seed from the Yubikey's chip, they can, but it will be very obvious to the owner that this has been done (casing is gone), and so the owner can have his key blacklisted by his provider (making the seed worthless for the attacker).

      Oh, and if you're worried about a "fast" attacker that uses the pilfered credentials immediately, rather than sleeping on them for a while: he can achieve this much more easily by just stealing the yubikey, and using it normally, rather than bothering to dissolve its casing first.

      along with a poor USB connector and keychain loop disprove YubiCo's claim that the YubiKey Neo is "virtually indestructible".

      Good point on that one. Accidental destruction (causing hassle, but not a security issue) is indeed a real concern with the device.

  2. Pretty durable in my real-world use. by hawkeyeMI · · Score: 3, Interesting

    I have one that I've carried and abused daily for years, still working, though I think it's getting close to needing a replacement. My biggest problem, because I wear it on a necklace chain, is that it's been getting sweat on the contacts which eventually have gunked up and corroded. I was able to scrape it off with a knife, but that scraped off the gold plating and exposed the copper underneath, which is of course corroding much worse. I've got the private key locked away here somewhere so I can flash one of my spares and be up and running quickly, or I can just add the new key to the places I use it before it croaks. I've had more problems with USB ports getting worn out.

    --
    Error 404 - Sig Not Found
    1. Re:Pretty durable in my real-world use. by pz · · Score: 4, Interesting

      You might try using a pencil eraser next time instead of a knife. Wiping vigorously with an alcohol-saturated paper towel first (and really, any easily obtainable alcohol, whether vodka, rubbing alcohol, etc.) helps, too.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  3. Stupid question: how do you use it? by bradley13 · · Score: 2

    The purpose of the thing is clear enough, but how exactly do you use it? The website implies that it only works with applications that know about it, but that would seem to limit its usefulness a lot. Still, the information on the manufacturer's site is anything but clear.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Stupid question: how do you use it? by wonkey_monkey · · Score: 3, Funny

      So you plug the device into an SSH port

      Are you from TRON?

      --
      systemd is Roko's Basilisk.
    2. Re:Stupid question: how do you use it? by qwijibo · · Score: 3, Interesting

      It's a second factor in two factor authentication (2FA) for applications that support it.

      The one I find to justify it entirely is LastPass. All of the random sites on the internet that need credentials can have automatically generated passwords that are stored encrypted and I never have to remember them. I just have to remember the LastPass password and have the Yubikey set up with my account. The Yubikey integration requires a LastPass Premium subscription.

      Of course, nowadays you can use google authenticator without having a piece of custom hardware or paying for LastPass Premium. But I don't mind supporting good companies with useful products.

  4. And nothing of value was lost. by Hognoxious · · Score: 4, Insightful

    Wrong. On Slashdot we never read the article. We barely even scan the summary.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:And nothing of value was lost. by Anonymous Coward · · Score: 2, Insightful

      Wrong.

      Incorrect. On Slashdot, we don't even fully read the comments. All I know is that I'm right, and you're attacking someone's opinion, maybe mine, maybe even yours, it doesn't matter. All that matters is that you said "wrong" and now we are arguing. You'll never change your mind, nor I mine. The readers though, and those rare but precious bestowers of mod points, those are the opinions to change.

      Were you or I part of a shill argument whereby two extreme views are argued while a third shill shifts the Hegelian dialectic via offering a more reasonable yet propaganda supporting middle ground, then I wouldn't even need to read your comment at all.

      That, my adversary, is Slashdot. It's not pretty, but it's the one I go home with, and so do you, because we all know that slut loves attention more than any one of us.

  5. Re:Durability concerns valid, but... Tampering? by Rich0 · · Score: 2

    Not sure what benefit "tampering" would provide. Why would you have to take it apart to extract its secrets, when you can just: steal the person's smartphone/computer and the yubikey, and use them in tandem to authenticate yourself as the user to whatever services they have locked behind it? You can use the Yubikey all by itself, assuming you have exclusive physical access to the device, to make it serve its purpose for you, the attacker.

    Sure, but you can ONLY use it while it is under your control if the embedded keys cannot be extracted.

    If they can, then you can duplicate the key and return the original, perhaps undetected. That gives you the ability to retain access to whatever was secured.

    There is definitely value in tamper-resistant key vaults.

  6. A two factor device by Sycraft-fu · · Score: 4, Informative

    I know, only because where I work is using them. The idea is it is a general two factor token. It can be programmed by the end user or their org. Also, in theory a lot of companies could all use their platform and you would have one two factor device for everything, but in reality you use it for whatever your company does and nothing else.

    Once programmed it acts like a HID class keyboard. You push the button, it spits out a string of characters, that being the two factor code for your account at the time.

    1. Re:A two factor device by TWX · · Score: 2

      Simply adding a hint of what you posted would have made the article summary work a whole lot better.

      --
      Do not look into laser with remaining eye.
    2. Re:A two factor device by rthille · · Score: 2

      I don't use it for the Yubikey auth stuff, I use it for my PGP/GPG key. My key was generated on the device, and can never leave it (firmware bugs aside), so I feel it's more secure than one where the private bit of the key is on a computer.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  7. Tamper evident by qwijibo · · Score: 5, Interesting

    From TFA: For those interested, FIPS140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function and Level 2 means that physical design is tamper-evident.

    He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyone's grandma's phone calls. =)

  8. Re:epoxy? by FranTaylor · · Score: 2

    RTFM! it IS potted in epoxy. Guess what? Nasty solvents will dissolve epoxy!

  9. Who is using this? by Hrrrg · · Score: 2

    I bought a couple of these keys a few years ago - they are still sitting around in a drawer somewhere. I wasn't too worried about the durability - it seems fine. When I tried it, my issues with it were:

    1) Very few websites supported it, and those that did made it a pain to set up. Looking at their website, it is supported by gmail, lastpass, dropbox, evernote. I suppose there is a complete list of supported websites and I'm too lazy to go look for it. Any banks support this?
    2) Using it on Linux required installing additional software
    3) Too expensive - $18 - $50 each. That's fine if I only needed one, but if I have to buy a few in case I lose or break one, then buy a few for the wife and the kid, and then it is only supported by a few websites... Well, not worth it for me.
    4) The website is hard to read - written more for IT people than for the lay person. FIDO? OATH-TOTP? I've got no idea what they are talking about on most of their website. The "For Individuals" page is easy to read, but light on details and as soon as you leave it, you are in deep water. Also, can you get duplicate keys in case you lose one? I could never figure out this question from the website. Some sites like gmail allow you to associate more than one key. If there is a list of supported applications and websites, does it also state whether they allow a backup key? If Yubico wants me to buy and use this thing, it needs to do the research for me and tell me exactly how and why I would want to use it. Something like this hypothetical example*:

    1) Buy a Yubikey Neo to use wirelessly with your phone. Keep it on your keychain. Use it to access Lastpass on your phone.
    2) Buy a Yubikey Standard for each computer at home and keep it plugged in. Associate it with the same Lastpass account as in #1 - for convenient use on your home computer and as a backup for the one on the keychain.
    3) Associate the home Yubikeys with every family member's Lastpass account so that the whole family could share them.

    *No idea if this scenario is possible. Anyone? How would you use it with an iPad or iPhone? (do the latest ones have NFC yet?)

  10. Re:epoxy? by fuzzyfuzzyfungus · · Score: 2

    Whatever they encased it in was on the seriously lightweight side. 30 minutes in acetone and the case dissolved right off, leaving the PCB and all the ICs and passives in pristine condition. That's not 'tampering', that's 'cleaning'; and the device appears to have rolled over and wagged its tail by way of resistance.

    If you are serious, you at least use the same stuff that the ICs are packaged in, which tends toward the 'black as sin and harder to remove' school of adhesives. Hot nitric acid will usually do the job; but you need to know what you are doing if you don't want it to remove the contents of the package at least as enthusiastically as it removes the package; since destroying the contents defeats the purpose of the exercise.

  11. Use mine 20+ times a day by Average · · Score: 3, Informative

    Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

    The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.