Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yubikey Neo Teardown and Durability Review

Posted by timothy on from the do-not-place-in-any-mailbox dept.

An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructable. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.

14 of 88 comments (clear)

  1. Okay, what is it? by TWX · · Score: 4, Insightful

    The branding, "Yubikey Neo," means nothing to me. Sounds like an Asian version of the main character from The Matrix.

    --
    Do not look into laser with remaining eye.
    1. Re:Okay, what is it? by OzPeter · · Score: 5, Insightful

      Try Google.

      I have one on my keyring. I know exactly what it is, and what it is used for.

      In other words you have prior information that makes sense out of the word salad that passes for summaries these days.

      The rest of use just look at the summary and go WTF?!?!?!?

      And yes, I have heard of that Google thing, but one of the prime tenets of good communication is to not make your audience go elsewhere for fundamental information. Because sooner or later they will be going to other sources for all of their information and will be by-passing you completely.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Okay, what is it? by ZombieDonut · · Score: 3, Funny

      Haha, I thought the same thing, "They're certainly talking about something... something that... uhhh... apparently is made like crap?" I would've claimed this to be corporate shill, but the article isn't flattering, and this would be the worst advertisement ever. I get more information from late night drug commercials than this.

    3. Re:Okay, what is it? by antiperimetaparalogo · · Score: 4, Insightful

      Line 1 from The Fine Article linked in summary: "Yubikey Neo is a $50 authentication token (with bells and whistles) from Yubico."

      And the whole Slashdot summary: "An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructable. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending."

      Now imagine the Slashdot summary with something like the "Line 1 from The Fine Article linked in summary" that explains what the linked article is about...

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
    4. Re:Okay, what is it? by OzPeter · · Score: 4, Interesting

      Agh, wtf is a salad?

      Apparently you need some help with understanding something. So here is a helpful link: Word salad

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re:Okay, what is it? by Echo_Hotel · · Score: 5, Informative

      It's a USB/NFC multi-factor authentication token.
      It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.
      YubiCo is a company that makes budget security tokens with the YubiKey Neo being their "top of the line" at a price of 50usd
      One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.
      Many manufacturers achieve this by "potting" the circuit board (coating it entirely in plastic rather than using a shell like most electronics) in some sort of difficult to remove chemically resistant plastic.
      The YubiKey Neo was potted in a plastic that melted totally in nail polish remover
      The fact that the plastic can be removed so easily along with a poor USB connector and keychain loop disprove YubiCo's claim that the YubiKey Neo is "virtually indestructible".

  2. Pretty durable in my real-world use. by hawkeyeMI · · Score: 3, Interesting

    I have one that I've carried and abused daily for years, still working, though I think it's getting close to needing a replacement. My biggest problem, because I wear it on a necklace chain, is that it's been getting sweat on the contacts which eventually have gunked up and corroded. I was able to scrape it off with a knife, but that scraped off the gold plating and exposed the copper underneath, which is of course corroding much worse. I've got the private key locked away here somewhere so I can flash one of my spares and be up and running quickly, or I can just add the new key to the places I use it before it croaks. I've had more problems with USB ports getting worn out.

    --
    Error 404 - Sig Not Found
    1. Re:Pretty durable in my real-world use. by pz · · Score: 4, Interesting

      You might try using a pencil eraser next time instead of a knife. Wiping vigorously with an alcohol-saturated paper towel first (and really, any easily obtainable alcohol, whether vodka, rubbing alcohol, etc.) helps, too.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  3. Re:Stupid question: how do you use it? by wonkey_monkey · · Score: 3, Funny

    So you plug the device into an SSH port

    Are you from TRON?

    --
    systemd is Roko's Basilisk.
  4. And nothing of value was lost. by Hognoxious · · Score: 4, Insightful

    Wrong. On Slashdot we never read the article. We barely even scan the summary.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Re:Stupid question: how do you use it? by qwijibo · · Score: 3, Interesting

    It's a second factor in two factor authentication (2FA) for applications that support it.

    The one I find to justify it entirely is LastPass. All of the random sites on the internet that need credentials can have automatically generated passwords that are stored encrypted and I never have to remember them. I just have to remember the LastPass password and have the Yubikey setup with my account. The Yubikey integration requires a LastPass Premium subscription.

    Of course, nowadays you can use google authenticator without having a piece of custom hardware or paying for LastPass Premium. But I don't mind supporting good companies with useful products.

  6. A two factor device by Sycraft-fu · · Score: 4, Informative

    I know, only because where I work is using them. Idea is it is a general two factor token. Can be programmed by the end user or their org. Also in theory a lot of companies could all use their platform and you have one two factor device for everything but in reality you use it for whatever your company does and nothing else.

    Once programmed it acts like a HID class keyboard. You push the button, it spits out a string of characters, that being the two factor code for your account at the time.

  7. Tamper evident by qwijibo · · Score: 5, Interesting

    From TFA: For those interested, FIPS140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function and Level 2 means that physical design is tamper-evident.

    He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyones grandmas phone calls. =)

  8. Use mine 20+ times a day by Average · · Score: 3, Informative

    Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

    The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.