Yubikey Neo Teardown and Durability Review
An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructible. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.
Try Google.
I have one on my keyring. I know exactly what it is, and what it is used for.
In other words you have prior information that makes sense out of the word salad that passes for summaries these days.
The rest of us just look at the summary and go WTF?!?!?!?
And yes, I have heard of that Google thing, but one of the prime tenets of good communication is to not make your audience go elsewhere for fundamental information. Because sooner or later they will be going to other sources for all of their information and will be by-passing you completely.
I am Slashdot. Are you Slashdot as well?
From TFA: For those interested, FIPS140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function and Level 2 means that physical design is tamper-evident.
He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyone's grandma's phone calls. =)
It's a USB/NFC multi-factor authentication token.
It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.
Yubico is a company that makes budget security tokens, with the YubiKey Neo being their "top of the line" at a price of 50 USD.
One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.
Many manufacturers achieve this by "potting" the circuit board (coating it entirely in plastic rather than using a shell like most electronics) in some sort of difficult-to-remove, chemically resistant plastic.
The YubiKey Neo was potted in a plastic that melted totally in nail polish remover.
The fact that the plastic can be removed so easily, along with a poor USB connector and keychain loop, disproves Yubico's claim that the YubiKey Neo is "virtually indestructible".