Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:19 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Mon Dec 10, 2012 3:55 am 
Offline

Joined: Mon Dec 19, 2011 3:24 am
Posts: 9
Just out of curiosity - why is it that 2.2.3 is not able to be updated?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Dec 10, 2012 8:19 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello Medfordite,

The update feature is not available to prevent potential security threats.

Tom.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 11, 2012 10:49 pm 
Offline

Joined: Mon Dec 19, 2011 3:24 am
Posts: 9
Tom -

Specifically what would an update do to make security worse?

Wouldn't an update fix any security issues which may exist on 2.2.3? Or is this a key so secure that no update is needed as it would break whatever security is in there? (A sign of questionable programming or "If it ain't broke, don't fix it").

Surely, you have seen where 25GPU systems are cracking every day windows passwords (http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/), and people are no longer safe against 2-factor password authentication when given the right information. (http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering)

Sure, we have the API tools and can authenticate against our own rolled out radius server, or yours, and that would help with this, but let's consider that maybe some of the things you 'fixed' in newer firmware was not made available to older keys (in my case less than 1 year old of ownership), and let's just say someone built a fantastic front end for those who have the newer keys with an updated API taking advantage of newer features. (For example, some new firmware that calls home to Yuibco to authenticate, but also authenticates against user's radius server to ensure that the key is real and not emulated AND the server it is going to authenticate is legitimate and not spoofed by a hacker). When a user with an older key with outdated firmware tries to login - Then they cannot login because they don't have the extra 'call' in the firmware to authenticate, forcing the user to purchase a new key.

I really am trying not to be sarcastic about this or a jerk, but I never thought Yubico would just make a key, call it a risk to security if it was updated. Seems a bit odd to me.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 12, 2012 12:01 pm 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello again,

We do not release new firmware versions without a corresponding hardware change as well. The 2.3 firmware update was driven by changes to the YubiKey, and we took the opportunity to add new features we have been working on as well.

We are dedicated to providing a long-term 2 factor authentication solution - We want your YubiKey to remain useful for the full extent of it's lifetime. When we do release new firmware, we ensure the new YubiKey will function the same as with older versions, so there is no need to purchase new YubiKeys to ensure compatibly.

We understand your frustration of requiring a new purchase to access the new YubiKey Features. However, we feel that exposing the firmware in a manner that allows for upgrades represents a security risk which is at odds with our goal to provide trusted, security 2 factor authentication tokens at a reasonable price.

Without going anymore in dept, there are numerous security threts related to an upgradable hardware. To achieve a secure firmware upgrade in the YubiKey 2 more expensive hardware would be required.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 05, 2013 2:50 am 
Offline
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Just another clarification from the lower deck of the boiler room - the Yubikey is not flash based - it has factory programmed ROM (for cost reasons). Therefore, apart from several security concerns, remote firmware upgrade is impossible.

Best regards,

JakobE
Hardware- and firmware guy @ Yubico


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group