Yubico Forum
https://forum.yubico.com/

2.2.3 No love for an update
https://forum.yubico.com/viewtopic.php?f=16&t=887
Page 1 of 1

Author:  medfordite [ Mon Dec 10, 2012 3:55 am ]
Post subject:  2.2.3 No love for an update

Just out of curiosity - why is it that 2.2.3 is not able to be updated?

Author:  Tom [ Mon Dec 10, 2012 8:19 am ]
Post subject:  Re: 2.2.3 No love for an update

Hello Medfordite,

The update feature is not available to prevent potential security threats.

Tom.

Author:  medfordite [ Tue Dec 11, 2012 10:49 pm ]
Post subject:  Re: 2.2.3 No love for an update

Tom -

Specifically what would an update do to make security worse?

Wouldn't an update fix any security issues which may exist on 2.2.3? Or is this a key so secure that no update is needed as it would break whatever security is in there? (A sign of questionable programming or "If it ain't broke, don't fix it").

Surely, you have seen where 25-GPU systems are cracking everyday Windows passwords (http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/), and people are no longer safe against 2-factor password authentication when given the right information. (http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering)

Sure, we have the API tools and can authenticate against our own rolled-out RADIUS server, or yours, and that would help with this, but let's consider that maybe some of the things you 'fixed' in newer firmware were not made available to older keys (in my case less than 1 year old of ownership), and let's just say someone built a fantastic front end for those who have the newer keys with an updated API taking advantage of newer features. (For example, some new firmware that calls home to Yubico to authenticate, but also authenticates against the user's RADIUS server to ensure that the key is real and not emulated AND the server it is going to authenticate against is legitimate and not spoofed by a hacker). When a user with an older key with outdated firmware tries to log in, they cannot log in because they don't have the extra 'call' in the firmware to authenticate, forcing the user to purchase a new key.

I really am trying not to be sarcastic about this or a jerk, but I never thought Yubico would just make a key and call it a risk to security if it was updated. Seems a bit odd to me.

Author:  Tom [ Wed Dec 12, 2012 12:01 pm ]
Post subject:  Re: 2.2.3 No love for an update

Hello again,

We do not release new firmware versions without a corresponding hardware change as well. The 2.3 firmware update was driven by changes to the YubiKey, and we took the opportunity to add new features we have been working on as well.

We are dedicated to providing a long-term 2-factor authentication solution. We want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure the new YubiKey will function the same as the older versions, so there is no need to purchase new YubiKeys to ensure compatibility.

We understand your frustration at requiring a new purchase to access the new YubiKey features. However, we feel that exposing the firmware in a manner that allows for upgrades represents a security risk which is at odds with our goal to provide trusted, secure 2-factor authentication tokens at a reasonable price.

Without going any more in depth, there are numerous security threats related to upgradable hardware. To achieve a secure firmware upgrade in the YubiKey 2, more expensive hardware would be required.

Author:  Jakob [ Tue Feb 05, 2013 2:50 am ]
Post subject:  Re: 2.2.3 No love for an update

Just another clarification from the lower deck of the boiler room: the YubiKey is not flash based; it has factory-programmed ROM (for cost reasons). Therefore, apart from several security concerns, remote firmware upgrade is impossible.

Best regards,

JakobE
Hardware and firmware guy @ Yubico
