
ROCA: Return Of the Coppersmith Attack


Posted Nov 14, 2017 20:18 UTC (Tue) by smoogen (subscriber, #97)
Parent article: ROCA: Return Of the Coppersmith Attack

> For example, Yubico forbids firmware changes to the Yubikey 4.

I do not understand that wording. If the firmware can't be 'touched' by outside forces without physically altering the key... that isn't forbidding in the general English sense as much as "working as designed". Forbidding is normally used for "Yubico could change the firmware but it refuses to allow anyone to do so".



ROCA: Return Of the Coppersmith Attack

Posted Nov 14, 2017 20:27 UTC (Tue) by coolhandluke (guest, #114151)

Older YubiKeys could, indeed, be upgraded by the user.

Yubico removed that ability (in the name of security). They also moved to closed source applets -- for OpenPGP, at least. I'd guess that *they* have the ability to upgrade the firmware if they wanted to but, yes, they have "forbidden" end users from doing so.

ROCA: Return Of the Coppersmith Attack

Posted Nov 14, 2017 20:54 UTC (Tue) by smoogen (subscriber, #97)

I only have generations 1, 2, 3 of YubiKeys and none of them seem to be able to alter the firmware. They can alter certain aspects of storage on the key but not the 'software' which generates the one-time codes or the tools which deal with GPG keys and such. Those seem to be only accessible if I cut open the key and hardware hack.

The closed source applets I don't have much say on... I never used the keys for OpenPGP but just for different types of OTP.


Copyright © 2025, Eklektix, Inc.