Yubikey Replay Attack

On January 29th (2009) I found a flaw in the Yubico authentication server used by owners of the Yubikey. It allowed reuse of one-time passwords (OTPs) generated by a Yubikey during the same insertion.

Yubico responded quickly, fixed the bug, and released this statement: "The previous version (of the authentication server code) did not properly detect OTPs generated within that same session where the Yubikey remains inserted in the USB slot. If the Yubikey was removed and then reinserted again and a new OTP is generated (most common use case) then OTPs from previous session were invalidated correctly and detected as replay attacks. However, for OTPs that were generated while the key remained inserted then OTPs within that session could be replayed without detection until next removal and insertion of the Yubikey. The reason was that the Yubikey counter for “session use” was not checked by the server."

The bug was caused by the “session use” counter not being checked by the server. For firmware versions before 1.3.3, the validation server checked the timestamp instead of the session counter, but this check was dropped due to incompatibility with firmware 1.3.3. The bug is fixed in the Yubico validation server source code as of 2009-02-07.
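The missing check can be shown with a simplified model of the server-side counter comparison. This is an added example, not Yubico's validation server code; the field names `insert_counter` and `session_use`, the `Validator` class and the counter values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecodedOtp:
    """Counters from an already-decrypted OTP (field names are assumptions)."""
    insert_counter: int  # goes up each time the key is inserted
    session_use: int     # goes up for each OTP generated during one insertion


class Validator:
    """Keeps the highest counters accepted so far for each key."""

    def __init__(self, check_session_use: bool):
        # False models the flawed server, True models the fixed one.
        self.check_session_use = check_session_use
        self.last_seen: dict[str, DecodedOtp] = {}

    def validate(self, key_id: str, otp: DecodedOtp) -> bool:
        last = self.last_seen.get(key_id)
        if last is not None:
            if otp.insert_counter < last.insert_counter:
                return False  # OTP from an earlier insertion: replay
            if (self.check_session_use
                    and otp.insert_counter == last.insert_counter
                    and otp.session_use <= last.session_use):
                return False  # same insertion and not newer: replay
        # Only ever move the stored state forwards.
        if last is None or (otp.insert_counter, otp.session_use) > (
                last.insert_counter, last.session_use):
            self.last_seen[key_id] = otp
        return True


def replay_accepted(check_session_use: bool) -> bool:
    """Submit two OTPs from one insertion, then replay the first one."""
    v = Validator(check_session_use)
    first, second = DecodedOtp(7, 0), DecodedOtp(7, 1)  # constructed values
    assert v.validate("key-1", first) and v.validate("key-1", second)
    return v.validate("key-1", first)


if __name__ == "__main__":
    print("flawed server accepts replay:", replay_accepted(False))
    print("fixed server accepts replay: ", replay_accepted(True))
```

In both modes an OTP from an earlier insertion is rejected, which matches the behaviour Yubico describes for the common remove-and-reinsert case.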

This flaw would have allowed a man-in-the-middle (MITM) attacker to reuse an OTP after more than one was generated if the key was not reinserted. For example, if the user were to plug in the Yubikey and begin to log on to a group of SSH sessions without removing the key, the attacker could reuse the OTPs to log in to the servers or others the Yubikey was valid on, until the Yubikey was removed, reinserted and used again.

The only recommendation I have now that the bug has been fixed applies even if the bug had not been found. If you have any suspicion your Yubikey may have been "borrowed" and you are using it in OTP mode (not static password mode), use it immediately to invalidate generated OTPs.