| 1 |
TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units |
| 2 |
that are not the same as the Nitrokey Start units vulnerable to hands-on |
| 3 |
key extraction attack. |
| 4 |
|
| 5 |
As a few people have asked about it: |
| 6 |
There was a production batch of "Nitrokey Start" units that did not have |
| 7 |
a read-protection bit configured, and thus were vulnerable to a key |
| 8 |
extraction attack: |
| 9 |
https://github.com/rot42/gnuk-extractor |
| 10 |
The issue was specific to a batch of hardware that was mis-programmed, |
| 11 |
and the issue is not present on newer Nitrokey Start units. |
| 12 |
https://github.com/Nitrokey/nitrokey-start-firmware/issues/14 |
| 13 |
|
| 14 |
The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units, |
| 15 |
which are supposedly not vulnerable to this issue (but I'd be happy for |
| 16 |
a hardware hacker to confirm this, I understand that the Pro2 has a |
| 17 |
seperate smartcard internally) |
| 18 |
|
| 19 |
If you already had an older Nitrokey Start unit, reviewing/updating the |
| 20 |
firmware is advised. |
| 21 |
|
| 22 |
-- |
| 23 |
Robin Hugh Johnson |
| 24 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 25 |
E-Mail : robbat2@g.o |
| 26 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 27 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives