1 |
TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units |
2 |
that are not the same as the Nitrokey Start units vulnerable to hands-on |
3 |
key extraction attack. |
4 |
|
5 |
As a few people have asked about it: |
6 |
There was a production batch of "Nitrokey Start" units that did not have |
7 |
a read-protection bit configured, and thus were vulnerable to a key |
8 |
extraction attack: |
9 |
https://github.com/rot42/gnuk-extractor |
10 |
The issue was specific to a batch of hardware that was mis-programmed, |
11 |
and the issue is not present on newer Nitrokey Start units. |
12 |
https://github.com/Nitrokey/nitrokey-start-firmware/issues/14 |
13 |
|
14 |
The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units, |
15 |
which are supposedly not vulnerable to this issue (but I'd be happy for |
16 |
a hardware hacker to confirm this, I understand that the Pro2 has a |
17 |
seperate smartcard internally) |
18 |
|
19 |
If you already had an older Nitrokey Start unit, reviewing/updating the |
20 |
firmware is advised. |
21 |
|
22 |
-- |
23 |
Robin Hugh Johnson |
24 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
25 |
E-Mail : robbat2@g.o |
26 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
27 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |