HEADS v2.5 and Nitrokey 3 Firmware v1.7.1 Security Update
We have released a security update for our NitroPad HEADS firmware images and the Nitrokey 3 firmware. This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device.
HEADS v2.5
HEADS v2.5 ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3). Please make sure to always update your Nitrokey 3 together with your HEADS firmware, as version v2.5 is not compatible with any Nitrokey 3 firmware older than v1.7.1.
These updates are available for all NitroPads so far. The NitroPC Pro HEADS version is not updated yet; this firmware update will also arrive soon.
Nitrokey 3 Firmware v1.7.1
To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence, but did not verify the user PIN, which was a less strict security policy than intended.
Please note that once you update to Nitrokey 3 firmware v1.7.1, you must also update to HEADS v2.5. The new Nitrokey 3 firmware is incompatible with older HEADS versions. All other combinations of HEADS and Nitrokey 3 firmware versions are compatible.
By updating to HEADS v2.5 and Nitrokey 3 firmware v1.7.1, the full security requirements for re-creating HOTP secrets are now enforced as originally designed: both User Verification and User Presence are mandatory.
We recommend that all users of HEADS update to these latest versions as soon as possible. Follow the update instructions for Nitrokey 3 and HEADS. If you are using Qubes OS, this workaround might be needed. As always, feel free to contact us if you have any questions or issues.