HEADS v2.5 and Nitrokey 3 Firmware v1.7.1 Security Update

We have released a security update for our NitroPad HEADS firmware images and the Nitrokey 3 firmware. This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device.

HEADS v2.5

HEADS v2.5 ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3). Please make sure to always update your Nitrokey 3 together with your HEADS firmware, since HEADS v2.5 is not compatible with any Nitrokey 3 firmware older than v1.7.1.

These updates are available for all NitroPads so far. The NitroPC Pro HEADS version is not updated yet; its firmware update will also arrive soon.

Nitrokey 3 Firmware v1.7.1

To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence, but did not verify the user PIN, which was a less strict security policy than intended.

Please note that once you update to Nitrokey 3 firmware v1.7.1, you must also update to HEADS v2.5. The new Nitrokey 3 firmware is incompatible with older HEADS versions. All other combinations of HEADS and Nitrokey 3 firmware versions are compatible.

By updating to HEADS v2.5 and Nitrokey 3 firmware v1.7.1, the full security requirements for re-creating HOTP secrets are enforced as originally designed: both User Verification and User Presence are mandatory.

We recommend that all HEADS users update to these latest versions as soon as possible. Follow the update instructions for Nitrokey 3 and HEADS. If you are using Qubes OS, this workaround might be needed. As always, feel free to contact us if you have any questions or issues.

5.6.2024

Comments

Any reason for non-HEADS users to install 1.7.1?
Nope, there is no application/use-case we are aware of that is affected by this change other than HEADS. But v1.7.2 is already around the corner.
I was unable to use the Qubes workaround to reboot the NK3 in bootloader mode. After issuing the command and touching the key the system did not register a change and still showed the key attached to the AppVM. Attempting to detach and reattach to either sys-usb or the AppVM results in a brief error message. The nitropy command also cannot see the key and throws some sort of API error.
Depending on the versions of various components inside QubesOS, this might take multiple tries to work. The great people at QubesOS have also done a fix for this re-connection issue; you can find the issue here: https://github.com/QubesOS/qubes-issues/issues/8953. At the end you can find instructions on how to update the affected components. We are also working on a solution based on our NitrokeyApp2 so that Nitrokey 3 updates will work more smoothly in the future inside QubesOS.