How Nitrokey's Firmware is Protected Against BadUSB and NSA

You may have heard about BadUSB, an attack on ordinary USB thumb drives. The attack exploits the fact that the firmware of ordinary USB devices may not be protected and can be reprogrammed (or “flashed”) without any protection. This allows an attacker to infect a USB device by flashing malicious firmware. This firmware executes its attack by behaving as an ordinary keyboard and gaining control of the computer by performing appropriate keystrokes. The malicious USB device could send files to the internet or infect the client machine by typing a malicious script (or “virus”) into a file. Such attacks can go undetected if the device behaves normally most of the time.

During the NSA leaks the public learned that the NSA intercepts parcels containing physical firewalls, laptops and other sensitive devices in order to program these with backdoored firmware or even to manipulate the hardware. The parcels were opened and closed carefully so that the modification would not be noticeable.

Such examples demonstrate the need to carefully protect Nitrokey’s firmware. Even before these revelations came to light we were aware of the potential risks and designed the Nitrokey accordingly. The fact that Nitrokey is completely open-source allows users to:

  • Verify the layout of the hardware
  • Verify the source code of the firmware
  • Compile and build the firmware
  • Flash their own firmware into the hardware

These protections are effective against BadUSB and against parcel interception by intelligence services. Additional protections depend on the particular Nitrokey model:

Nitrokey Pro’s and Nitrokey HSM’s firmware can only be reprogrammed by accessing the board (PCB) directly. It is impossible to flash the firmware just by connecting the device via USB. This is pretty secure but also has the disadvantage of preventing firmware updates. Because the complexity of Nitrokey Pro and HSM is limited, we think this is a feasible approach.

Nitrokey Storage allows firmware updates via USB. Given that this device is relatively complex, this enables us to roll out firmware updates containing bug fixes, improvements and even new features. However, updating the firmware requires entering a dedicated firmware PIN, which should be used on trusted computers only.

Nitrokey Storage also allows the entire firmware flash memory to be exported (without user data) into a file, which can then be compared against the official firmware releases published on the Nitrokey website. We plan to fill the empty memory space with random (but exported and verified) data in order to prevent malicious firmware from hiding there. This approach is pretty bullet-proof as long as the firmware doesn't hide in the mass storage (which is a MicroSD card and can be removed physically). The Nitrokey Storage can be preordered at our crowdfunding campaign page.

However, we may still look into enabling signed firmware updates in the future, which would be secure, more flexible and easier to use. This brings with it another challenge: we don't want to (and the chosen GPLv3 licence won't allow us to) restrict users from installing their own firmware on the Nitrokey hardware. Hence a mechanism for secure, signed firmware updates would need to be combined with a way of preserving users’ freedom to install their own firmware. The best-practice solution would be to require users to configure the signature key within the device; this key could be set either by Nitrokey or by the user. Nitrokey Start is based on GNUK, which already supports this kind of firmware update. In future we may implement this scheme for other Nitrokey models as well, but since our other models are already secure in this respect we consider it more of a “nice-to-have” feature with lower priority.

In summary, we think we are well prepared against BadUSB and similar threats.

5.9.2016

Comments

And what about crypto stick 1.2?

Crypto Stick 1.2 and Nitrokey Pro share the same approach.

Would it be possible to indicate a link where I can verify the firmware of the "Stick" or Nitrokey?
What happens if the key is effectively intercepted on transport? Do you reflash it in case?
Is there a howto about how I can export the 1.2 firmware in order to compare it to the original?
Thank you.

You can get the firmware of the Nitrokey Storage here.
An interception would need to be investigated. In such a case a simple firmware update may not be sufficient.
The firmware of Nitrokey Pro can't be exported and compared. If you refer to Crypto Stick 1.2 instead, this should be possible by using standard tools (e.g. ST Flash Loader Demonstrator).

Then, if I buy a new nitrokey pro, how can I control that the firmware is original, once it arrives at my desk? The very problem would be that an attacker has the capacity to flash. How would I control for its integrity when I receive it and how reliable is that control (nitrokey pro).
Thank you.

You could either flash the firmware yourself or source the Nitrokey through a trusted channel (e.g. meet us).

Will it be possible to install and run a live Linux system on the Nitrokey Storage and have access to the passwords and PGP keys on the stick? This would be great - everything on one stick: OS, data, and passwords/authenticatons.

Yes, absolutely. Your Linux would be stored on an unencrypted volume while your data can be on a separate encrypted volume.

In the future we may look into integrating it further so that only a boot-partition would be in cleartext and the majority of the system could be encrypted. Help by a good Linux hacker would be very welcome.

Very good! The idea with only the boot partition in cleartext would be fantastic. No one provides this so far, you would be the first and only!

I am not a Linux hacker, but why not try to cooperate with the guys from Jondos who seem to have deep linux knowledge: https://anonymous-proxy-servers.net/en/software_more.html. By the way, they reside in Regensburg and also are idealists. If they cannot help they at least might know someone who can. Or try the tails guys: https://tails.boum.org/

Final questions:
1) Do you plan to integrate U2F into the Nitrokey Storage?
2) When will the Nitrokey Storage be available?
3) How much will the Nitrokey Storage cost for the respective sizes?
4) What is your recommended backup strategy with the Nitrokey Storage? A second key (could get expensive) or also another approach?

Keep going!

One more aspect is that the (Linux) volume can be set to read-only which would stop malware from infecting the system.

We started working on an U2F implementation but it will take a few more months.

Nitrokey Storage can be preordered here and we plan its shipment on 2nd May 2016.

For backup you should definitely backup your encryption keys (for email, SSH etc.). For the data files we don't have a backup solution yet. PrivacyBox would be an ideal solution but it's not clear when it will be available.

So, if there is a bad firmware (for whatever reason), how can I be sure that the exported firmware from Nitrokey Storage is the one on the key, i.e., who/what controls the export of the memory?

And the same goes for reflashing: could a firmware be done in such a way that it would accept to be reflashed, but without reflashing (i.e., just reflash a copy, but still use a bad one for day-to-day operation)?

For Nitrokey Storage our plan is to build the firmware with a high optimization (high compression), fill all remaining flash storage with random but known data. The flash capacity is 256 KB so that the exported firmware will be 256 KB including the random data. The entire 256 KB blob would be compared to a known valid firmware image. Ideally the user would remove the MicroSD card before performing the export so that no storage is available to hide a malicious firmware. This way we make it much harder for a malicious firmware to hide itself.
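The verification step described in the post (export the full flash, compare it byte-for-byte against a published image) and in the reply above (fill the unused flash with random but known data so the whole 256 KB blob is comparable) can be checked on the host side with a small script. The following is an added example, not Nitrokey's own tooling or firmware; it constructs a stand-in firmware and a reproducible padding stream (a real reference image would come from the published release), lays them out in a 256 KB image, and reports any mismatching byte ranges in a dump together with whether they fall in the firmware or in the padding region. The function and variable names are assumptions made for this example.

```python
import hashlib
import random
from typing import Dict, List, Tuple

FLASH_SIZE = 256 * 1024  # 256 KB, the flash capacity stated in the reply above

# Constructed stand-in for a firmware binary (4 KB of recognisable bytes).
# A real check would read the firmware part of the published image instead.
CONSTRUCTED_FIRMWARE = bytes([0x00, 0x20, 0x01, 0x00]) + bytes(range(256)) * 16


def build_reference_image(firmware: bytes, pad_seed: int) -> bytes:
    """Lay firmware out at offset 0 and fill the rest of the flash with
    random but reproducible bytes.

    The seeded PRNG is a constructed stand-in for the 'random but known data'
    the reply describes; what matters for the check is only that the padding
    is known to the verifier, so the whole 256 KB blob has a single expected value.
    """
    if len(firmware) > FLASH_SIZE:
        raise ValueError("firmware larger than flash")
    rng = random.Random(pad_seed)
    padding = bytes(rng.getrandbits(8) for _ in range(FLASH_SIZE - len(firmware)))
    return firmware + padding


def mismatch_ranges(dump: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """Return half-open (start, end) ranges where dump and reference differ,
    over the common length of the two blobs."""
    if dump == reference:
        return []
    ranges: List[Tuple[int, int]] = []
    start = None
    n = min(len(dump), len(reference))
    for i in range(n):
        if dump[i] != reference[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def verify_dump(dump: bytes, reference: bytes, firmware_len: int) -> Dict[str, object]:
    """Compare an exported flash dump against the full reference image.

    Every mismatch is labelled 'firmware' or 'padding' so the reader can see
    that bytes hidden in the 'empty' flash are caught just like modified code.
    A dump of the wrong size fails immediately: a truncated export could omit
    exactly the region where something is hiding.
    """
    size_ok = len(dump) == len(reference) == FLASH_SIZE
    labelled = [
        (s, e, "firmware" if s < firmware_len else "padding")
        for s, e in mismatch_ranges(dump, reference)
    ]
    return {
        "size_ok": size_ok,
        "ok": size_ok and not labelled,
        "mismatches": labelled,
        "sha256_dump": hashlib.sha256(dump).hexdigest(),
        "sha256_reference": hashlib.sha256(reference).hexdigest(),
    }


if __name__ == "__main__":
    reference = build_reference_image(CONSTRUCTED_FIRMWARE, pad_seed=42)
    # A clean export matches the reference exactly.
    print(verify_dump(reference, reference, len(CONSTRUCTED_FIRMWARE))["ok"])
    # One byte changed deep inside the padding region is still detected.
    tampered = bytearray(reference)
    tampered[FLASH_SIZE - 100] ^= 0xFF
    print(verify_dump(bytes(tampered), reference, len(CONSTRUCTED_FIRMWARE))["mismatches"])
```

The point of hashing the whole blob as well as listing ranges is that the hash is what a user would compare against a published value, while the ranges tell a developer where to look when the hash disagrees. Note that this check only covers what the export path returns; it says nothing about a MicroSD card that was left in the device, which is why the reply recommends removing it first.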
