Nitrokey Storage Got Great Results in a 3rd Party Security Audit

“Nitrokey is capable of functioning properly and securely”

“Nitrokey is capable of functioning properly and securely”: that is one of the final conclusions of an intense security review performed by security experts from the auditing company Cure53. A team of software security and hardware security experts under the lead of Dr.-Ing. Mario Heiderich analyzed the Nitrokey Storage hardware and firmware as well as the Nitrokey App over a period of eleven days. The security audit was generously sponsored by the Open Technology Fund, which we thank very much indeed! The final report can be downloaded here (firmware, hardware).

Update, 24.6.2016: Contrary to the statement in the report, an active security bit prevents any firmware update. As a consequence, the security bit is disabled by default and can be activated by the user. Note that activating it prevents all future firmware updates and cannot be undone! We will consider activating the bit by default when we are certain that no further update will be necessary.

“The Nitrokey has a lot of potential”

Cure53 performed a very detailed review of the Nitrokey Storage and states: “Nitrokey marks an interesting idea among the approaches thriving towards enhanced user-privacy, data security and tamper-safety. Contrary to the software-only products, Nitrokey is capable of functioning properly and securely even if the machine that the hardware is being used on is infected by Malware or suffers from comparable problems.”

When will Nitrokey Storage be available?

The good audit results from Cure53 are motivating feedback for our whole team and mark a significant milestone in the development process. From now on, development will focus on non-security areas such as stability of the USB interface, usability of the App and development of a new casing. Still, we need your support to grow our fantastic Nitrokey community and to be able to publish the Nitrokey Storage.

You may also be interested in reading "When will Nitrokey Storage be available?"



When will I be able to buy one online?

The devices can be purchased in our online shop.

Hello, can you please clarify the situation with the 3 critical (and perhaps also the 2 high) vulnerabilities listed in the Cure53 pentest report dated 8.2015? Have these been addressed already and if yes - in which models/versions? If not - what is the plan and how is the risk associated with these being managed? Thanks

Most issues contain a note at the end such as: "Note: This issue was fixed by the Nitrokey maintainers, the fix was verified by Cure53." Please check.

Yes, I checked, it is indeed the case. Thanks for a quick reply and it is good and reassuring to see that Nitrokey has managed to fix these issues. Regards

Hi, the report says that the vulnerabilities were fixed but it doesn't specify how. Can you specify how each vulnerability was fixed?

This would be a report of its own which we can't do just now. But you should be able to find related fixes in our source code repository. If you have specific questions about a particular issue, you can ask here.

Hello, for an open source project I would expect the full report to be published. Kind regards

Yes, it's published in this article; read "The final report can be downloaded here (firmware, hardware)" above.
