Security Update for Nitrokey Storage
Under certain circumstances the Nitrokey Storage could use an empty AES key to encrypt the mass storage and Password Safe, allowing an attacker to decrypt the encrypted data. As a precaution, all Nitrokey Storage devices should be updated to firmware 0.51 or higher, which prevents unlocking with a zero AES key. Nitrokey Storage with firmware 0.51 or higher and other Nitrokey models are not affected. Check your installed firmware version first and, if necessary, follow these instructions. Note: We provide a new easy-to-use update tool.
By default Nitrokey Storage encrypts data properly and securely. This issue could appear if the smart card of a Nitrokey Storage with firmware 0.50 or below had been factory-reset with GnuPG or another separate tool, without executing "Destroy encrypted data" in the Nitrokey App afterwards. In this case 0x00.. may be used as a key to encrypt data, allowing an attacker to decrypt it easily.
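One way a firmware can refuse to unlock with a zero AES key, as described for firmware 0.51 above. This is an added example, not Nitrokey firmware code; the function names, status codes and the 32-byte key length are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VOLUME_KEY_LEN 32 /* assumption: 256-bit AES key */

/* Hypothetical status codes, not the device's real ones. */
enum unlock_status { UNLOCK_OK = 0, UNLOCK_BAD_ARG = 1, UNLOCK_ZERO_KEY = 2 };

/* Returns 1 if every byte of key is 0x00, else 0. All bytes are ORed
 * together with no early exit, so the loop always covers the full key. */
static int key_is_all_zero(const uint8_t *key, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= key[i];
    return acc == 0;
}

/* Hypothetical unlock gate: the key read from the smart card is copied into
 * the slot used for volume encryption only if it has the expected length and
 * is not the degenerate all-zero key. On refusal, slot is left untouched. */
static enum unlock_status load_volume_key(const uint8_t *card_key, size_t len,
                                          uint8_t *slot)
{
    if (card_key == NULL || slot == NULL || len != VOLUME_KEY_LEN)
        return UNLOCK_BAD_ARG;
    if (key_is_all_zero(card_key, len))
        return UNLOCK_ZERO_KEY; /* e.g. card was reset, key never regenerated */
    memcpy(slot, card_key, VOLUME_KEY_LEN);
    return UNLOCK_OK;
}

int main(void)
{
    /* Constructed sample inputs: an uninitialised (all-zero) key and a
     * key with at least one non-zero byte. */
    uint8_t zero_key[VOLUME_KEY_LEN] = {0};
    uint8_t real_key[VOLUME_KEY_LEN] = {0x3c, 0x91, 0x07};
    uint8_t slot[VOLUME_KEY_LEN];

    printf("zero key -> status %d\n",
           load_volume_key(zero_key, sizeof zero_key, slot));
    printf("real key -> status %d\n",
           load_volume_key(real_key, sizeof real_key, slot));
    return 0;
}
```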
After you have updated the firmware, use the Nitrokey App to unlock your encrypted volume or the Password Safe. If this works, your device hasn't been affected. Nevertheless, if you previously reset the User and Admin PINs with GnuPG's factory-reset or a dedicated reset script, you may want to overwrite the mass storage data to clear any sensitive data potentially left unencrypted. In this case follow the instructions below. If you didn't use GnuPG or a separate script to reset both User and Admin PINs, or you entered your Admin PIN to unlock the User PIN, your device is secure and you don't have to do anything else.
After updating the firmware: If the Nitrokey App rejects unlocking attempts with "Could not enable encrypted volume. Status Code: -1" or "Password Safe.can't unlock.", your device has been affected and you should execute the following steps in this order:
- Start Nitrokey App in admin mode: "nitrokey-app --admin"
- Select "Configure -> Destroy encrypted data" to set your device in a secure state.
- Select "Configure -> Special Configure -> Initialize storage with random data" to ensure no insecure data is left on the mass storage. Depending on your device's storage capacity, this can take between 1/2 and 2 hours.
We would like to thank the user who found the bug and responsibly disclosed it to us. We do not have a formal bug-bounty program established, but rewarded his contribution with a cost-free device of his choice.