Security Update for Nitrokey Storage

Under certain circumstances the Nitrokey Storage could use an empty AES key to encrypt the mass storage and Password Safe, allowing an attacker to decrypt the encrypted data. As a precaution all Nitrokey Storage should be updated to firmware 0.51 or higher which prevents unlocking with a zero AES key. Nitrokey Storage with firmware 0.51 or higher and other Nitrokey models are not affected. Check your installed firmware version first and in case follow these instructions. Note: We provide a new easy-to use update tool.

By default Nitrokey Storage encrypts data properly and securely. This issue could appear if the smart card of a Nitrokey Storage with firmware 0.50 or below had been factory-reset with GnuPG or another separate tool, without executing "Destroy encrypted data" in the Nitrokey App afterwards. In this case 0x00.. may be used as a key to encrypt data, allowing an attacker to decrypt it easily.

After you updated the firmware, use the Nitrokey App to unlock your encrypted volume or the Password Safe. If this works your device hasn't been affected. Nevertheless, if you did reset User and Admin PINs before with GnuPG's factory-reset or a dedicated reset script, you may want to overwrite the mass storage data to clear any sensitive data potentially left unencrypted. In this case follow the instructions below. If you didn't use GnuPG or a separate script to reset both User and Admin PINs or you entered your Admin PIN to unlock the User PIN, your device is secure and you don't have to do anything else.

After updating the firmware: In case the Nitrokey App rejects unlocking attempts with "Could not enable encrypted volume. Status Code: -1" or "Password Safe.can't unlock.", your device has been affected and you should execute the following steps in this order:

  1. Start Nitrokey App in admin mode: "nitrokey-app --admin"
  2. Select “Configure -> Destroy encrypted data" to set your device in a secure state.
  3. Select "Configure -> Special Configure -> Initialize storage with random data" to ensure no insecure data is left on the mass storage. Depending on your device's storage capacity, this can take between 1/2 to 2 hours.

We would like to thank the user, who found the bug and responsibly disclosed it to us. We do not have a formal bug-bounty program established, but rewarded his contribution with a cost-free device of his choice.

23.10.2019

Comments

Submitted by JanW on 26. February 2019 - 11:47
Do I understand correctly that the suggested steps erase all data from the device? In that case I am surprised you publish instructions saying "do this", without warning about the data loss or recommending to back up data? Having no data (anymore) is obviously the best way to keep it secure from disclosure to third parties, but is that what non-technical users following these instructions to secure their data had in mind?
Submitted by Jan Suhr on 26. February 2019 - 12:24
The referenced instructions to update the firmware contain a large bold "WARNING: You should backup all data from the device before upgrading, as firmware upgrades may destroy all data on the device".

Add new comment

Fill in the blank.