@roycewilliams
Last active September 6, 2024 12:39
Nitrokey infineon response message - September 2024

(reproduced from an email I received 2025-09-06 1:03AM AKT)

(Nitrokey Logo)

Nitrokeys Offer Investment Security Without Infineon's Security Vulnerability

Recently, a significant security vulnerability in Infineon security chips was made public. Nitrokeys do not contain Infineon chips and are therefore not affected by this security vulnerability! Nevertheless, this incident holds interesting lessons for Nitrokey and our customers. In a nutshell: Security certifications are overrated and open source offers advantages over them. Nitrokeys offer a high level of investment security thanks to firmware updates. More on this below.

What has happened?

The affected chips are used in many smart cards and small devices such as FIDO security keys from different manufacturers. The YSA-2024-03 vulnerability allows cryptographic keys to be read from the chip and thus completely breaks the security expected from the hardware. For example, a digital clone of a FIDO security key can be created and then used to ultimately access the victim's accounts. Perhaps the worst thing about this vulnerability is that it cannot be corrected by means of a software update.

NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. [...] The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour. [...] These small timing leakages allow us to extract the ephemeral key and then the secret key.

What are the implications of this attack?

In the cited article it is speculated:

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios.

On this point, we disagree. 11,000 dollars is such a small investment that any serious cyber attack far exceeds it. Knowledge of the attack is now largely public, and the attack may still seem very challenging. However, clever hackers continue to show how easy it is to carry out attacks that were previously considered impossible or difficult. We would not be surprised if a simplification of this attack is demonstrated at one of the next CCCongress or Black Hat events.

We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips.

In this long period of 14 years, many millions of chips have been produced and delivered in smart cards and FIDO keys, all of which are now vulnerable to attack. Even if the scaling falls far short of purely software-based attacks, the potential gain from attacks is correspondingly huge, which increases the probability of attacks.

Useless certifications?

These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

The affected chips are not just any microcontrollers, but security chips that have received some of the strictest existing security certifications. Obviously, even these certifications did not protect against this development error. So are security certifications pointless? We don't think they are completely pointless, because as part of such certifications, manufacturers have to implement security mechanisms ranging from the banal to the sophisticated, depending on the level of certification, and their correct implementation is verified. However, this incident shows that security certifications do not offer absolute security. Moreover, this is not the first security incident of this kind and amateurish security errors have often been discovered in certified devices. In 2019, a similar security vulnerability in FIPS-certified dongles was published, which also could not be corrected via a software update. In 2010, it became known that FIPS 140-2 Level 2 certified encrypted USB storage devices from Kingston, SanDisk, Verbatim, MXI and PICO could be easily accessed using a standard password. We therefore consider security certifications to be nice-to-have but generally overrated.

Nevertheless, we have also carried out FIDO certification for the Nitrokey 3A Mini. The decisive factor was the desire of our users to use the Nitrokey in environments where such certification is required. We are planning further certifications for the future, but only where they are really necessary for our customers.

Advantages of open source

Security certifications are basically an incentive (or constraint) for manufacturers to develop sufficiently secure products. However, this is not the only way to create such an incentive. Instead of security certifications, we at Nitrokey rely on open source and independent, transparent security audits. This offers the following advantages:

  • The public has access to the source code and can therefore see the implementation quality and any errors at any time. Security by obscurity is not possible. Similar to certifications, this represents an economic incentive that ensures high quality and security, as otherwise many customers would not buy our products.
  • Unnecessary certification costs can be saved and used for development instead.
  • The community can provide technical feedback, contributions and corrections to improve quality.
  • Potential backdoors, whether malicious or out of convenience, could not be hidden and are therefore practically impossible.
  • Theoretically, any user can check the correctness, quality and security of the implementation.
  • To ensure that even technically inexperienced users and smaller companies can place their trust in us, we occasionally commission independent security audits. We always publish the results reports.

Investment security through firmware updates

Let's come back to the actual security vulnerability. The fact that affected devices cannot be corrected by firmware updates is especially dramatic. This means that no patches can be installed to fix this security vulnerability. Affected customers must therefore hope that the manufacturer will replace the devices free of charge (so far there has been no word of this). The more serious the security vulnerability and the more devices are affected, the more expensive and therefore less likely a free replacement will be, as some manufacturers simply cannot afford it. If manufacturers do offer a free replacement, this may be an acceptable solution for private customers. However, it can be assumed that it is unrealistic for corporate and government customers to replace hundreds or thousands of devices within a short period of time because the organizational effort would simply be too great. Either way, a complete replacement of a large number of devices means significant costs for organizations. For this reason, millions of vulnerable devices will probably still be in circulation many years from now.

Nitrokey's security is also based on microprocessors that could potentially have security vulnerabilities. In particular, Nitrokey 3 uses a security element from NXP that performs similar functions to the Infineon chip now affected. However, our architecture is based to a much greater extent on software and this can be updated. Firmware updates not only allow us to correct many errors retrospectively, but also to introduce new functions and improvements at a later date. If, for example, a standard such as OpenPGP, FIDO2/WebAuthn/Passkeys is developed further, we make this available to our customers free of charge (FIDO/CTAP 2.2 is under development). This means that expenses for Nitrokeys offer greater investment security than for devices that cannot be subsequently corrected and updated via firmware updates.


Nitrokey GmbH Rheinstr. 10 C, 14513 Teltow, Germany Geschäftsführer / CEO: Jan Suhr AG Potsdam: HRB 32882 P

info@nitrokey.com
