A serious security vulnerability has been found in Nitrokeys, which directly affects Dasharo coreboot+Heads. We use the Nitrokey 3A Mini as a USB Security Device to verify the integrity of the boot process, in combination with Dasharo coreboot+Heads firmware. An attacker who has access to both the laptop and the USB Security Device could tamper the firmware and reseal the HOTP by giving the prompt any keystroke, as it would accept any PIN on HOTP secret sealing.
Solution
NovaCustom acknowledges the urgency of this issue and has taken action immediately. Here’s what to do to fix the vulnerability on your laptop and Nitrokey.
Backup
Before proceeding with any firmware update, please always make sure that you have backed up all important data of both your storage drive and the Nitrokey.
Update the Nitrokey’s firmware
While a Nitrokey firmware update has been published, our current Heads version (v0.9.0) is not compatible with it yet. This means that the Nitrokey 3A Mini cannot be detected by Heads if the Nitrokey has been updated to the latest firmware version.
Please wait with the Nitrokey firmware update until a new Heads firmware release has been published. As soon as the update for Heads is live, please update the firmware of your Nitrokey according to the firmware update documentation.
Update Heads
Update your Heads firmware to the latest version v0.9.1 as soon as it is available: ETA: week 27
Wessel klein Snakenborg (Director of NovaCustom)
About the author: Wessel Klein Snakenborg is passionate about technology since childhood. He launched NovaCustom in 2015, crafting tailor-made laptops with privacy and security in mind. With a focus on user-friendliness, NovaCustom continues to redefine the laptop experience, led by Wessel's commitment to innovation and collaboration.
