![](https://novacustom.com/storage/Nitrokey-Heads-vulnerability-300x203.png)
A serious security vulnerability has been found in Nitrokeys, which directly affects Dasharo coreboot+Heads. We use the Nitrokey 3A Mini as a USB Security Device to verify the integrity of the boot process, in combination with Dasharo coreboot+Heads firmware. An attacker who has access to both the laptop and the USB Security Device could tamper with the firmware and then reseal the HOTP secret by entering any keystroke at the prompt, because any PIN would be accepted when sealing the HOTP secret.
Solution
NovaCustom acknowledges the urgency of this issue and took immediate action. Here’s what to do to fix the vulnerability on your laptop and Nitrokey.
![](https://novacustom.com/storage/backup-icon.png)
Backup
Before proceeding with any firmware update, always make sure that you have backed up all important data from both your storage drive and the Nitrokey.
![](https://novacustom.com/storage/Nitrokey-3A-Mini-in-use-1-150x150.jpg)
Update the Nitrokey’s firmware
While a Nitrokey firmware update has been published, our current Heads version (v0.9.0) is not compatible with it yet. This means that the Nitrokey 3A Mini cannot be detected by Heads if the Nitrokey has been updated to the latest firmware version.
Please hold off on updating the Nitrokey firmware until a new Heads firmware release has been published. As soon as the update for Heads is live, update the firmware of your Nitrokey according to the firmware update documentation.
![](https://novacustom.com/storage/Heads-firmware-icon.png)
Update Heads
Update your Heads firmware to the latest version v0.9.1 according to the Firmware Update documentation for Dasharo coreboot+Heads.