Hardware security tokens effectively prevent most password-related security issues and improve security indisputably. However, there are new threats from attackers with physical access which need to be discussed. Supply chain adversaries may manipulate devices on a large scale and install backdoors before they even reach end users. In evil maid scenarios, specific devices may even be attacked while already in use. For that reason, we thoroughly investigated the security and trustworthiness of seven commercially available open source security tokens, including devices from the two market leaders: SoloKeys and Nitrokey.
We identified and practically verified significant vulnerabilities in all seven examined tokens. The methods range from exploiting logical and architectural flaws to side-channel and fault injection attacks. Fortunately, due to the open source nature of the security tokens, we were able to propose firmware modifications which mitigate all identified vulnerabilities. Some of these modifications are already applied by the token manufacturers.
The results of this research will be presented at the Cryptographic Hardware and Embedded Systems (CHES) 2021 conference. The final and peer reviewed paper is already available on the Cryptology ePrint Archive.