blog.zapb.de (Posts about fido)https://blog.zapb.de/enContents © 2024 <a href="mailto:blog@zapb.de">Marc Schink</a> Except where otherwise noted, content on this site is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/">Creative Commons BY-NC-SA 4.0</a> license.Tue, 19 Mar 2024 21:11:05 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssSecurity and Trust in Open Source Security Tokenshttps://blog.zapb.de/security-and-trust-in-open-source-security-tokens/Marc Schink & Alexander Wagner<figure><img src="https://blog.zapb.de/images/security-and-trust-in-open-source-security-tokens/preview.jpg"></figure> <figure class="align-center"> <img alt="Electromagnetic fault injection (EMFI) setup with the Solo security token as target device" src="https://blog.zapb.de/images/security-and-trust-in-open-source-security-tokens/poster.jpg" style="width: 100%;"> </figure> <p>Hardware security tokens effectively prevent most password-related security issues and improve security indisputably. However, there are new threats from attackers with physical access which need to be discussed. Supply chain adversaries may manipulate devices on a large scale and install backdoors before they even reach end users. In evil maid scenarios, specific devices may even be attacked while already in use. For that reason, we thoroughly investigated the security and trustworthiness of seven commercially available open source security tokens, including devices from the two market leaders: <a class="reference external" href="https://solokeys.com/">SoloKeys</a> and <a class="reference external" href="https://www.nitrokey.com/">Nitrokey</a>.</p> <p>We identified and practically verified significant vulnerabilities in all seven examined tokens. The methods range from exploiting logical and architectural flaws to side-channel and fault injection attacks. Fortunately, due to the open source nature of the security tokens, we were able to propose firmware modifications which mitigate all identified vulnerabilities. Some of these modifications are already applied by the token manufacturers.</p> <p>The results of this research will be presented at the <a class="reference external" href="https://ches.iacr.org/2021/">Cryptographic Hardware and Embedded Systems (CHES) 2021</a> conference. The final and peer reviewed paper is already <a class="reference external" href="https://eprint.iacr.org/2021/640">available</a> on the <a class="reference external" href="https://eprint.iacr.org/">Cryptology ePrint Archive</a>.</p>fault injection attackfidohackingmicrocontrollernrf52securitysecurity tokenside-channel attackstm32https://blog.zapb.de/security-and-trust-in-open-source-security-tokens/Mon, 17 May 2021 08:00:00 GMT