Breaking the STM32F1 Read-Out Protection

A new attack on the STM32F1's read-out protection has been published (only partially, as of now).

The STM32F1 is used in some Nitrokey products as follows:

Nitrokey Start: Cryptographic keys and data objects (EF) are stored in the STM32F1. Private cryptographic keys are additionally encrypted with the user password (OpenPGP Card User PIN). Note that the product's lower security level (no tamper protection) is stated in our product description, and that the Nitrokey Start is therefore positioned as an entry-level model compared to our other smart card based models.

Nitrokey HSM: No user information is persistently stored in the STM32F1.

Nitrokey Pro:

  • One-time passwords (HOTP, TOTP) are stored in the STM32F1. These serve as a second factor and are therefore accessible without authentication by default. Think of physical OTP tokens that display one-time passwords on an integrated display at the touch of a button.
  • The Password Safe stores passwords in the STM32F1. These are additionally encrypted with an AES key, which is stored in a tamper-proof smart card (and is PIN-protected).
  • Cryptographic keys are not stored in the STM32F1.

In summary, we are not surprised by such an attack, which is why we primarily use tamper-proof smart cards in our products. We assess the risk for our products as low and see no acute technical need for action. In the future we will move our products to other (more secure) microcontrollers and smart cards.
