https://devzone.nordicsemi.com/f/nordic-q-a/82553/protect-modem-certificateHi, I have the following issue, maybe I have an error in thinking: For Access MQTT the Device has a Certificate in a storage slot, lets say 20. If now someone can gain access to the device, knows about the endpoints and the commands and also findsen-USTelligent Community 13Fri, 28 Jan 2022 08:22:13 GMThttps://devzone.nordicsemi.com/thread/350121?ContentTypeID=1Fri, 28 Jan 2022 08:22:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:03277715-301a-4745-b253-2379d5ccbb51&#216;yvind<p>Daniel, sounds good! Let us know if you have any issues with this solution.</p> <p>Kind regards,<br />Øyvind</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/349974?ContentTypeID=1Thu, 27 Jan 2022 12:45:43 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7b3ff651-6ad6-4cbe-9215-9d1174d22051danielboe<p>Thanks for the response and investigation. We will consider this for our final product to close this attack weak point.</p> <p></p> <p>best regards</p> <p></p> <p></p> <p>daniel</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/349939?ContentTypeID=1Thu, 27 Jan 2022 11:09:33 GMT137ad170-7792-4731-bb38-c0d22fbe4515:eb6fa678-6b35-4e7d-8715-2ba8e26fc632&#216;yvind<p>Hello again Daniel,&nbsp;</p> <p>First of all, thank you for bringing this to our attention. The PSIRT team has assessed your PSIRT report. They write that the &quot;<span><em>official response to the DevZone request is to configure eraseprotect to mitigate this attack vector</em>&quot;</span></p> <p>The team&nbsp;acknowledges the scenario, and will discuss further measures to counter similar scenarios in the future products. That said the ERASPROTECT should be the countermeasure to use in your scenario as this will prevent others from erasing the device and thus programming another custom FW.&nbsp;</p> <p>Let me know if you have any further questions.&nbsp;<br /><br />Kind regards,<br />Øyvind</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/347225?ContentTypeID=1Tue, 11 Jan 2022 15:22:47 GMT137ad170-7792-4731-bb38-c0d22fbe4515:bd156bdf-63b9-4b42-935a-b8a7a5ec05f4&#216;yvind<p>Hi Daniel,&nbsp;<br /><br />Yes, I believe that is the next step. Please link to this ticket as well.&nbsp;</p> <p>Thank you!<br /><br />Kind regards,<br />Øyvind</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/347207?ContentTypeID=1Tue, 11 Jan 2022 14:35:56 GMT137ad170-7792-4731-bb38-c0d22fbe4515:2df9d522-e267-459a-aba1-e460b323264edanielboe<p>Okay good we have a final answer here. Still I see this as a big security issue on device level. What is next? Is it usefull to open a ticket here:</p> <p><a href="https://www.nordicsemi.com/About-us/PSIRT">https://www.nordicsemi.com/About-us/PSIRT</a></p> <p></p> <p>Best regards</p> <p></p> <p>Daniel</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/346958?ContentTypeID=1Mon, 10 Jan 2022 13:33:29 GMT137ad170-7792-4731-bb38-c0d22fbe4515:98045a31-9705-4f5b-9178-3b7e09dfb5f6&#216;yvind<p>Hello,&nbsp;<br /><br />This is the answer I got from one of our certificate experts:</p> <blockquote> <p><br /><span>&nbsp;The certificate is stored in the modem domain and the modem only acts based on commands it receives from the application. Modem does not validate the application, so even if the application is changed, the modem still responds to the commands it receives. Neither has the modem any way of detecting application ERASEALL.&nbsp;</span></p> </blockquote> <p>Kind regards,<br />Øyvind</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/346833?ContentTypeID=1Mon, 10 Jan 2022 07:34:51 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b5bd18cf-1f8a-4904-bb5d-8ec244e3e775danielboe<p>Hi, are there any Ideas here how I can protect the certificate slot agains re-usage?. It would be great to close this door, even if its not that big</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/344111?ContentTypeID=1Fri, 17 Dec 2021 10:04:45 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a0be903c-cf65-49e9-82ee-11d8af36b9a8danielboe<p>Yep this works but I can recover the chip and then I can gain access to the certificate slot again and use it for auth with a new firmware. That is my &quot;issue&quot; I see</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/344091?ContentTypeID=1Fri, 17 Dec 2021 09:05:15 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ce3f4aea-2d48-417f-9a53-c30652bc7fcf&#216;yvind<p>Daniel,&nbsp;<br />have a look at the&nbsp;<a href="https://infocenter.nordicsemi.com/topic/nan_041/APP/nan_production_programming/approtect_eraseprotect_enabled.html">APPROTECT and ERASEPROTECT are enabled chapter in nAN41</a>, the <a href="https://infocenter.nordicsemi.com/topic/ps_nrf9160/chapters/dif/ctrl-ap.html">Control Access Port chapter in the nRF9160 Product Specification</a>, and the <a href="https://infocenter.nordicsemi.com/topic/ps_nrf9160/dif.html">Debug and Trace chapter</a>.</p> <p>If Approtect is enabled it&nbsp;<span>will block all debugger access, both secure and non-secure, and the secureapprotect will prevent debug on secure domain only.&nbsp;<br /><br />Kind regards,<br />Øyvind</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/343841?ContentTypeID=1Thu, 16 Dec 2021 10:29:26 GMT137ad170-7792-4731-bb38-c0d22fbe4515:657eaa4e-b291-416e-a1fb-68f52464a8a6danielboe<p>jep exactly. I tried&nbsp;APPROTECT and after the needed wipe the certificate is still in the modem memory. Can it may work with&nbsp;SECUREAPPROTECT? but this sounds for me like a smaler version of&nbsp;APPROTECT and secure is included in&nbsp;APPROTECT ? Or am I wrong?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/343597?ContentTypeID=1Wed, 15 Dec 2021 10:35:29 GMT137ad170-7792-4731-bb38-c0d22fbe4515:05b6aeba-715f-4744-a266-71e6d7e6bbd3&#216;yvind<p>Hi Daniel, thanks for clarifying.&nbsp;<br /><br />Have you looked at the <a href="https://infocenter.nordicsemi.com/topic/nan_041/APP/nan_production_programming/device_protection.html">Enabling device protection chapter in the&nbsp;application note: nAN41 - nRF9160 Production Programming</a>?&nbsp;<br />This describes how to enable . Access Port Protection (APPROTECT), Erase Protection (ERASEPROTECT), and Secure Access Port Protection (SECUREAPPROTECT).</p> <p>Kind regards,<br />Øyvind</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/343378?ContentTypeID=1Tue, 14 Dec 2021 11:31:32 GMT137ad170-7792-4731-bb38-c0d22fbe4515:609d5d0b-e380-4ced-b54c-ed6f3be61fb8danielboe<p>Hi, thanks for the response. I am not talking about reading the content. I am talking about using them. In my case I have a cloud certificate for AWS IoT. Even if I wipe the complete device because it is read protected it does not wipe the certificate. So everybody can flash a new firmware, only needs the certificate slot and can connect to my endpoint and send custom messages. This is the scenario I have in mind.</p> <p></p> <p></p> <p>best regards</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/342827?ContentTypeID=1Fri, 10 Dec 2021 07:54:44 GMT137ad170-7792-4731-bb38-c0d22fbe4515:669e932e-7ee6-4f1e-ba2a-ded9549f1d98&#216;yvind<p>Hello Daniel,&nbsp;</p> <p>Are you referring to the <a href="https://infocenter.nordicsemi.com/topic/ref_at_commands/REF/at_commands/security/cmng_set.html">modem credential storage management</a>? If so, the following are not readable after configuration:<br /><pre class="ui-code" data-mode="text">1 – Client certificate (ASCII text). 2 – Client private key (ASCII text). 3 – PSK (ASCII text in hexadecimal string format).</pre></p> <p>Also, the read command is only available when modem is in offline mode.&nbsp;</p> <p>Kind regards,<br />Øyvind</p><div style="clear:both;"></div>