gfwilliams
commented
11 months ago This is a duplicate of https://github.com/espruino/Espruino/issues/2346 - but I will attempt to get that fixed at some point soon. You can of course submit a PR.
Just some background: uECC is only used in the bootloader, where it checks the firmware against the private key. The bootloader can only be accessed if you have physical access to the device and can power cycle it with the button pressed.
In addition as this is an open source project and we need users to be able to build their own firmware, the private key is public at https://github.com/espruino/Espruino/blob/master/targets/nrf5x_dfu/dfu_private_key.pem - so really the fact you can extract the private key with some effort via physical device isn't a big deal when you can just look it up on GitHub.
As CVE-2020-27209 described, the ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key. This vulnerability still exists in both nrf5x_15 and nrf5x_12 dir in this project. Would you please fix this so that I can use this repo safer? This can be easily fixed by apply the patch of this CVE ( CVE-2020-27209 )
CVE-2020-27209's description:https://nvd.nist.gov/vuln/detail/CVE-2020-27209 CVE-2020-27209's patch commit:https://github.com/kmackay/micro-ecc/commit/1b5f5cea5145c96dd8791b9b2c41424fc74c2172