[robryk]

Nitrokey claims on their homepage that the firmware of the Storage version of NitroKey can be updated by software. This seems to mean that there's someone out there with a key that can sign arbitrary code that can be loaded as an update and gains access to the crypto material on the device.

[Karunamon]

I had a look through their instructions and I'm not sure if there is a signing process that happens. You have to enable firmware access from the app, and then it's a bog standard DFU flash to load the new firmware.

[robryk]

Does it require you to perform any physical actions on the dongle? If not, why can't I straightforwardly extract keys if I own the machine the dongle is attached to?