Researchers discovered the ROCA vulnerability (CVE-2017-15361) which enables attackers to compute their victim's private RSA keys with little effort. Affected are RSA keys being generated in various hardware systems which contain the vulnerable chip from Infineon Technologies, such as computers with a Trusted Platform Module (TPM), smart cards and USB dongles. Some affected vendors are HP, Fujitsu, Google, Lenovo, Toshiba, Samsung, Acer, LG, Gemalto and Yubico.

Users of Nitrokey can relax because Nitrokey is not affected by this vulnerability. We don't use components from Infineon Technologies. Instead we use NXP and our own open source software implementation.

The attacker doesn't require access to the hardware and instead knowledge of the public key is sufficient. If you use a non-Nitrokey product you can check here if your RSA key is affected.