CODESYS Key physical side-channel vulnerability
Monitor4.9VDE-2025-001Jan 21, 2025
Attack VectorPhysical
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
The CODESYS Key USB dongle (based on WIBU CodeMeter technology) is affected by a physical side-channel vulnerability. An attacker with physical access to the dongle could use power analysis or timing measurements to extract the cryptographic keys that protect software licenses and control system authentication. Version 4.52 includes a fix. The vulnerability does not require network access or credentials, only physical possession of the dongle and specialized measurement equipment.
What this means
What could happen
An attacker with physical access to a CODESYS Key USB dongle could extract cryptographic keys through side-channel analysis, potentially enabling unauthorized access to protected software licenses and control systems that depend on the dongle for authentication.
Who's at risk
Water authorities and municipal utilities that use CODESYS-based automation systems rely on CODESYS Key USB dongles for software licensing and system authentication. Any facility with CODESYS software running on engineering workstations or supervisory control systems is affected, particularly those with physical access to network devices, control cabinets, or workstations.
How it could be exploited
An attacker must physically possess the CODESYS Key dongle and use specialized measurement equipment to analyze power consumption or timing variations during cryptographic operations. This allows them to deduce the encryption keys without needing the dongle's password. The extracted keys could then be used to generate fraudulent licenses or gain unauthorized access to CODESYS systems.
Prerequisites
- Physical possession of the CODESYS Key USB dongle
- Specialized equipment for power analysis or timing side-channel measurements
- No credentials or network access required
Physical access required but plausible in many industrial sitesHigh complexity attack but standard side-channel techniquesAffects cryptographic key material protecting software licensesPotential for widespread license fraud or unauthorized system access
Affected products (1)
ProductAffected VersionsFix Status
Key series 3<4.524.52
Remediation & Mitigation
0/4
Do now
0/3HARDENINGRestrict physical access to CODESYS Key dongles to authorized personnel only
HARDENINGImplement procedures to prevent unauthorized removal of CODESYS Key dongles from production control systems
HARDENINGStore CODESYS Key dongles in a secure, locked location when not in active use
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate CODESYS Key firmware to version 4.52 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/44a7b2ba-21b8-4ce8-b7ba-ad905d364bbb