Security Advisory SB-2025-03: DP Cards
Published: 2025-10
CVSS Severity: 4.6
Summary
A vulnerability has been identified that may allow bypassing the authentication mechanism of the Private Partition feature on certain Swissbit SD and microSD cards.
An adversary with local or physical access could potentially read out data from a protected Private Partition, circumventing the PIN / SO-PIN login mechanism.
This vulnerability does not allow data modification or deletion.
Affected Feature
- Private Partition (Private RO, Private RW) feature only.
- The issue affects devices actively using the Private Partition functionality.
- The vulnerability allows partial read-out of data from a protected area without proper authentication.
- Data modification, overwriting, or erasure cannot be performed using this vulnerability.
Not Affected Features
- The PIN / SO-PIN mechanism itself (authentication logic) is unaffected.
- Other protection features, such as Authenticity Secret, NVRAM confidentiality and Public protection profiles, are not impacted.
- USB-based products and Fiscal SD products using Private Partitions are not affected.
Affected Product Series
End-of-Life Products
- PS-45 DP
- PS-45 SE/PE
- PS-450 SE/PE
- PS-450u DP
- PS-450u SE/PE
- PS-45u DP
- PS-45u SE/PE
- PS-46 DP
- PS-46u DP
Products in Production
- PS-66 DP
- PS-66 SE/PE
- PS-66u DP
- PS-66u SE/PE
- PS-66u Security Upgrade Kit
A complete list of affected part numbers can be found in the appendix below.
Fixed Software / Mitigation
- The affected firmware (CFE) cannot be upgraded in the field.
- Swissbit can perform firmware patching at its facilities upon customer request.
- An upgradable firmware feature is under development and will be released soon.
- Products manufactured after 01.08.2025 will include the security patch and are not affected.
Exploitation and Public Disclosure
- No known exploitation or public disclosure of this vulnerability has occurred.
- A responsible disclosure process is ongoing with the reporting researcher.
Source and Acknowledgments
Swissbit would like to thank an independent security researcher for responsibly reporting this vulnerability.
CVSS Information
- CVSS Score: 4.6 (Medium)
- Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Impact: Local attackers with physical access could gain unauthorized read-only access to data within the Private Partition.
Identification of vulnerable devices
Devices produced before August 2025 are affected. Our guide explains several ways to check the manufacturing date:
https://community.swissbit.com/c/tools-and-code/how-to-identify-the-production-date-of-your-swissbit-card
How to identify vulnerable devices directly by the firmware version (CFE App Version) is described in our Firmware/Application version guide:
https://community.swissbit.com/c/tools-and-code/identification-of-firmware-application-versions-of-security-cards
Affected Products
Only products with a CFE Application version below 390 are affected. Products produced after 08/2025 are NOT affected.

| Series | Status | CFE App Version |
|---|---|---|
| PS-45 DP | EOL | below 390 |
| PS-45 SE/PE | EOL | below 390 |
| PS-450 SE/PE | EOL | below 390 |
| PS-450u DP | EOL | below 390 |
| PS-450u SE/PE | EOL | below 390 |
| PS-45u DP | EOL | below 390 |
| PS-45u SE/PE | EOL | below 390 |
| PS-46 DP | EOL | below 390 |
| PS-46u DP | EOL | below 390 |
| PS-66 DP | Active | below 390 |
| PS-66 SE/PE | Active | below 390 |
| PS-66u DP | Active | below 390 |
| PS-66u SE/PE | Active | below 390 |
| PS-66u Security Upgrade Kit | Active | below 390 |
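As an added example (not Swissbit code), the identification criteria above can be applied to a card inventory export to decide which devices need attention. The CSV column names and sample rows are constructed, and preferring a read-out CFE App version over the production date is an assumption.

```python
import csv
import io
from datetime import date

# Series names and thresholds below are taken from the advisory text.
AFFECTED_SERIES = {
    "PS-45 DP", "PS-45 SE/PE", "PS-450 SE/PE", "PS-450u DP", "PS-450u SE/PE",
    "PS-45u DP", "PS-45u SE/PE", "PS-46 DP", "PS-46u DP",
    "PS-66 DP", "PS-66 SE/PE", "PS-66u DP", "PS-66u SE/PE",
    "PS-66u Security Upgrade Kit",
}
FIXED_CFE_VERSION = 390          # CFE App versions below this are affected
PATCH_CUTOFF = date(2025, 8, 1)  # only cards made after this day count as patched

def triage(row):
    """Classify one inventory record (hypothetical columns) against SB-2025-03."""
    if row["series"].strip() not in AFFECTED_SERIES:
        return "not-affected: series not listed"
    if row["private_partition"].strip().lower() == "no":
        return "not-exposed: Private Partition not in use"
    cfe, produced = row["cfe_app_version"].strip(), row["production_date"].strip()
    if cfe:  # assumption: a read-out firmware version outranks the date
        if int(cfe) < FIXED_CFE_VERSION:
            return "affected: CFE below 390"
        return "not-affected: CFE 390 or later"
    if produced:
        if date.fromisoformat(produced) > PATCH_CUTOFF:
            return "not-affected: produced after cutoff"
        return "affected: produced on or before cutoff"
    return "unknown: read CFE App version or production date"

def triage_inventory(csv_text):
    """Return {asset_id: verdict} for a CSV export of the card inventory."""
    return {r["asset_id"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory; asset ids and values are illustrative only.
SAMPLE = """asset_id,series,cfe_app_version,production_date,private_partition
cam-01,PS-66u DP,371,2024-11-02,yes
cam-02,PS-66u DP,390,2024-11-02,yes
gw-07,PS-45 DP,,2023-05-14,yes
gw-08,PS-66 DP,,2025-09-20,yes
kiosk-3,PS-46 DP,,,yes
log-11,PS-66 SE/PE,350,2024-01-10,no
"""

if __name__ == "__main__":
    for asset, verdict in triage_inventory(SAMPLE).items():
        print(f"{asset:8} {verdict}")
```

Records that come back as unknown are the ones to check by hand using the two guides linked above.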
Affected part numbers
| Part number | Series | Status |
|---|---|---|
| SFSD032GL3PM1TO-I-LF-020-SW4 | PS-45 DP | EOL |
| SFSD064GL3PM1TO-I-HG-020-SW4 | PS-45 DP | EOL |
| SFSD016GL3PM1TO-I-GE-020-SW4 | PS-45 DP | EOL |
| SFSD8192L3PM1TO-E-GE-921-HA1 | PS-45 SE/PE | EOL |
| SFSD8192L3PM1TO-E-GE-921-HA0 | PS-45 SE/PE | EOL |
| SFSD0512L1PM1TO-E-ME-921-HA0 | PS-450 SE/PE | EOL |
| SFSD4096L1PM1TO-E-ME-921-SW2 | PS-450 SE/PE | EOL |
| SFSD4096L1PM1TO-E-ME-921-HA0 | PS-450 SE/PE | EOL |
| SFSD8192N1PM1MT-I-QG-020-SW4 | PS-450u DP | EOL |
| SFSD0512N1PM1TO-I-ME-020-SW4 | PS-450u DP | EOL |
| SFSD0512N1PM1TO-E-ME-020-SW4 | PS-450u DP | EOL |
| SFSD2048N1PM1TO-E-QG-921-HA0 | PS-450u SE/PE | EOL |
| SFSD016GN3PM1TO-E-LF-021-LNI | PS-45u DP | EOL |
| SFSD8192N3PM1TO-I-GE-020-SW4 | PS-45u DP | EOL |
| SFSD8192N3PM1TO-I-GE-020-RP0 | PS-45u DP | EOL |
| SFSD032GN3PM1TO-I-HG-020-RP0 | PS-45u DP | EOL |
| SFSD032GN3PM1TO-I-HG-020-SW4 | PS-45u DP | EOL |
| SFSD8192N3PM1TO-E-GE-020-SW4 | PS-45u DP | EOL |
| SFSD8192N3PM1TO-E-LF-121-SW2 | PS-45u SE/PE | EOL |
| SFSD8192L3PM1TO-I-GE-02P-PC1 | PS-46 DP | EOL |
| SFSD032GL3PM1TO-I-HG-02P-PC1 | PS-46 DP | EOL |
| SFSD2048L3PM1TO-I-GE-02P-SW4 | PS-46 DP | EOL |
| SFSD8192L3PM1TO-I-GE-02P-SW4 | PS-46 DP | EOL |
| SFSD016GL3PM1TO-I-LF-02P-SW4 | PS-46 DP | EOL |
| SFSD8192N3PM1TO-I-LF-02P-TR0 | PS-46u DP | EOL |
| SFSD8192N3PM1TO-I-LF-02P-SW4 | PS-46u DP | EOL |
| SFSD016GL1PT1TB-I-5E-02P-SW4 | PS-66 DP | in production |
| SFSD032GL1PT1TB-I-6F-02P-SW4 | PS-66 DP | in production |
| SFSD064GL1PT1MT-I-7G-02P-SW4 | PS-66 DP | LTB |
| SFSD016GL1PT1MT-I-5E-02P-SW4 | PS-66 DP | LTB |
| SFSD032GL1PT1MT-I-6F-02P-SW4 | PS-66 DP | LTB |
| SFSD064GL1PT1TB-I-7G-02P-SW4 | PS-66 DP | in production |
| SFSD016GL1PT1TB-E-5E-D2P-HA1 | PS-66 SE/PE | in production |
| SFSD016GN1PT1TB-I-5E-02P-TR0 | PS-66u DP | in production |
| SFSD016GN1PT1TB-I-5E-02P-SW4 | PS-66u DP | in production |
| SFSD064GN1PT1TB-I-7G-02P-SW4 | PS-66u DP | in production |
| SFSD032GN1PT1TB-I-6F-02P-SW4 | PS-66u DP | in production |
| SFSD016GN1PT1MT-I-5E-02P-SW4 | PS-66u DP | LTB |
| SFSD032GN1PT1MT-I-6F-02P-SW4 | PS-66u DP | LTB |
| SFSD064GN1PT1MT-I-7G-02P-SW4 | PS-66u DP | LTB |
| SFSD016GN1PT1TB-E-5E-D2P-SW2 | PS-66u SE/PE | in production |
| SFSD016GN1PT1TB-I-5E-02P-SW8 | PS-66u Security Upgrade Kit | in production |
| SFSD032GN1PT1TB-I-6F-02P-SW8 | PS-66u Security Upgrade Kit | in production |
| SFSD064GN1PT1TB-I-7G-02P-SW8 | PS-66u Security Upgrade Kit | in production |
| SFSD016GN1PT1TB-I-5E-02P-SB8 | PS-66u Security Upgrade Kit | in production |