An article collecting information, ideas and notes from many sources, with thanks to robertobipunto. Here we go deep into the subject of hardware wallets.
As you know, Ledger announced a new service for recovering your keys. This has put the whole bitcoiner community into a state of fear. Let’s look into it.
There is nothing to fear (or rather, no more than yesterday) until the firmware is updated. After the firmware is updated there may be additional concerns compared to yesterday, but hardware wallets that can ‘extract’ the mnemonic (to the screen or to a microSD card) at the explicit request of the user are not uncommon.
You must enter the PIN to perform the update (and clearly, if a hardware wallet is stolen, the funds should be moved ASAP anyway).
Coldcard and BitBox02 already allow you to view the mnemonic after initializing the device (clearly, only after unlocking it), and this is not a security issue, because if you can do that it means you can (after unlocking the device) transfer the funds immediately anyway.
The Secure Element serves to avoid or reduce the probability of extraction by an adversary, and also (in some cases) to perform certain operations internally so as to limit the amount of secret information handled outside the Secure Element (that is, in less secure memory).
The Secure Element protects the secret (the seed, or the private key of an ATM) until you enter the PIN; once you do, the data is readable. The Secure Element (if we trust the manufacturer’s claim) makes the data unreadable after a number of wrong PIN entries.
There are several hardware wallets (which also use Secure Element) that allow the mnemonic stored in the device to be displayed once the PIN has been entered.
So ‘extraction’ of the mnemonic is nothing new if it is done with the user’s authorization; until yesterday Ledger did not allow it, and with the new firmware it will be possible, always and only with the user’s consent of course.
So, to be precise, the fact that you can ‘extract’ the mnemonic is a non-issue as long as the operation is PIN-protected (clearly), because whoever has the PIN, even without extracting the mnemonic, can still move all the funds by signing transactions.
You may not like the fact that they offer a custody service in the way Ledger is doing it, but it is still an optional service: just don’t join it, or don’t even update the firmware.
A secure element (SE) is a tamper-resistant hardware component used to store sensitive information, such as encryption keys and personal identification numbers (PINs), in a secure manner. Why use secure elements?
- Security: Because the information stored on a secure element is protected by physical and logical security mechanisms, it is extremely difficult for an attacker to extract the information without detection.
- Isolation: The secure environment provided by a secure element ensures that sensitive information is kept separate from the main processing environment of a device, reducing the risk of data breaches caused by software vulnerabilities.
Coldcard does not allow you to flash custom firmware unless the device has first been initialized with your own PINs; once you have set your PINs, nothing else can be done without being asked for them at boot time, and since the device cannot be reset to factory settings, the mere fact that a device asks to be initialized at boot time should already be an indication that it is genuine.
For more details, see https://blog.coinkite.com/understanding-mk4-security-model/
Firmware (MIT license): https://github.com/Coldcard/firmware/blob/master/LICENSE
From the Coldcard blog:
How can I trust this information? First, the bootloader (the computer program that handles starting a computer) will not run the device’s firmware (software that gives the basic instructions for how the hardware should operate and interact with other software running on a device) if it is unsigned or signed incorrectly.
Second, if anything were to be changed at the bootloader or firmware level, the red caution light would turn on, indicating that something went wrong.
And more, about secure elements and backdoors (from their documentation):
One of the key features that helps to protect against backdoors is the use of hardware-based security. The secure elements in the COLDCARD Mk4 are physically separate from the microcontroller unit, which is the part of the device that runs the software.
All Bitcoin signing is done in the MCU using the same code (libsecp256k1) as in Bitcoin Core. It’s been reviewed by hundreds of coders, both good and evil. The Secure Elements hold secrets, but they do not manage your Bitcoin. This is key for protecting from backdoors in those chips, since we cannot review them. Because of the dual Secure Element setup, a backdoor which leaks the secrets would need to exist for all 3 chips.
All communications with the Secure Elements are done with bootloader code that is set in the Coinkite factory, thus not upgradeable. The signature verification of new firmware is done by the MCU boot code, which isn’t changeable.
What about BitBox02? Reading their documentation, we get a lot of useful information. First of all:
Within the hardware wallet industry, there are two contrasting approaches to security design: 1) relying on a secure chip (SC) as a black box, or 2) using open-source firmware on a general purpose microcontroller unit (MCU). With the BitBox02, we found a security architecture that allows us to combine the advantages of both approaches.
Since “no open-source chip is commercially available today”, they take the following approach, combining the advantages of open-source firmware and a secure chip in a way that
- the hardware wallet only runs open-source firmware,
- the device is hardened against physical attacks using a secure chip, and
- the secure chip does not need to be trusted, as it cannot learn any of the secrets.
SeedSigner is a solution you can build yourself from generic hardware; it reduces the trust needed in the production chain, but it has the disadvantage of not having a secure chip for seed storage (which is why they defined the SeedQR standard, so that importing the mnemonic is faster when needed).
General purpose computers
If you are thinking of using a general purpose computer, you must take several important aspects into consideration.
- A standard computer is not suitable for producing the real randomness needed to generate cryptographic secrets.
- A standard computer is exposed to hacking or malware.
In some cases, if the user knows well what they are doing, an offline computer running a Tails distribution can be used to create a sort of “air-gapped” wallet, where the mnemonic is still created from a real entropy source (for example dice, or another medium).
So do your own research and decide for yourself whether this is a method that can be considered for your case. Darthcoin wrote about this possibility and developed a procedure for achieving this result.
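A worked illustration of the dice-based entropy path described above, added here as an example and not taken from the original article or from any wallet project: fair dice rolls are condensed into 32 bytes of entropy with SHA-256 and laid out as BIP39 word indices, and inputs that carry fewer than 256 bits of entropy are refused, because hashing cannot create randomness that was never rolled. The function and constant names are my own; looking the indices up in the BIP39 English wordlist (not embedded here) yields the 24 words.

```python
import hashlib
import math

WORD_BITS = 11        # BIP39 packs entropy||checksum into 11-bit word indices
ENTROPY_BITS = 256    # 32 bytes of entropy gives a 24-word mnemonic


def dice_entropy_bits(n_rolls: int, sides: int = 6) -> float:
    """Entropy in bits carried by n fair rolls of a die with `sides` faces."""
    return n_rolls * math.log2(sides)


def rolls_needed(min_bits: int = ENTROPY_BITS, sides: int = 6) -> int:
    """Smallest number of fair rolls that reaches min_bits of entropy."""
    return math.ceil(min_bits / math.log2(sides))


def entropy_from_dice(rolls: str, min_bits: int = ENTROPY_BITS) -> bytes:
    """Condense a string of dice rolls ('1'..'6') into 32 bytes of entropy.

    The rolls are hashed with SHA-256, which only mixes them: a roll string
    with too little entropy is rejected instead of being silently "stretched".
    """
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    if dice_entropy_bits(len(rolls)) < min_bits:
        raise ValueError(f"only {len(rolls)} rolls; need at least {rolls_needed(min_bits)}")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_word_indices(entropy: bytes) -> list:
    """Split entropy || checksum into 11-bit word indices as BIP39 specifies.

    The checksum is the first ENT/32 bits of SHA-256(entropy), where ENT is
    the entropy length in bits (128..256 in 32-bit steps).
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    # Most significant 11 bits become the first word, and so on down the line.
    return [(combined >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]
```

The all-zero BIP39 test vectors are a handy sanity check: 16 zero bytes must give eleven index-0 words ("abandon") followed by index 3 ("about"), and 32 zero bytes end with index 102 ("art").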
Small recap by robertobipunto:
– Coldcard for geeky ‘nerds’, because it is more complicated to use but very complete and versatile
– BitBox02 (Bitcoin-Only) is less versatile but significantly easier to use
– and finally I would recommend evaluating Jade which I find just as easy to use as BitBox02 (Bitcoin-Only), but works without a secure element and is not a shitcoin project (the choice not to use SE at this point in time might be something to appreciate given the Ledger affair).
As for Ledger I haven’t recommended it for years because even just as a feature-set it’s not on par with the others, especially in terms of secure usage as a share of a multi-sig (something I attach a lot of importance to) and I’ve never appreciated their ‘scammy’ marketing and blatant shitcoinism.
If you want a detailed comparison, you can have a look here:
Regarding the list: it has not been checked, so we cannot guarantee the accuracy of its content, but in principle it seems to me to be a good starting point for an in-depth comparison.