Bitcoin Forum
Author Topic: Very Basic Question About The Jade Wallet  (Read 98 times)
FrameOfReference (OP)
August 04, 2025, 06:04:09 PM
Merited by Pmalek (2)
 #1

I am struggling to understand a basic property of the Blockstream Jade hardware wallet (I am not an owner yet), namely that an intruder who has both your wallet device and your PIN is unable to spend your Bitcoin.

I have studied the information in the Blockstream Jade Help Center regarding the Blind Oracle mechanism and had a conversation with the AI bot about my question.

What confuses me is that on the one hand you are able to switch to a different companion app on a different PC and connect your Jade to it and enter your PIN and then still be able to spend your Bitcoin via that new companion app, but if an intruder who has both your Jade plus your PIN installs a companion app on their own PC and connects your Jade to it and enters your PIN then somehow they will NOT be able to spend your Bitcoin. But these two things seem contradictory, as the exact same thing is being done in each case. So what is it that differentiates the legitimate user's access from the intruder's access?

Here are two quotes from the AI chat :

(1)
Me : So if I change my companion app how can I still access the oracle secret?
Blockstream Help Agent : You can still access the oracle secret with a new companion app, as it simply acts as a bridge to the blind oracle. As long as the app is compatible and you enter the correct PIN, the encrypted channel with the oracle will be established, allowing you to unlock your Jade.

(2)
Me : What stops the intruder with CORRECT PIN from accessing the remote PIN oracle ?
Blockstream Help Agent : If an intruder has the correct PIN, there is nothing in the described security model that stops them from accessing the remote PIN oracle. The oracle is designed to provide its part of the decryption process when the correct PIN is entered on Jade.

So that looks like an intruder with Jade device + PIN can after all spend your Bitcoin. I am just really confused by this circular logic, please can someone explain how this works definitively.

mcdouglasx
August 04, 2025, 06:53:38 PM
Merited by Pmalek (2), FrameOfReference (1)
 #2

I asked questions in the Blockstream chat, and I came to the following conclusion:

"The blind oracle doesn't differentiate between the legitimate user and an attacker; it only responds if the correct PIN is entered. It doesn't store personal data or identify users. If someone has the device, the PIN, and knows how to install the oracle, they could unlock the Jade just like the original owner."

Alternatively, you can create a custom oracle, which is what they recommend for advanced users to prevent an attacker from replicating your configuration and obtaining enough information to spend the funds. However, their website says it's in beta.

FrameOfReference (OP)
August 04, 2025, 08:46:10 PM
Merited by Pmalek (2)
 #3

Alternatively, you can create a custom oracle, which is what they recommend for advanced users to prevent an attacker from replicating your configuration and obtaining enough information to spend the funds. However, their website says it's in beta.

The custom oracle does appear to solve the problem of such an intruder, but with the default oracle it looks like the intruder can in fact spend the Bitcoin.

In the Blockstream Help Center section "Set up a personal blind oracle" :
https://help.blockstream.com/hc/en-us/articles/12800132096793-Set-up-a-personal-blind-oracle
it says :
"By default Jade will communicate with Blockstream's blind PIN oracle, however users also have the choice to run their own."

The AI confirms this feature is still in Beta.

The configuration of the Jade wallet described in the section "Point Jade to Personal Blind Oracle" requires a factory reset first, and to change that configuration you have to do another factory reset (putting it back to the default of Blockstream's blind PIN oracle) and then put the new configuration in. The given example configuration has "--set-url http://127.0.0.1:8096", i.e. the personal blind oracle is on the localhost, to which the Jade wallet is connected, but the personal blind oracle can alternatively be installed on a remote computer, and then accessed via the URL specified in --set-url.

So a personal blind oracle would prevent an intruder with Jade wallet plus PIN from spending your Bitcoin so long as that intruder did not also have access to your personal blind oracle (either physically for localhost, or remotely because the URL specified in --set-url was publicly accessible). The intruder would have to factory reset the Jade wallet to change the blind oracle that it is configured to point to, but then they would lose the seed phrase that is in the Jade wallet.

A Jade with the default oracle setting of Blockstream's blind PIN oracle would be compromisable by an intruder with the Jade wallet plus the PIN, using their own companion app on their own PC.

Thus the AI result for Google search on "blockstream jade can someone get my bitcoin with my PIN plus the jade wallet" is not strictly correct :
"No, someone cannot get your Bitcoin using just the PIN and the Blockstream Jade hardware wallet. The Blockstream Jade uses a PIN oracle, which means the PIN is used to unlock a highly encrypted wallet on the device, but the decryption mechanism is held off-device. This means that even with the PIN, an attacker would also need access to the remote PIN oracle (which is not directly connected to the internet) to decrypt the wallet."

since the attacker does have access to the remote PIN oracle when that oracle is at the default setting of the Jade wallet.

As most people will be running the default setting for the oracle it would be good if the Jade help documentation made it clearer that losing their Jade wallet plus their PIN to an intruder would mean loss of funds. It was one of the first questions that occurred to me on studying this wallet.

Unless there's something I am still misunderstanding, please correct me if I am wrong.

mcdouglasx
August 04, 2025, 10:39:22 PM
 #4

The documentation should explicitly warn that the default configuration allows theft if both (device + PIN) are compromised, because the third part of the key, or the third factor when using the public oracle, is obtained from these, which is not clear. But you should be protected if you use a custom oracle, although it is still in beta; maybe you should consider waiting for a final version.

FrameOfReference (OP)
August 05, 2025, 01:15:43 PM
Last edit: August 05, 2025, 05:01:20 PM by FrameOfReference
 #5

I think there is one further thing that would need to be done. I am not sure how this all works, but it seems to me that someone running a personal blind oracle, for best security, should generate a random new keypair for their oracle, because if the default keypair that comes with https://github.com/Blockstream/blind_pin_server.git is used then the intruder may be able to access the oracle without having to reconfigure the Jade wallet. For example, if the Jade wallet is configured to point to a personal blind oracle on the localhost and the default keypair was used for that oracle, then the intruder can simply set up their own personal blind oracle on their own localhost and also just use the default keypair. But if the Jade owner generates their own keypair different from the default, then the intruder cannot unlock the Jade wallet, because even if they know the owner's keypair they couldn't reconfigure the Jade wallet to point to it without doing a factory reset first (thus losing the seed phrase within the wallet). Again, I am just surmising; I don't understand how all this works, but it seems there must be a keypair in the oracle which is specified by the --set-pubkey option when the Jade wallet is configured to point to the personal blind oracle.

As it stands I would not leave significant funds on a Jade wallet behind a PIN, or indeed any hardware wallet; I would factory reset it and keep the seed phrase safe.

Pmalek
August 05, 2025, 03:27:14 PM
Merited by FrameOfReference (1)
 #6

A person who has physical access to a Jade hardware wallet and its decryption PIN has what's needed to unlock and spend from the wallet. I don't know the mechanisms of custom blind oracles that you install yourself. You should look at your PIN as any other local encryption system. Knowing the PIN unlocks what the PIN is supposed to protect.

However, the best thing, in my opinion, about the Jade is that it can function as a stateless signer. Once it's turned off, the device's memory is wiped, so there is nothing on it for an attacker to steal. Every time you turn it on you will need to scan your seedQR and enter an optional passphrase. Once your work is done, everything resets to factory settings. I would highly recommend that you look into this feature. It takes a bit more time to set up but it's worth it later.

bitcoin__help
August 05, 2025, 06:08:09 PM
Merited by Pmalek (2)
 #7

Rich from the Jade team here.

Like any HWW, if you know the PIN you can decrypt the seed and access the funds.

Where Jade is different, is that the part of the material needed to decrypt the seed is not stored on the device. This extra material is on the blind oracle and is completely useless and is only used in combination with the correct PIN and the encrypted seed on Jade to unlock the device.

This means if someone has your Jade alone, there is nothing they can do to access your funds. The necessary information is simply not there.

This is different than other, secure element based HWWs, which possess all necessary decryption material on the device itself. If you can crack the SE, you can steal the funds.

Also where the Blockstream-run oracle may win over a personal oracle, is that the attacker would need to locate and hack the Blockstream oracle and get your Jade (and hack it) to access funds. If you run an oracle yourself, it's likely going to be somewhere more accessible to an attacker and possibly near the same place as your Jade. When those two pieces are together, it becomes like a SE element based device where you need to hack the oracle and the Jade, at which point you can try to brute force the PIN (it's not as simple as just bringing the two pieces together)
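
A simplified model of the split discussed in this thread, added here as an illustration; it is not Blockstream's code and not the actual Jade or blind_pin_server protocol. The HMAC chain, the XOR "encryption", the class and function names, and the sample PIN and seed are all assumptions made for the model.

```python
import hashlib, hmac, secrets

def kdf(*parts: bytes) -> bytes:
    """HMAC-SHA256 chain; a stand-in for a real KDF in this toy model."""
    key = b"toy-blind-oracle"
    for part in parts:
        key = hmac.new(key, part, hashlib.sha256).digest()
    return key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Oracle:
    """One secret per device. Never sees PIN or seed, never checks who is asking."""
    def __init__(self):
        self.records = {}
    def enroll(self, device_id: bytes) -> None:
        self.records[device_id] = secrets.token_bytes(32)
    def respond(self, device_id: bytes, blinded_pin: bytes) -> bytes:
        return kdf(self.records[device_id], blinded_pin)

class Device:
    """Flash holds device_secret, enc_seed and check, but not the oracle's share."""
    def __init__(self, seed: bytes, pin: str, oracle: Oracle):
        self.device_id, self.device_secret = secrets.token_bytes(16), secrets.token_bytes(32)
        oracle.enroll(self.device_id)
        key = self._key(pin, oracle.respond)
        self.enc_seed, self.check = xor(seed, key), kdf(key, b"check")

    def _key(self, pin: str, bridge) -> bytes:
        blinded = kdf(self.device_secret, pin.encode())
        return kdf(bridge(self.device_id, blinded), blinded)

    def unlock(self, pin: str, bridge):
        """bridge models the companion app: it only relays to an oracle."""
        key = self._key(pin, bridge)
        ok = hmac.compare_digest(kdf(key, b"check"), self.check)
        return xor(self.enc_seed, key) if ok else None

def scenarios() -> dict:
    default_oracle, other_oracle = Oracle(), Oracle()
    seed = secrets.token_bytes(32)                 # constructed sample seed
    jade = Device(seed, "482913", default_oracle)  # constructed sample PIN
    other_oracle.enroll(jade.device_id)            # same device id, different secret
    relay = default_oracle.respond                 # any companion app is just this relay
    return {
        "owner_new_companion": jade.unlock("482913", relay) == seed,
        "intruder_device_and_pin": jade.unlock("482913", relay) == seed,
        "intruder_wrong_pin": jade.unlock("000000", relay) is None,
        "correct_pin_other_oracle": jade.unlock("482913", other_oracle.respond) is None,
    }
```

In this model the first two scenarios are the same call, which is the point made in the replies above: the oracle answers whoever presents the device and the correct PIN, while the device's flash contents alone, or a different oracle holding a different secret, never yield the key.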
Pmalek
August 11, 2025, 08:29:34 AM
 #8

Rich from the Jade team here.

Like any HWW, if you know the PIN you can decrypt the seed and access the funds.

Where Jade is different, is that the part of the material needed to decrypt the seed is not stored on the device. This extra material is on the blind oracle and is completely useless and is only used in combination with the correct PIN and the encrypted seed on Jade to unlock the device.

There are both pros and cons to this system. One of the pros being what you explained: the data isn't stored locally on the device but remotely on a server that you would have to access over the internet. If that oracle at Blockstream malfunctions, you would have issues with your Jade. At the same time, you can't manipulate the oracle material by having physical access to a Jade.

Not having an SE chip makes the private data easier to obtain by those who have the knowledge to retrieve it if it weren't for the second factor which is the blind oracle, either one run by Blockstream or a custom local one.
