BC Vault hardware wallet - is this a reasonable answer to a question?

[dkbit98]

A lot of their code is open source.

No, it's not, don't spread lies and act smart.
There is no bit of open source, bit of closed source, don't mix apples and oranges.
Bc vault github is only for their wallet provider and for javascript API for integrating BC-Vault, not a single line of code regarding firmware or anything else.
I can also create fake Bitcoin code that is also open source, but nobody will use that, except maybe people who don't use their brain.
https://github.com/bc-vault

[eliaspoliceno]

Good luck Nice effort, but looong loong way from success.

We implemented proprietary security mechanisms (using standard aes256 of course) and thus we do not provide any shortcuts.

Sole purpose of any crypto wallet is to NOT MAKE IT EASY to even try to approach brute forcing….latest example of this is Ledger users receiving FAKE LEDGERS with changed software etc..sad but true. Open source is two edge sword and one edge is hackers exploiting it.

I wish you luck with trying the passwords.

Thanks for replying!
This thing is becoming interesting to me, because if i am not successful, my funds will be locked forever, so, no chance to fail here.

I think that you are right for looking for security in your device, this is the thing we want when we look for hardware wallets. But, i also think that open source is not the problem. The real question on open sourcing things is the way you do it. There are a lot of open source and secure things, like bitcoin itself, linux, and so much on. The problem is how you deal with people involved with your business. Wouldn't be great if we, the community, help you make BCVault even more secure then it is? Someone, maybe not me, WILL sooner or later decrypt the file, or hack the device. I just think that BCVault should be involved on this in a responsible and secure disclosure, not to get caught by surprise.

It is a great start to us to hear from you that this is an AES-256 secured device, but also, you mention you implemented security mechanisms. Which of the seven AES operation modes did you used? ECB, CBC, CTR, PCBC, CFB, OFB or GCM? How the password and PIN are hashed to form the key, is it an known hashing function?

Hope you get involved and hear to us, your actual, and possible clients.

[alien2108]

Sorry, no more security related details will be provided. As said, good luck with your mission though!

[puertadelfuego]

Good luck Nice effort, but looong loong way from success.

We implemented proprietary security mechanisms (using standard aes256 of course) and thus we do not provide any shortcuts.

Sole purpose of any crypto wallet is to NOT MAKE IT EASY to even try to approach brute forcing….latest example of this is Ledger users receiving FAKE LEDGERS with changed software etc..sad but true. Open source is two edge sword and one edge is hackers exploiting it.

I wish you luck with trying the passwords.

Thanks for replying!
This thing is becoming interesting to me, because if i am not successful, my funds will be locked forever, so, no chance to fail here.

I think that you are right for looking for security in your device, this is the thing we want when we look for hardware wallets. But, i also think that open source is not the problem. The real question on open sourcing things is the way you do it. There are a lot of open source and secure things, like bitcoin itself, linux, and so much on. The problem is how you deal with people involved with your business. Wouldn't be great if we, the community, help you make BCVault even more secure then it is? Someone, maybe not me, WILL sooner or later decrypt the file, or hack the device. I just think that BCVault should be involved on this in a responsible and secure disclosure, not to get caught by surprise.

It is a great start to us to hear from you that this is an AES-256 secured device, but also, you mention you implemented security mechanisms. Which of the seven AES operation modes did you used? ECB, CBC, CTR, PCBC, CFB, OFB or GCM? How the password and PIN are hashed to form the key, is it an known hashing function?

Hope you get involved and hear to us, your actual, and possible clients.

Hey eliaspoliceno, I have recently diagnosed the key derivation for bcvault using the global pin/password and wallet pin/password. If you still are having trouble accessing your wallet please let me know. I reverse engineered it in support of a crypto recovery effort. I just made this account to reach out as I couldn't find an email for you. I can decrypt all the binary backups on your GitHub page. If you want to reach out for now you can just send me a message on this with contact details or we can chat on here. If you want I can verify it with examples. Thanks! PdF

[Pmalek]

Hey eliaspoliceno, I have recently diagnosed the key derivation for bcvault using the global pin/password and wallet pin/password. If you still are having trouble accessing your wallet please let me know. I reverse engineered it in support of a crypto recovery effort. I just made this account to reach out as I couldn't find an email for you. I can decrypt all the binary backups on your GitHub page. If you want to reach out for now you can just send me a message on this with contact details or we can chat on here. If you want I can verify it with examples. Thanks! PdF

eliaspoliceno was last online on this forum in March 2022. It's unlikely that he will return. But you can try to send him a PM. He will then receive an email to the email address associated with his Bitcointalk account. If he still uses it, he might see that someone wrote to him on the forum and come back to visit.

Even better, make a public post and explain your method. You can create a brand-new thread or describe what you do and what you need right here. Other people who are in a similar situation could find your post and perhaps get the help they need.

[puertadelfuego]

Pmalek,

Thanks for the suggestion! I ended up posting it here (and on his github repo) because he has the default setting of not receiving PMs from newbie accounts. I will look at possibly starting a new thread. This basically just allows for brute force guessing of pin/passwords, which could be useful if others don't have the details yet. Thanks!!

[alien2108]

On this point I would like to mention that WE DO NOT derive any keys from passwords and pins (in a way as those are derived with seed words). Please be VERY CAREFUL with whom you share your backups or god forbids anything beyond that.

Each and every private key of a BC Vault wallet is completely random and NOT linked to any previous information (unlike in situation with seed words, where keys are derived from seed words).

Just a WARNING, proceed on your own risk!

Any such utility (if available) should be publicly accessible, so you can review it and know what you are doing by yourself (not sending your crypto data to anyone). Our official support is still available for any trouble related with BC Vault.

[puertadelfuego]

Hi again. I do agree with Alen that one should be careful. I did not say that the private key was derived from password and pin. The AES key that protects the private key is. The private key is securely generated using motion to capture entropy. This is not a flaw in the product just a way to recover / decrypt the wallet using software.

The password and pin go together to create the key to either
1. Decrypt the wallet metadata (global) or
2. Decrypt the encrypted private key in the metadata (wallet).

Yes. Do not trust people just posting on the internet. I won’t be publishing this because I work for a cryptocurrency recovery firm and this is a proprietary asset. I also am not going to advertise them here, but if you send me a message I can give you details. They are an established firm with KYC and have been in many media reports.

This was just to let folks know that there are other entities that can help. This is not a statement that they should not use BCVault direct support. Our primary customers are those who have misplaced or forgotten their passwords.

Thanks all.

PdF.

[alien2108]

Thnx for reaching out, we do not have anything against such services indeed, just wanted to point out people have to be very careful and always DYOR before sharing security critical details with anyone!

I must say that we have some amazing stories of "But I know what the password is, I even wrote it down" compared to what we then find out the mistake of the user was For example a pattern of the pin was claimed to start with UP, but it actually started with RIGHT....