Should Hardware Wallets Be Open Source?

[Ann1989]

An aspect of security hardware wallet owners need to be keenly aware of is zero-day attacks. In zero-day attacks, the period of time between when a previously unknown vulnerability is exposed or announced and when it is fixed presents a perfect window of opportunity for a hacker to carry out an attack.

Because vulnerabilities in hardware wallets are often resolved through firmware upgrades, it usually takes a while after official security patches have been released for users to actually install them and fix the issue. With some users who, after having set up their hardware wallet, don’t open it for months or even years, exposure to zero-day attacks is dramatically increased.

Perhaps counterintuitively for those experienced with open source software development, a black box, or device with a closed source code, is more secure than a white box with an open source code.

There's more here: https://medium.com/cobo-vault/should-hardware-wallets-be-open-source-52209e046cf2?source=collection_home---4------0-----------------------

It's a very interesting opinion!

[1714661580]

1714661580

[1714661580]

1714661580

[1714661580]

1714661580

[1714661580]

1714661580

[1714661580]

1714661580

[Pmalek]

That is why Ledger has something that is known as "Responsibly Disclosing of Vulnerabilities". https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/
They don't simply make the findings public when they are discovered. They analyze them and inform the affected party, in this case Trezor, about their findings. The developers are given time to fix the issues before they go public.

Open source is always better than closed source. You need to know what is going on under the hood. With closed source software your usage is based on just a promise that the developers intentions are good.

[Ann1989]

That is why Ledger has something that is known as "Responsibly Disclosing of Vulnerabilities". https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/
They don't simply make the findings public when they are discovered. They analyze them and inform the affected party, in this case Trezor, about their findings. The developers are given time to fix the issues before they go public.

Open source is always better than closed source. You need to know what is going on under the hood. With closed source software your usage is based on just a promise that the developers intentions are good.

It's more a matter of context. GitHub, the world’s largest host of source code, indicates that there are only around 180 contributors to the open source code of the oldest hardware wallet brand, Trezor. This statistic stands in sharp contrast with the communities of other hardware products such as the Raspberry Pi, whose contributors to its open source firmware number around 9,500. In the context of our relatively small development community, we need to be especially wary of the fact that sharing source code is a double-edged sword. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks. Open source code can even open the door for cybercriminals to produce counterfeit hardware wallets capable of deceiving consumers — a security threat Trezor has already been the victim of: https://cointelegraph.com/news/trezor-one-wallets-forgery-reveals-new-techniques-used-to-steal-crypto

[Ann1989]

That is why Ledger has something that is known as "Responsibly Disclosing of Vulnerabilities". https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/
They don't simply make the findings public when they are discovered. They analyze them and inform the affected party, in this case Trezor, about their findings. The developers are given time to fix the issues before they go public.

Open source is always better than closed source. You need to know what is going on under the hood. With closed source software your usage is based on just a promise that the developers intentions are good.

Ledger is not completely open source. Trezor is.

[bitmover]

Ledger is not completely open source. Trezor is.

You are right.
Every software should be open source, as it is much safer.
However trezor has vulnerabilities which ledger doesn't like this one

So everyone with a trezor device should use a strong passphrase to protect yourself against this vulnerability
https://cryptobit.media/en/news/other/1789/

[ThatRandom8543]

Ledger is not completely open source. Trezor is.

You are right.
Every software should be open source, as it is much safer.
However trezor has vulnerabilities which ledger doesn't like this one

So everyone with a trezor device should use a strong passphrase to protect yourself against this vulnerability
https://cryptobit.media/en/news/other/1789/

Yea, but this is a physical attack and still need the right tools and skills to take advantage of it, so the likelihood of such an attack being taken place is close to 0, though if someone has access to the device, knowledgeable and know it would be worth it (and assuming that there isnt additional security measures in place), they could do it. I do agree that people should be using a additional passphrase with their hw wallet (or any wallet in that matter).

However, with ledger, with it being close source, we dont know of any vulnerabilities that may not be fixable (I suspect that their ledger blue has an security bug that cannot be fixed, though it could just be that they know that was really a failure product). Furthermore, with them relying on a third party security chip (secure element), that raises alot more question about how reliable such a third party may be, if there are unknown backdoors, etc.

[DaveF]

Yes they should be. And some are down to the hardware level.
The issue becomes how far down the "rabbit hole" do you want to go?

Want to build your own ColdCard? Then follow their handy guide. And be really good with putting things on circuit boards:
https://blog.coinkite.com/coldcard-hardware-shared/

BUT....

For the software yes you can fully open source it. Go hardware and you eventually have to trust somebody.

The ATECC608A-MAHCZ-S auth / security chip is an off the shelf part. Do you want to have the source on that? What about the ARM M4? Etc.

Oh, and on a side note do you have to think about software used to make the firmware on the wallet?

-Dave

[bitmover]

Yea, but this is a physical attack and still need the right tools and skills to take advantage of it, so the likelihood of such an attack being taken place is close to 0, though if someone has access to the device, knowledgeable and know it would be worth it (and assuming that there isnt additional security measures in place), they could do it. I do agree that people should be using a additional passphrase with their hw wallet (or any wallet in that matter).

I agree, very unlikely to happen. Both wallets are safe, open source or not.

However, with ledger, with it being close source, we dont know of any vulnerabilities that may not be fixable (I suspect that their ledger blue has an security bug that cannot be fixed, though it could just be that they know that was really a failure product). Furthermore, with them relying on a third party security chip (secure element), that raises alot more question about how reliable such a third party may be, if there are unknown backdoors, etc.

There is no backdoor. There is no reason to believe that.
Ledger firmware is not open source for technical reasons, not because they are scammers.

All ledger nano applications are open source.

Look at this quote from ledger co-founder in reddit:

https://www.reddit.com/r/ledgerwallet/comments/6vgl1z/is_the_nano_ss_firmware_open_source/
btchip Ledger Innovation Lead & Co-Founder 2 years ago
The applications are Open Source and available on https://github.com/LedgerHQ

The firmware itself is not Open Source yet, but most parts will be in the future (see https://blog.ledger.co/secure-hardware-and-open-source-ecd26579d839 for an architecture description). In the meantime a motivated party can verify that the isolation works as described.

https://www.reddit.com/r/ledgerwallet/comments/amsc3t/is_ledger_open_source/
btchip Ledger Innovation Lead & Co-Founder 10 months ago
The applications are Open Source, more and more parts of the Operating System itself will be opened over time. We've chosen this architecture because it's not possible to achieve the level of physical security we're looking for with generic chips today. For more information about our architecture you can check https://www.ledger.fr/2016/06/09/secure-hardware-and-open-source/

[ThatRandom8543]

There is no backdoor. There is no reason to believe that.
Ledger firmware is not open source for technical reasons, not because they are scammers.

All ledger nano applications are open source.

The firmware is not open source for mainly legal reasons. Due to them using the secured element and having to sign a NDA (apparently), they arent allow to share code tied to the secure element. Rather if this is true or not is yet to be seen, but could still have the firmware open abit more without much exposure. Also, I never implied that they (ledger or any company) are scammers, however I wont rule out a "backdoor" either since. Not saying that ledger implemented directly either and keep in mind im also referring to zero day exploits that cannot be easily discovered like you could be able to find out with trezor (or other open source hw wallets) through auditing the code and have a understanding of how the hardware works with little to know reverse engineering.

[DaveF]

There is no backdoor. There is no reason to believe that.
Ledger firmware is not open source for technical reasons, not because they are scammers.

All ledger nano applications are open source.

The firmware is not open source for mainly legal reasons. Due to them using the secured element and having to sign a NDA (apparently), they arent allow to share code tied to the secure element. Rather if this is true or not is yet to be seen, but could still have the firmware open abit more without much exposure. Also, I never implied that they (ledger or any company) are scammers, however I wont rule out a "backdoor" either since. Not saying that ledger implemented directly either and keep in mind im also referring to zero day exploits that cannot be easily discovered like you could be able to find out with trezor (or other open source hw wallets) through auditing the code and have a understanding of how the hardware works with little to know reverse engineering.

Which goes back to what I said. How far down the rabbit hole do you want to go?
Let's say I make a secure element, the "Dave Chip". Knowing how it works only gets you so far. Unless you can really really really understand the microcode & design of the chip knowing how it talks to the application are only going to get you so far. Look at Meltdown and Spectre as prime examples. Yes, CPUs are vastly more complicated then a security chip, but there are also a lot less eyes on it. Same thing with the M4 that is in the ColdCard (I don't know what CPU the others use) if there is something lurking in there we may never find out.

It's all about reasonable security. I would think the bigger security issue would be there are probably still more people using the same 4 digit pin for their phone VM and their ATM card and their ColdCard then there are going to be vulnerabilities in all the hardware wallets combined. But, we can't stop that.

-Dave

[bitbro678]

Ledger is not completely open source. Trezor is.

You are right.
Every software should be open source, as it is much safer.
However trezor has vulnerabilities which ledger doesn't like this one

So everyone with a trezor device should use a strong passphrase to protect yourself against this vulnerability
https://cryptobit.media/en/news/other/1789/

Yea, but this is a physical attack and still need the right tools and skills to take advantage of it, so the likelihood of such an attack being taken place is close to 0, though if someone has access to the device, knowledgeable and know it would be worth it (and assuming that there isnt additional security measures in place), they could do it. I do agree that people should be using a additional passphrase with their hw wallet (or any wallet in that matter).

However, with ledger, with it being close source, we dont know of any vulnerabilities that may not be fixable (I suspect that their ledger blue has an security bug that cannot be fixed, though it could just be that they know that was really a failure product). Furthermore, with them relying on a third party security chip (secure element), that raises alot more question about how reliable such a third party may be, if there are unknown backdoors, etc.

It's not close to 0. Trezor has already been a victim of counterfeiting: https://cointelegraph.com/news/trezor-one-wallets-forgery-reveals-new-techniques-used-to-steal-crypto. I'm a strong advocate of open source, but in this case maybe it's not such a good idea to have everything out in the open, that even hackers can access.

[Tibu]

I will preach for my church : yes, hardware wallet should be open source AND use hardware that is built on an open standard.
Just like the Satochip hardware wallet... 

[Ann1989]

I will preach for my church : yes, hardware wallet should be open source AND use hardware that is built on an open standard.
Just like the Satochip hardware wallet... 

Maybe sometime in the future when we have a large developer community. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks.

[Pmalek]

the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks.

Releasing the source code also makes it possible for developers to receive feedback from the community and valuable inputs that can be used to improve their future releases.
"Four eyes see more than two"

Using public transportation makes it possible for a mugger to rob you but you also get to work faster.

 

[Tibu]

I will preach for my church : yes, hardware wallet should be open source AND use hardware that is built on an open standard.
Just like the Satochip hardware wallet... 

Maybe sometime in the future when we have a large developer community. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks.

Yeah, right. But in the other hand, if the bug is found by an ethical hacker, he may push a corrective patch instead of trying to corrupt some hardware wallet.
This is a good example : https://satochip.io linked to the Github repo : https://github.com/Toporin/SatochipApplet/releases/tag/v0.9-0.1

[kwaskoff]

You can understand what you need if you read this
https://blog.trezor.io/satoshilabs-security-philosophy-manifesto-11791ac06f14

and this https://www.ledger.com/secure-hardware-and-open-source/

don't trust - verify! Only open source and open hardware

[Pmalek]

Snip

If the reasons of not releasing parts of the code outweigh the reasons to do it, the project developers have the right to protect their creation. I am talking about the secure element of Ledger hardware wallets. Open source is the right path but what if that path leads to a huge financial loss for everyone involved? Users and the company itself.

People will never come to an agreement on this. Some will advocate fully open-sourced software, others will understand that that bears a certain risk. But so does close-sourced software as well.
Those are the facts when it comes to Ledger. You either accept that and use it, or you move on to something else. I think that is the best way to look at it.

[LTU_btc]

Perfectly, hardware wallets should be open source. Though, most popular hardware wallet isn't open source and it's not a problem at all. But I think it's Ledger is more like exception from the rule, they already earned trust without being open source. But IMO every new hardware wallet which enter market, it must be open source. If they aren't open source, it creates some doubts about them, that they may have something what they want to hide.
By the way, how many of you actually verify source code yourselve before buying hardware wallet or other thing or downloading open source program? I'm sure that minority are doing that...