Bitcoin Forum
May 08, 2024, 06:24:43 PM *
Topic: Secure Element in Hardware Wallets (Read 3090 times)
dkbit98 (OP)
October 20, 2021, 10:16:22 AM
 #81

You can order PCBs quite cheaply as well; maybe I'll order the parts and try my luck just for the heck of it ;)
Yeah I know about PCBs and it's more complicated than other parts because it needs to be custom made, other things you just need to order and solder together.
Only problem is that it may be a bit harder to find some parts because of global chip shortage, so you need to look locally as well as doing some internet search.

Just one thing that I'm not sure of is how to program the chip (have to look into it). I have all sorts of programmers here though, so it should work.
All instructions are provided on their GitHub page, but if something is missing I would say that it's very similar to Trezor wallet that has everything posted in more detail, and maybe Bitbox devs are willing to help.
Making some DIY wallet review article may bring more attention to their Bitbox wallet.

n0nce
October 20, 2021, 10:27:22 AM
 #82

~
Unfortunately, no gerber files in the GitHub. I'm not sure how to convert the PDF into Gerber, it may be easy, it may be a pain lol.

When looking online for someone who may have done it already, I came across this:
https://www.eevblog.com/forum/blog/eevblog-1374-diy-trezor-crypto-hardware-wallet-part-1/

EEVBlog attempted the same thing with the Trezor, this should be an interesting video which I now added to my personal 'watch later' list :)

dkbit98 (OP)
October 20, 2021, 10:43:55 AM
 #83

Unfortunately, no gerber files in the GitHub. I'm not sure how to convert the PDF into Gerber, it may be easy, it may be a pain lol.
There is some paid software for doing pdf to gerber conversion, but I think this free and open source software is also good, or you can just extract images from pdf file and convert them to gerber files:
https://swannman.github.io/pdf2gerb/

n0nce
October 20, 2021, 03:08:03 PM
 #84

Unfortunately, no gerber files in the GitHub. I'm not sure how to convert the PDF into Gerber, it may be easy, it may be a pain lol.
There is some paid software for doing pdf to gerber conversion, but I think this free and open source software is also good, or you can just extract images from pdf file and convert them to gerber files:
https://swannman.github.io/pdf2gerb/
According to the documentation, it expects top, bottom and silkscreen layers. However, the BB02 PCB has two middle layers and a drill layer, so I don't think it will work unfortunately. Maybe they might send some gerber files, I'll open a GitHub issue.

dkbit98 (OP)
November 17, 2021, 03:24:20 PM
Last edit: January 02, 2022, 02:45:49 PM by dkbit98
Merited by JayJuanGee (3), malevolent (3)
 #85


News update about Secure Elements, Microchip Technology is migrating their old secure element ATECC608A to the new version ATECC608B.
ATECC608A chip is still used in some hardware wallets like ColdCard Mk3 and Passport, while Bitbox02 recently switched to new version ATECC608B.
Same chip was previously used in M5Stack Core2 ESP32 Development Kit for AWS and it's unknown if they updated it.

Differences between ATECC608A and ATECC608B:

- Low-Frequency I²C Issue fixed (that can cause data corruption and device responding incorrectly)
- Device Revision Differences (package marking on Microchip security devices does not identify the device type)
- Execution Time Differences (after implementing new security enhancements)
- Enhanced Temperature Range (extended range of -40°C to +100°C)
- New Packages (3-pin RBH contact package)

Both of these chips are nearly identical in every other way and devices should be able to replace them fairly easily, but problem is that they are hard to find on market because of supply chain and chip shortage issues.
It is still unclear if these flaws in ATECC608A could affect ColdCard or Passport wallet or if that can be somehow exploited, but manufacturer strongly recommended converting to ATECC608B to enhance overall system security.
Source document: https://ww1.microchip.com/downloads/en/Appnotes/Migrating-from-the-ATECC608A-to-the-ATECC608B-DS40002237A.pdf

dkbit98 (OP)
December 08, 2021, 02:08:59 PM
Merited by JayJuanGee (1)
 #86

List is updated with new and little known hardware wallet Husky HDW20 coming from Canada, that has well known secure element ATECC608A.
This same secure element is used in other hardware wallets like ColdCard Mk3 and Passport, and Bitbox02 previously used this same secure element before switching to new ATECC608B.
Wallet appears to be closed source, I couldn't find any GitHub source, and all desktop and mobile applications are available on their website.
Note that I didn't test this wallet myself and I don't know anyone who owns this device, so I can't confirm if stated secure element is really in this device.

giszmo
December 12, 2021, 02:35:47 AM
Merited by malevolent (7), JayJuanGee (1)
 #87

OP presents SEs as green/good and lack thereof as red/bad. I agree that there are certain situations where a SE can save the day but equally does the SE with their NDA-requirement and secrecy lead to a situation where we trust a black box a whole lot for being our own bank and throw "don't trust - verify" too easily overboard.

Especially hardware wallets that use their SE's TRNG as sole source of entropy should be called out! Nobody can prove the TRNG to be truly random and in the worst case it just creates hash("you won't guess this", serialNumber, sequenceNumber) "random" numbers that the inventor can trivially guess. Such a hardware wallet would allow the provider to know all the private keys generated by all the users, putting him in the position of being able to pull the rug at any time.

Please add in the OP:

  • Is a single TRNG the sole source of entropy?
  • Can the used entropy be audited or does the chip that mungs together all entropy spit out a master seed without accountability?
  • Does the MCU trust the SE? To my understanding, BitBox02 does not entrust the SE even to hold the master seed. It only holds a symmetric key to decrypt the master seed stored outside the SE.

As you can see in my footer, I work on WalletScrutiny where my primary goal is to prevent rug pulls as I see them as a systemic risk if we get another MtGox situation where half the community is affected. Reliance on a compromised TRNG is one of my big concerns.

WalletScrutiny.com: Is your wallet secure? (Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
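
Added example (not from the thread and not any wallet's firmware): a model of the worst case described in the post above, a "TRNG" that is really hash(secret, serialNumber, sequenceNumber), next to the mitigation of mixing the SE output with entropy from independent sources and auditing the result. The class and function names, labels, serial number and dice string are constructed for illustration.

```python
import hashlib
import secrets

# Phrase taken from the post; stands in for a secret only the chip maker knows.
VENDOR_SECRET = b"you won't guess this"


def backdoored_block(serial: bytes, sequence: int) -> bytes:
    """Constructed worst case: hash(secret, serialNumber, sequenceNumber)."""
    return hashlib.sha256(VENDOR_SECRET + serial + sequence.to_bytes(8, "big")).digest()


class BackdooredTRNG:
    """Hypothetical SE 'TRNG' that is really a keyed counter."""

    def __init__(self, serial: bytes):
        self.serial, self.sequence = serial, 0

    def read(self) -> bytes:
        block = backdoored_block(self.serial, self.sequence)
        self.sequence += 1
        return block


def ones_fraction(data: bytes) -> float:
    """Monobit check: share of 1-bits, about 0.5 for random-looking output."""
    return sum(bin(byte).count("1") for byte in data) / (8 * len(data))


def mix_entropy(contributions: dict) -> bytes:
    """Hash labelled, length-prefixed contributions into a 32-byte seed.

    The seed stays unpredictable as long as one contribution is unknown
    to the attacker; length prefixes keep the encoding unambiguous.
    """
    h = hashlib.sha256(b"seed-mix-example")  # hypothetical domain tag
    for label in sorted(contributions):
        value = contributions[label]
        h.update(len(label).to_bytes(2, "big") + label.encode())
        h.update(len(value).to_bytes(4, "big") + value)
    return h.digest()


def vendor_recovers(seed: bytes, serial: bytes, known_others: dict,
                    max_sequence: int = 16) -> bool:
    """Can the chip maker reproduce the seed from serial + what else it knows?"""
    for sequence in range(max_sequence):
        guess = dict(known_others, se_trng=backdoored_block(serial, sequence))
        if secrets.compare_digest(mix_entropy(guess), seed):
            return True
    return False


def audit_seed(seed: bytes, disclosed: dict) -> bool:
    """User-side audit: recompute the seed from the disclosed contributions."""
    return secrets.compare_digest(mix_entropy(disclosed), seed)


def demo() -> dict:
    serial = b"SN-0001"                      # constructed serial number
    dice = b"3516242251346615"               # constructed user dice rolls
    trng = BackdooredTRNG(serial)
    stream = b"".join(backdoored_block(serial, i) for i in range(16))

    sole = mix_entropy({"se_trng": trng.read()})
    weak_parts = {"se_trng": trng.read(), "host": bytes(32)}      # host sends zeros
    good_parts = {"se_trng": trng.read(), "host": secrets.token_bytes(32), "dice": dice}
    weak, good = mix_entropy(weak_parts), mix_entropy(good_parts)

    return {
        "looks_random": abs(ones_fraction(stream) - 0.5) < 0.05,
        "sole_source_recovered": vendor_recovers(sole, serial, {}),
        "weak_mix_recovered": vendor_recovers(weak, serial, {"host": bytes(32)}),
        "good_mix_recovered": vendor_recovers(good, serial, {"dice": dice}),
        "audit_ok": audit_seed(good, good_parts),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The output passes a bit-balance check in every case, so black-box statistics cannot tell the keyed counter from a real TRNG; only the mix that includes a contribution the vendor never sees resists recovery, and only disclosed contributions make the seed auditable.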
dkbit98 (OP)
December 12, 2021, 02:03:52 PM
Merited by malevolent (8), JayJuanGee (1)
 #88

OP presents SEs as green/good and lack thereof as red/bad. I agree that there are certain situations where a SE can save the day but equally does the SE with their NDA-requirement and secrecy lead to a situation where we trust a black box a whole lot for being our own bank and throw "don't trust - verify" too easily overboard.
I was neutral in this case, and I simply showed a color, green generally means GO, red color means STOP in traffic, but there is nothing good or bad about that.
I can also say that tomato is red and cucumber is green, but that doesn't mean either of them are good or bad.
If you read what I wrote, I actually said that secure elements can potentially be exploited by malicious firmware updates, and I wrote many times about dangers of hidden NDAs.

Especially hardware wallets that use their SE's TRNG as sole source of entropy should be called out! Nobody can prove the TRNG to be truly random and in the worst case it just creates hash("you won't guess this", serialNumber, sequenceNumber) "random" numbers that the inventor can trivially guess. Such a hardware wallet would allow the provider to know all the private keys generated by all the users, putting him in the position of being able to pull the rug at any time.
I already wrote a topic about Seed Generation in Hardware Wallets including entropy, and I am somehow aware of flaws with random generation (TRNG, HRNG, PRNG) but I am not at all expert and I don't understand deeply how they actually work.
You are free to contribute to this or any other of my topics and correct any potential mistakes I made:
https://bitcointalk.org/index.php?topic=5317199.0

As you can see in my footer, I work on WalletScrutiny where my primary goal is to prevent rug pulls as I see them as a systemic risk if we get another MtGox situation where half the community is affected. Reliance on a compromised TRNG is one of my big concerns.
I know your work, but I doubt MtGox can be repeated with hardware wallets.
More likely scenario is that some government agency or malicious actor infiltrate any spy from the inside.

JL0
December 12, 2021, 07:15:45 PM
 #89

Trezor releasing their new device with SE in 2022? Any ETA?
dkbit98 (OP)
December 13, 2021, 12:23:34 PM
Last edit: December 13, 2021, 02:19:17 PM by dkbit98
Merited by JayJuanGee (1)
 #90

Trezor releasing their new device with SE in 2022? Any ETA?
Nobody knows exact date and time especially with global chips shortage and problems with supply chain, but it is planned for the end of 2022.
You can follow Trezor Tropic Square for news, and I will probably post any new information I hear in due time here.
Important thing here is that this would be the first open source secure element, without secret NDAs signed.


List is updated and new secure element ST33K1M5C added for Ledger Nano S Plus device that is not yet officially released.
I also made separate entries for currently available Ledger hardware wallets because they all have different secure elements.

JL0
December 16, 2021, 11:43:50 AM
 #91

Trezor releasing their new device with SE in 2022? Any ETA?
Nobody knows exact date and time especially with global chips shortage and problems with supply chain, but it is planned for the end of 2022.
You can follow Trezor Tropic Square for news, and I will probably post any new information I hear in due time here.
Important thing here is that this would be the first open source secure element, without secret NDAs signed.


List is updated and new secure element ST33K1M5C added for Ledger Nano S Plus device that is not yet officially released.
I also made separate entries for currently available Ledger hardware wallets because they all have different secure elements.

Thank you.
malevolent
December 17, 2021, 11:56:16 PM
 #92

As you can see in my footer, I work on WalletScrutiny where my primary goal is to prevent rug pulls as I see them as a systemic risk if we get another MtGox situation where half the community is affected. Reliance on a compromised TRNG is one of my big concerns.

Thankfully the whole Bitcoin space/ecosystem is more mature and varied now, any rug pull involving a major hardware wallet provider would be limited in damage.

dkbit98 (OP)
December 29, 2021, 01:52:15 PM
Merited by JayJuanGee (1), malevolent (1)
 #93

Thankfully the whole Bitcoin space/ecosystem is more mature and varied now, any rug pull involving a major hardware wallet provider would be limited in damage.
I have a feeling it's not mature enough, and the bigger one hardware wallet manufacturer gets, the more it increases the risk.
It's enough to show how mature and pro company is when all private customer information is leaked online :P

Nice little article about Secure Elements explaining how they work, and what disadvantages/advantages they have.
Like we talked before, biggest issue with secure elements is the fact that most of them are still closed source and we can't really verify chip security.
Second problem is all the Certification levels, that makes customer having to trust companies who are evaluating all this.
Having said that I noticed that Ledger recently changed their certification to EALS+ and I can't find any information about that anywhere on internet...

They suggest best way for solving these problems and disadvantages is with using multi-vendor multisig with multiple hardware wallets.
https://unchained.com/blog/bitcoin-what-is-a-secure-element/

malevolent
December 31, 2021, 07:36:46 PM
 #94

I have a feeling it's not mature enough, and the bigger one hardware wallet manufacturer gets, the more it increases the risk.
It's enough to show how mature and pro company is when all private customer information is leaked online :P

But that's nothing to do with security flaws in hardware, software, RNGs, etc. that non-technical users would have a difficult time protecting themselves against. Irresponsible behaviour of mature companies in other fields that results in leaks of customer info is also not an uncommon occurrence. (although an argument could be made that if they were sloppy with PI they might have been sloppy elsewhere, too)

dkbit98 (OP)
January 02, 2022, 02:51:07 PM
Merited by JayJuanGee (3), malevolent (2), n0nce (1)
 #95

Onekey hardware wallet team finally released security information about their device with more information about secure element they are using for latest model Onekey Mini.
This is well known microchip ATECC608A used in many other hardware wallets like Coldcard Mk3, Passport, Husky HDW20, in some M5stack Amazon AWS ESP32 device and it was previously used in Bitbox02.
Like I wrote before, microchip ATECC608A is not outdated and it has some flaws with low-Frequency I²C Issue that can cause data corruption and device responding incorrectly.
This was all fixed and updated in new version ATECC608B that is used only in Bitbox02 hardware wallet so far.

Onekey also talked about certification (EAL6 for secure element), random number generator they use, and about Ultrasonic Welding used to reduce risks of tampering with device.
Third party firmware can't be installed on their device because of use of security chip protection.
https://onekey.so/security

dkbit98 (OP)
May 25, 2022, 03:34:25 PM
Merited by vapourminer (3), JayJuanGee (2), malevolent (2), n0nce (2), DdmrDdmr (1), JL0 (1)
 #96

Secure element information updated for ColdCard Mk4 hardware wallet, that now has two secure elements SE1 Microchip ATECC608B and SE2 Maxim DS28C36B, along with STM32 main microcontroller.
They are using something called Pairing Secret, that means that secret is shared between three components, two secure elements and microprocessor.
If one of those chips gets compromised, wallet with secret will be safe, and they use trick PINs for improving security of their devices.
ColdCard developers explained better in more detail how Dual Secure Elements work on their GitHub page:
https://raw.githubusercontent.com/Coldcard/firmware/master/docs/mk4-secure-elements.md

More information about second secure element they use - DeepCover Secure Authenticator Maxim DS28C36:
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/DS28C36.html

JL0
May 27, 2022, 06:23:08 PM
 #97

Secure element information updated for ColdCard Mk4 hardware wallet, that now has two secure elements SE1 Microchip ATECC608B and SE2 Maxim DS28C36B, along with STM32 main microcontroller.
They are using something called Pairing Secret, that means that secret is shared between three components, two secure elements and microprocessor.
If one of those chips gets compromised, wallet with secret will be safe, and they use trick PINs for improving security of their devices.

ColdCard developers explained better in more detail how Dual Secure Elements work on their GitHub page:
https://raw.githubusercontent.com/Coldcard/firmware/master/docs/mk4-secure-elements.md

More information about second secure element they use - DeepCover Secure Authenticator Maxim DS28C36:
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/DS28C36.html
Are there other wallets that use such a procedure?

I think it's very good what ColdCard does. So you don't have to fully trust the SE.
Pmalek
May 28, 2022, 07:31:32 AM
Merited by JayJuanGee (1), JL0 (1)
 #98

Secure element information updated for ColdCard Mk4 hardware wallet, that now has two secure elements SE1 Microchip ATECC608B and SE2 Maxim DS28C36B, along with STM32 main microcontroller.
They are using something called Pairing Secret, that means that secret is shared between three components, two secure elements and microprocessor.
If one of those chips gets compromised, wallet with secret will be safe, and they use trick PINs for improving security of their devices.

ColdCard developers explained better in more detail how Dual Secure Elements work on their GitHub page:
https://raw.githubusercontent.com/Coldcard/firmware/master/docs/mk4-secure-elements.md

More information about second secure element they use - DeepCover Secure Authenticator Maxim DS28C36:
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/DS28C36.html
Are there other wallets that use such a procedure?
The term "pairing secret" sounded familiar and I could swear I saw it somewhere before. Turns out that Coldcard's Mk2 hardware wallets use pairing secret as well, but only between one secure element and the microcontroller. Ledger's Donjon team successfully attacked the older ATECC508A secure element chip with laser beams back in 2020, but such an attack is not possible on the newer chip models.

dkbit98 (OP)
May 30, 2022, 05:46:29 PM
Merited by vapourminer (1), JayJuanGee (1), JL0 (1)
 #99

Are there other wallets that use such a procedure?
I don't think anything similar was used in other currently available hardware wallets, and ColdCard was actually forced to invent this quick bandage solution after their older version Mk3 was recently hacked with extracted secret phrase and changed PIN.
If you ask me, I wouldn't use any of Coldcard devices, and all of them had big security flaws in past, so there is no reason to think anything better will happen with Mk4.
Mk2 had bad secure element that was revealed by Ledger Donjon team, and most of Mk3 devices that exist today are all affected by their design flaw.


Pmalek
June 01, 2022, 09:04:39 AM
 #100

According to a well-known hardware hacker, STM microcontrollers are vulnerable to fault injection on a hardware level. You can patch it up or apply a bandage solution (like dkbit98 said) on the firmware and on a software level, but you are still dealing with an unsafe hardware component. Unsafe in the right hands.   
