Hardware wallets can steal your seed!

[dkbit98]

If you still trust your hardware wallet manufacturer for keeping your seed words, you should think again, especially if they are closed source devices.

Bitbox released interesting blog article few days ago, and they are talking more about Nonce Covert Channel Attack.
Most attacks could be mitigated by using third party open source wallets like Electrum connected with your hardware device, but this attack can bypass even that.
Malicious wallet can manipulate nonces (random number) with additional data like parts of the seed as a hidden secret, and third party app has no way of verifying that this data is really random or it contains some hidden data.

After sending more transactions attackers (malicious manufacturer or government agency) could have enough information to collect entire leaked master private key.
Using this covert channel manufacturer could collect the seeds of all users without anyone noticing that!
This attack is virtually impossible to prove and this gives additional motivation for malicious actors to perform attacks like this.
Nobody knows if this attacks have even been performed in real life, but it's possible that someone already made a database of users or this could happen in near future especially with closed source devices.


https://shiftcrypto.ch/blog/how-almost-all-hardware-wallets-can-steal-your-seed/

As a protection from this attacks Shift Crypto and Blockstream are working on Anti-Klepto protocol that is adding additional randomness by the host device.
This prevents the hardware wallet from manipulating the nonce and sending additional hidden information with every transaction.
BitBox02 and Blockstream Jade are the first hardware wallets to implement this protections, but they are calling all other manufacturers to add this open source protocol.
If someone don't want to add Anti-Klepto protocol or go open source, than you know you should stay away from this wallet manufacturer and move your coins to other device, if you want long term storage of your coins.

They didn't say anything about QR codes, but I think this attack could be even more dangerous with devices that advertise as airgapped but they use closed source QR codes (like Safepal).

[1714158831]

1714158831

[1714158831]

1714158831

[1714158831]

1714158831

[1714158831]

1714158831

[DaveF]

Have to read more about this, but I guess the main question is without actually taking it apart and verifying the hardware itself does it really matter?
Picking on coldcard:

If I follow the diagrams and buy all the parts and build myself a coldcard, unless the chip manufacturer was compromised I know what I have and can look at the code and compile it myself.
But, if I buy one premade I can see that the chip is a STM32L4S5VIT6. But, is it? Someone with enough time and effort build a chip that looks like and acts like one. But does have some really fun code embedded in it.

So unless I shave the top off the M4 CPU and look at it under a high power microscope do I really know it is one?

Crap....back to dice, air gapped and multisig.....

-Dave

[jackg]

I saw a Reddit thread that seems to suggest trezors generate random numbers from a mix of inputs from the host device and itself - if this is also used for the nonce when signing (and I can't imagine why it wouldn't be) then this likely isn't an attack vector with the trezor (aside from it being missed somewhere and just being a general bug).

I don't know why they'd make a report like this and use it on their own hardware wallet without proving the attack works on others though - unless something is going to come out about other wallets needing major security patches soon - although I would expect those wallet manufacturers to have been contacted privately before this release too if that was the case.

Edit: I used trezor as an example because they're the most trusted hardware wallet.

[witcher_sense]

Sorry, I ain't buying this. It all sounds like a very clever marketing trick to get people to buy BitBox and Blockstream products. We have discovered a very sophisticated attack vector that cannot be detected or proven. This attack can be made on any hardware wallet, except for those protected by our smart software, which, by the way, we developed beforehand to give people a way to protect against this sophisticated attack. There is a serious problem, there is only one solution developed by us. Anti-klepto means our idea is patented: you can't steal it, sorry. You can't verify that randomness coming from hardware wallet is actually random (especially if these wallets aren't BitBox or Jade), but you should trust that anti-klepto software generates true randomness. Just buy our program and sleep well. Anti-klepto. Beyond cryptography.

[SFR10]

As a protection from this attacks Shift Crypto and Blockstream are working on Anti-Klepto protocol that is adding additional randomness by the host device.

Not sure if it's just a coincidence that it overlaps some of the recent events with a certain exchange, but it's interesting that they suddenly "mentioned it again after a very long time"!
^{- It's worth noting that Blockstream uses a slightly different term: Anti-Exfil: Stopping Key Exfiltration}

[Pmalek]

<Snip>

It's a marketing trick to advertise their own product and highlight how much better and safer it is than those of the competition. At this stage it's all theory. That doesn't mean it can't be done, but it also doesn't mean it is being done by other companies, or that they know how to do it, or want to do it.

If this is a feasible threat, they should take a hardware wallet from the competition, manipulate the nonces of transactions to include sensitive data, broadcast them, and show the community how it looks like in practice. After dozens of transactions, the seed should in that case already be leaked and become obtainable from the blockchain. Reconstruct it and the the vulnerability has been proven. After that, do the same thing with your own hardware wallet and invite others to do it with active Anti-Klepto protocol and prove that it's impossible thanks to said protocol. Until then, it's only unproven theory.

[The Sceptical Chymist]

If this is a feasible threat, they should take a hardware wallet from the competition, manipulate the nonces of transactions to include sensitive data, broadcast them, and show the community how it looks like in practice.

All of my technical ignorance aside, this sounds reasonable to me, as does the claim that this is a marketing ploy to tap into people's fears about crypto, which have obviously been stoked as a result of the recent FTX debacle among other things.

This attack vector might sound plausible in theory--and it might actually turn out to be a successful one for hackers--but as of right now I haven't seen any reports of hardware wallets being hacked....at all.  Have any of you?  And I mean by any method, not just this one.  I'd imagine as soon as anyone proves that a Ledger, Trezor, or any of the better-known HW wallets have a vulnerability that's caused an actual loss, it'd blow up all over this forum.

I've got nothing against BitBox, BTW.

[NeuroticFish]

Theoretical issues are there from second one.
We don't know if the HW maker is honest or has included a backdoor in creation of the seed. It's not "stealing the seed" per se, it's more like creating the seed by somewhat simpler rules to allow easier brute forcing by them.
This would be even easier imho than this "Nonce Covert Channel Attack", although this nonce attack could reveal the seed no matter where and how it was generated.

I guess that no matter who is making the hardware wallet, the user unfortunately has to trust that company at least a little bit. But this was true from start, hence the hardware wallets should be used for "daily funds", not for a mix of daily funds and cold storage (safely generated paper wallet or seed is still more suitable for that).

But, as the others said, I don't see why a HW company would blew its reputation by doing this kind of shenanigans, especially one with great sales over many years. And since the "finding" brings nothing new, it may indeed be just for advertising.

Crap....back to dice, air gapped and multisig.....

How about SeedSigner? Since that's 100% open source, maybe it can bear more trust? Plus it already uses dice afaik.

[BlackHatCoiner]

Isn't this old news already? It's entirely possible for an intermediary to deliver you altered product. Note that this is true so for hardware wallets as for hardware in general. An intermediary can theoretically mess with the RNG of a laptop, or of a desktop in the same way.

How about SeedSigner? Since that's 100% open source, maybe it can bear more trust? Plus it already uses dice afaik.

Yes. First of all, the hardware parts come separately, so it's more transparent than a hardware wallet. Second, yeah, it does allow you to either roll dice or take a photo and use that as the entropy (the latter isn't recommended). You can verify that it's true by just feeding the hash function with your dice results outside Raspberry Pi.

[Pmalek]

This attack vector might sound plausible in theory--and it might actually turn out to be a successful one for hackers--but as of right now I haven't seen any reports of hardware wallets being hacked....at all.  Have any of you?  And I mean by any method, not just this one.

All hacks that have happened have required physical access to the device, a set of specialized hardware and tools, knowledge about what you are doing, outdated software, and luck. Joe Grand's hacking of the Trezor one fulfils all those criteria. I have never heard of a remote attack on a hardware wallet.   

[n0nce]

The chip might act completely normal and even show the correct firmware hash upon boot but run additional code that keeps a backdoor open.

Where exactly would that backdoor code be running, though, if not in the (verified) firmware?

In my opinion, you need to check that the build is reproducible and that the code is good. Then, by transitivity, you know that the code running on the wallet is also good.

Instead of solely relying on the randomness that the hardware wallet provides for the nonce, additional randomness is provided by the host device.

I honestly don't like this. The 'traditional hardware wallet model' assumes a compromised host and a secure hardware wallet. This guarantees users that their coins are secure, no matter what's happening on the host.
Now we're giving security responsibilities back to this compromised host, to account for potential security threats in the hardware wallet?

If we are confident trusting the host to be secure, why do we need the hardware wallet?
If we don't trust the host, how can we verify that the 'additional randomness' from the host is good?

I realize that the attackers for the 2 scenarios are probably different entities, but focusing on making the device secure, no matter what happens on the host - or what the manufacturer may try to sneak into the device, seems more intuitive and rational in my opinion.

Isn't this old news already? It's entirely possible for an intermediary to deliver you altered product. Note that this is true so for hardware wallets as for hardware in general. An intermediary can theoretically mess with the RNG of a laptop, or of a desktop in the same way.

Absolutely; it applies to any hardware and is more likely to happen with Bitcoin-specific products. Most hardware wallets either have supply-chain validation (other link), tamper-evident labels or other security measures against that.

DIY will be the safest way, also for your own op-sec, due to shipping. Even applies to very dumb metal plates, which by the simple fact of ordering online, can leak the fact that you own BTC to a number of entities.
However, no DIY device has secure, permanent storage, resistance against hardware attacks and is easy to set up and use quickly for the average (even advanced) user.

[dkbit98]

Sorry, I ain't buying this. It all sounds like a very clever marketing trick to get people to buy BitBox and Blockstream products. We have discovered a very sophisticated attack vector that cannot be detected or proven. This attack can be made on any hardware wallet, except for those protected by our smart software, which, by the way, we developed beforehand to give people a way to protect against this sophisticated attack. There is a serious problem, there is only one solution developed by us. Anti-klepto means our idea is patented: you can't steal it, sorry. You can't verify that randomness coming from hardware wallet is actually random (especially if these wallets aren't BitBox or Jade), but you should trust that anti-klepto software generates true randomness. Just buy our program and sleep well. Anti-klepto. Beyond cryptography.

Sorry, but this is just a bunch of assumptions you wrote here.
This guys worked together and released OPEN SOURCE solution that is FREE and can be implemented in any wallet, so they never said you should only buy their hardware wallets.
Randomnnes can be proved because everything is open source, so you don't have to trust anything if you can read the code, and I guess you can't.

Not sure if it's just a coincidence that it overlaps some of the recent events with a certain exchange, but it's interesting that they suddenly "mentioned it again after a very long time"!
^{- It's worth noting that Blockstream uses a slightly different term: Anti-Exfil: Stopping Key Exfiltration}

When there is a possibility there is always a chance someone is going to use this attack in future (if they are not using it already).
There is a saying better prevent than cure (better safe than sorry), but I guess people like to be ignorant, this reminds me on all this people that are keeping coins on centralized exchanges, because they are safu.
Question is why would anyone exclude possibility that closed source devices could send hidden information with every transaction?

But, as the others said, I don't see why a HW company would blew its reputation by doing this kind of shenanigans, especially one with great sales over many years. And since the "finding" brings nothing new, it may indeed be just for advertising.

Yeah I also don't understand why Scam Bankman would get his ''reputation'' ruined doing his shenanigans with FTX, but he still did it  
It's much easier to do crime if you have closed source product and you are collecting bunch of stuff from people all the time, and nobody can prove it.
This can also be done in cooperation with governments, so nobody would end up in jail like this.

If we don't trust the host, how can we verify that the 'additional randomness' from the host is good?

I don't see anything wrong with this, everything is open source and it sounds to me very similar like passphrase is used to add additional salt to passphrase, and nobody is complaining about it.


I also want to remind you all to check my old topic about Seed Generation in Hardware Wallets:
https://bitcointalk.org/index.php?topic=5317199.0

[n0nce]

If we don't trust the host, how can we verify that the 'additional randomness' from the host is good?

I don't see anything wrong with this, everything is open source and it sounds to me very similar like passphrase is used to add additional salt to passphrase, and nobody is complaining about it.

Choosing a passphrase doesn't rely on an uncompromised host that generates good 'additional randomness', though. That's the reason this feels different to me.

[Pmalek]

In my opinion, you need to check that the build is reproducible and that the code is good. Then, by transitivity, you know that the code running on the wallet is also good.

The problem is, one does not imply the other. A wallet and its code being reproducible doesn't make the code good, not vulnerable, or maliciously modified. While most people can check the reproducibility element or rely on sources like WalletScrutiny, there are very few of those among average users who have the skills to investigate the code and understand what does what. 

Sorry, but this is just a bunch of assumptions you wrote here.

Exactly. But the research by the BitBox folks is also based on theoretical assumptions and hasn't been proven in practice.

When there is a possibility there is always a chance someone is going to use this attack in future (if they are not using it already).

True, there is. But if someone is using it and dumping secret data, the BitBox devs can point that out on the public blockchain where it can in their own theory be found.

[n0nce]

In my opinion, you need to check that the build is reproducible and that the code is good. Then, by transitivity, you know that the code running on the wallet is also good.

The problem is, one does not imply the other. A wallet and its code being reproducible doesn't make the code good, not vulnerable, or maliciously modified. While most people can check the reproducibility element or rely on sources like WalletScrutiny, there are very few of those among average users who have the skills to investigate the code and understand what does what.

If the source code of a piece of software / firmware is not thoroughly analyzed for vulnerabilities and bugs, it defeats one of the main purposes of open-source.
The solution to this cannot be releasing yet another software (running on the host) to account for potential bugs in the hardware wallet. It will become a cat-and-mouse game. Now who verifies the host software?

More code = more to verify = less likelihood of good coverage.
KISS principle

[witcher_sense]

Sorry, but this is just a bunch of assumptions you wrote here.

Of course, but these are not mere assumptions, these are marketing tricks to attract users' attention and maybe even make them outraged by making ridiculous claims. These claims don't have to be the absolute truth, as you can explain everything in more detail later. First, you scare users but immediately offer them a solution.

This guys worked together and released OPEN SOURCE solution that is FREE and can be implemented in any wallet, so they never said you should only buy their hardware wallets.

Of course, that they are both hardware wallet manufacturers is just a coincidence. But why do I even need to install additional software to protect myself from malicious manufacturers? If I know or suspect they are being dishonest with their users, I just avoid their products completely. Dishonest manufacturers lose in the long run because rational customers start looking for more reliable options.

Randomnnes can be proved because everything is open source, so you don't have to trust anything if you can read the code, and I guess you can't.

Anti-klepto is open-source and alters the randomness generated by a malicious hardware wallet. Okay. But how can we verify that a malicious hardware wallet doesn't alter the randomness coming from open-source software? If hardware is closed-source, your ability to read code doesn't help much: there is no way to check if this randomness is better than that. If it is open-source, additional software doesn't make sense because you can read code. Therefore, it is just marketing to attract more users.

[hZti]

As it was said above you can not easily proof that a chip for example in a ColdCard is actually the chip that they claim it to be. They could invent a chip that looks and behaves the same. While this is somehow possible it will be easily detectable if the funds are stolen because then people will start to investigate and will soon find out that the thieves are the people of ColdCard (for example). So if the ColdCard owners are not in the mood to live a secret live in a 3rd world country with stolen funds, there is no reason for them to do it.
What I also don’t know is if it is even possible if you never connect your ColdCard to the computer and only use a SD Card.

[Hispo]

So we are actually going back to roll dices and generate our own entropy?
what are the chances that Trezor devices are vulnerable to this kind of attack?, I am not tech-savvy enough to figure it out by myself.

Also, in the mean time, it would be nice if someone could provide a nice tutorial on how generate my own 24-word seed phrase using coins, because I don't think I have any dices on hand. 

[n0nce]

So if the ColdCard owners are not in the mood to live a secret live in a 3rd world country with stolen funds, there is no reason for them to do it.

That's a pretty weak argument; it could be applied to any closed-source hardware and software wallet as well, whose founders are known.
You're basically trusting that the developers aren't malicious - at that point, you don't even need open source or anything. And we know what happens when people blindly trust others...

[Updated] List of cryptocurrency exchange hacks

What I also don’t know is if it is even possible if you never connect your ColdCard to the computer and only use a SD Card.

The attack presented in this topic works irrespective of the method used to transfer PSBTs between host and device.

So we are actually going back to roll dices and generate our own entropy?
what are the chances that Trezor devices are vulnerable to this kind of attack?, I am not tech-savvy enough to figure it out by myself.

Also, in the mean time, it would be nice if someone could provide a nice tutorial on how generate my own 24-word seed phrase using coins, because I don't think I have any dices on hand.  

Here's a guide: https://medium.com/the-capital/cryptocurrency-911-how-does-12-word-seed-phrase-work-9d892de9732
Do keep in mind that it shortly mentions (but doesn't further explain) how coin tosses might not have very great entropy, after all, according to some researchers. 'Random coin tosses' should generally be thought more as a model for visualizing a 50/50 random experiment, but not to create Bitcoin seed phrases.

To answer your question: no, I don't think anyone's going 'back to dice rolls'. Even live-booted TailsOS is ususally considered a really secure way to create an offline cold-storage wallet for large sums of BTC, using simply your PC's randomness.
I also don't understand how you get to this conclusion, since the attack presented in this topic doesn't target the hardware wallets' random number generator at all.

[hZti]

So if the ColdCard owners are not in the mood to live a secret live in a 3rd world country with stolen funds, there is no reason for them to do it.

That's a pretty weak argument; it could be applied to any closed-source hardware and software wallet as well, whose founders are known.
You're basically trusting that the developers aren't malicious - at that point, you don't even need open source or anything. And we know what happens when people blindly trust others...

[Updated] List of cryptocurrency exchange hacks

What I also don’t know is if it is even possible if you never connect your ColdCard to the computer and only use a SD Card.

The attack presented in this topic works irrespective of the method used to transfer PSBTs between host and device.

So we are actually going back to roll dices and generate our own entropy?
what are the chances that Trezor devices are vulnerable to this kind of attack?, I am not tech-savvy enough to figure it out by myself.

Also, in the mean time, it would be nice if someone could provide a nice tutorial on how generate my own 24-word seed phrase using coins, because I don't think I have any dices on hand.  

Here's a guide: https://medium.com/the-capital/cryptocurrency-911-how-does-12-word-seed-phrase-work-9d892de9732
Do keep in mind that it shortly mentions (but doesn't further explain) how coin tosses might not have very great entropy, after all, according to some researchers. 'Random coin tosses' should generally be thought more as a model for visualizing a 50/50 random experiment, but not to create Bitcoin seed phrases.

To answer your question: no, I don't think anyone's going 'back to dice rolls'. Even live-booted TailsOS is ususally considered a really secure way to create an offline cold-storage wallet for large sums of BTC, using simply your PC's randomness.
I also don't understand how you get to this conclusion, since the attack presented in this topic doesn't target the hardware wallets' random number generator at all.

There is always a point where trust is required, buhe question is how much do you want to do to minimize the tust that you need to give. For example your coins can be stolen when you send them to an exchange or somebody can simply come to your house and force you to give him your coins. With a lot of effort you can stop this from happening but the question is also how likely this is. Still it is concerning that there is a possibility of doing this.