Author Topic: My Interview with Famous Hardware Hacker Joe Grand aka Kingpin  (Read 549 times)
Pmalek (OP)
December 28, 2022, 08:02:16 AM
Last edit: November 12, 2023, 09:33:04 AM by Pmalek
Merited by Welsh (58), LoyceV (42), ABCbits (23), hugeblack (17), dkbit98 (15), RickDeckard (10), NotATether (5), khaled0111 (4), 1miau (4), ibminer (4), FatFork (4), NeuroticFish (3), bitmover (3), Halab (2), Z-tight (2), trapcoder666 (2), vapourminer (1), Lucius (1), SFR10 (1), DdmrDdmr (1), TheBeardedBaby (1), naira (1), m2017 (1), Rikafip (1), dragonvslinux (1), ajiz138 (1), Pokapoka124 (1), Die_empty (1), sokani (1)
 #1

Ever since the Trezor hacking video was released, I wanted to talk with Joe “Kingpin” Grand – the man himself. So, I reached out to him and asked if he was interested in doing an interview that would be posted on the Bitcointalk forum. He liked the idea, and the piece is now done after some back-and-forth.

For those who don’t know who Joe is, let me first introduce you to him.

Joe Grand has been a hacker since 1982 when he was just a 7-year-old kid. His older brother owned an Atari 400 computer and used it to collect video games. Joe was immediately drawn to technology and spent every day before and after school with the computer. He was interested in finding different ways to trade games with other people, and that’s how his story began. Eventually, he figured out how to make free phone calls and connect to bulletin board systems further away from him so he could get more games.

Joe soon realized that there were people trading things other than just video games. They possessed information about accessing various computer systems. They knew other methods of making free phone calls or creating party lines and teleconferences where multiple people could gather and talk on the phone. For Joe, it became a quest to possess information that other kids didn’t have.

Joe was arrested when he was 16 for breaking into a telephone company to steal equipment. Luckily, he was underage and didn’t end up in jail. Joe wanted to learn but realized that breaking the law wasn’t the right way to do it. Following that incident, he joined a hacking group called L0pht Heavy Industries that consisted of hackers who became his mentors.

The members of this group would hack their own setups to find vulnerabilities and contact the vendors about the problems (mostly Microsoft at the time). The L0pht taught Joe the importance of sharing information and doing good things to spread positive messages about hacking. In 1998, Joe testified before the US Congress together with other members of the L0pht about the state of computer security in government and how bad security was with the relatively new "Internet." That’s when the general public realized that hackers can be good and are worth working with.

Since the end of 2002, Joe has been working on his own, creating projects, speaking, teaching, and occasionally making videos about engineering and hacking.


The Interview

The interview was conducted in several ways and stages. I initially sent a list of questions to Joe via email. He answered some of those in his live YouTube AMAs (links provided below). The ones that weren’t covered that way were discussed on a Zoom call. Joe then edited the transcribed answers for clarity and to bring them up-to-date.
 

1. How does it feel to be a hacker? How do people who know what you can do look at you? Do they see a tech wizard or a villain?

Joe: Being a hacker is all I have ever known and all I have ever done. I'm curious and like to learn new things, especially things that aren't common knowledge. When I mention I'm a hacker, most people think I do something illegal. Even my wife initially thought so. But that's not the case - hacking can be used for good or evil just like anything else in life. I help people by discovering security problems and making vendors aware of those problems so they can be fixed. I help people by teaching what I know so they can defend themselves or make their products better. I guess it depends on the person; some see me as a villain, others as a "tech wizard."


2. You talk about a path change in your Live AMA and how getting arrested at 16 led you to stop delinquent hacking activities. Becoming a member of the L0pht made you better. What do you think would have happened if you had never met those guys? Do you believe your hacking could have resulted in serious prison time and a life of crime?

Joe: The members of the L0pht took me under their wing after I had gotten in trouble. It was a life-changing experience and a real turning point. All the other guys were older than me and seemed so responsible. I looked up to them and sort of mimicked their behavior. My parents let me go to the L0pht, which was a physical hacker space in my home town of Boston, Massachusetts, because they knew I was passionate about hacking and that the L0pht was a positive outlet for that. If I hadn't gotten arrested as a kid, I know for a fact that I would have kept causing trouble and could have ended up in jail.


3. After hacking the Trezor One, have you attempted other attacks against some other hardware wallet manufacturers? Can we expect something similar in the future? Are you maybe working on something as we speak?

Joe: Yes, we've been working on other wallet hacking projects, both hardware and software. We released another video in June 2022 (the Samsung Galaxy hack), but most of the wallet hacking we're doing isn't being filmed.

Software hacking is a well-defined problem, particularly for password cracking. The limitations of computing power and the strength of cryptography are known factors. It's unlikely that you'll lose someone’s crypto if you are cracking their wallet password or otherwise exploiting a software wallet. You either get access to the coins, or you don’t.

But hardware is different. Even with the attacks that are known, they're often unpredictable and not as reliable as the software side of things. The risk of losing access to the crypto is much higher - usually caused by accidentally wiping the memory or triggering some security countermeasure during an attack. It takes a lot of time to research to even get to the point where you can perform the attack on a particular hardware wallet. Then the attack still has to be successful in a way that you can obtain the private key, recovery seed, or other data you're targeting. There's also the issue of if the person actually had the crypto they thought they did. So we have to be more careful about what hardware hacking projects we take on.



4. I have been on Bitcointalk for several years and have seen threads where people have lost access to their crypto. Misplaced seeds, broken hard drives, forgotten PINs and passwords, etc. Have you ever thought about browsing this forum and searching for threads like that where both you and the other party could benefit from recovering the coins?

Joe: I actually wasn’t aware of Bitcointalk until you emailed me. I hadn’t been paying much attention to the cryptocurrency world until I hacked the Trezor wallet. I knew there was a community of crypto enthusiasts, but I didn’t realize there was such an active forum specifically for that. I never thought about searching threads on the forum - it's not really my style and I'd feel like an ambulance-chaser. It feels a lot more natural when people come to us instead of us reaching out to them. If someone offers unsolicited help in the cryptocurrency world, you definitely need to be careful and pay attention to who you're dealing with.

When looking for help in recovering your cryptocurrency, it's really important to make sure you're talking to the real person and not a scammer. There are Joe Grand impersonators on social media (especially Instagram, but also TikTok, Twitter, etc.) offering to help people and taking money upfront, and I usually don't hear about it until someone has gotten scammed by them. As soon as one impersonation account gets shut down, another pops up. I'm not a hard person to find - contacting me through my website is the best, most trusted way to know you're actually talking to me and not someone pretending to be me.



5. What can you tell us about offspec.io? How could your company help someone from Bitcointalk, for example?

Joe: offspec.io is a small team that we put together as a result of my hacking the Trezor wallet. While I was working on that project, my wife told me I should make a video about it because most of the videos I make are engineering-focused and "People need to see that you're still a hacker." I reached out to a friend of mine who is a filmmaker and we decided to film it. After successfully opening the wallet, my friend said this should become a business. And he was right - there are so many people that need help.

I'm primarily the hardware hacker and the one most people recognize because of our videos, but we also have some software folks that specialize in forensic analysis and password cracking and a few others that handle the business side and communicating with the customers.

Since the first video came out, we've received hundreds and hundreds of emails from various people with different problems. We help the ones we can, but unfortunately many of the people have been scammed in some way - either sending cryptocurrency to fake exchanges or investing in some fake coin, etc. We're not able to help people who have been scammed - the nature of cryptocurrency makes it unlikely to recover the funds in a legal manner without the help of law enforcement, which is also unlikely to happen.

Regardless of how people are locked out of their cryptocurrency, they need to know they're not alone. They shouldn't feel "stupid" for forgetting their password, losing a piece of paper with their recovery seed, or being scammed. It's all a matter of being human and these things happen to many of us.



6. What future do you see for the company, and where do you want it to be in 5 or 10 years?

Joe: We don’t have a plan. Whatever happens, happens. I would like to make more videos that combine the technical elements of cryptocurrency recovery with the personal side of the people who need help. And, of course, to keep helping people while it remains something we enjoy doing. Hacking wallets isn't our primary focus in life. It’s just a service we offer to try and help people free their coins.


7. Your focus is on hardware, but I assume you know more about software than the average Joe (pun intended). Am I right?

Joe: I'm a computer engineer by trade, so my focus is primarily on hardware, but I do have formal coding experience and I'm dangerous enough with software for what I need to do. I mostly write code for hardware projects I create, usually in either C or assembly, and for controlling hardware tools used for hacking, like writing Python to interface with the ChipWhisperer to perform fault injection or power analysis. I'm a decent coder, but I wouldn’t call myself a programmer by any means.


8. What is your honest opinion about cryptocurrencies, especially Bitcoin? It’s an open-source protocol. Have you ever inspected the codebase looking for vulnerabilities or to see how Satoshi and the other developers created the asset we have today?

Joe: I think there are some interesting elements of cryptocurrency and blockchain technologies that could actually have a practical purpose. The concept of digital currencies and decentralized finance among other things sound great and there are some legitimate, intelligent projects, but the number of scams, shitcoins, rug pulls, etc. are making it difficult for mainstream adoption and confidence. There are still many outstanding questions in how these technologies should be used. Is Bitcoin an asset or a currency? Are we participants in a Ponzi scheme, HODLing in the hopes that other people in the future will value it higher so we can profit? Or, are we using it as currency instead of fiat? How can it be both at the same time? Does digital "ownership" of a non-fungible token really have any definable value or is it all just subjective? Is that any different than how physical collectables are valued? I don’t think crypto is an independent financial system yet. Even with the growth of cryptocurrency and blockchain in the past 10+ years, it still seems incredibly risky and speculative.


9. The best Bitcoin and crypto wallets and software are open-source. Have you ever looked into some of the most popular wallets, like Bitcoin Core or Electrum?

Joe: I haven't done any code reviews of open-source software wallets, but I've read through the code of open-source hardware wallets looking for potential vulnerabilities that I can exploit through hardware attacks. Open-source platforms make it easier to scrutinize the code, but it doesn't necessarily mean they're more secure, as we've seen plenty of examples of security vulnerabilities in open-source packages. With that said, I wouldn't personally trust or use anything cryptocurrency-related that isn't open-source, especially because of the risk of malware and scams. I'm a huge proponent of open-source projects and release most of my work this way - not necessarily for security but to allow people to look under the hood, to build upon it, or take a piece that's useful and put it into their own projects.


10. Do you use Bitcoin personally?

Joe: Not really. I barely hold any cryptocurrencies. I just don’t have the stomach for it, especially because I work for myself and never know where my next paycheck will come from. Back in 2010, my wife suggested that I should buy Bitcoin because all my friends were buying it, but I didn’t want to put my money into it and lose it. Of course, I should have listened to her.    


11. What can you tell us about secure elements in hardware wallets? Ledger wallets, for example, have secure elements, but those chips are closed-source. The Bitcoin community is generally worried about anything closed-source. What dangers do you see in closed-source software and hardware? Are we concerned for a reason? Have you ever attempted to hack a secure element?

Joe: When you're dealing with something closed-source, you're dealing with a black box. You don’t really know what you are getting. We can still reverse engineer closed-source systems, but it usually takes more effort. People who support closed-source projects will say that open-source makes it easier for adversaries to look at the code or hardware and find vulnerabilities, but it also means that as soon as somebody finds a problem and talks about it, everyone else can verify that right away and implement methods to protect themselves. This can be done independently of the product creator, vendor, etc. where otherwise we'd be waiting for them to "do the right thing" and fix the problems for us.

As for Ledger, they have a closed-source product. They use a secure element that you can only get documentation for if you sign a confidentiality agreement with the chip vendor, and that "privilege" is only given to select customers. While secure elements tend to be significantly more difficult to hack than a general-purpose microcontroller, the only way that their security can be tested or validated is by those with access to expensive, specialized equipment which limits the number of people that can actually do it.

In reality, both open-source and closed-source hardware designs can have fundamental flaws that could undermine the security or integrity of the entire product. We just might not know about them until someone decides to go public with that information. If they're bound by a confidentiality agreement, then that might never happen.



12. You work independently. One might say you are a freelancer. Have you ever worked for a big company or considered such a career path?

Joe: After graduating from college in 1997, I worked as an electrical engineer for Continuum, a product development company. That’s where I learned how to properly design electronic systems and how to bring them from prototype to mass production. At the time, they had about 100 people. In 2000, I left Continuum to start @stake, one of the first computer security consulting companies, with the guys from the L0pht. I went independent at the end of 2002 and never looked back. I've always had a hard time with people telling me what to do and I'm pretty sure I wouldn't be able to last very long at a large company. 


13. How does one maintain privacy and remain anonymous online today with all the technology around us?

Joe: My main concern these days is with how my data, browsing history, search queries, etc. is being collected, used, and sold. I'm also disgusted by the amount of advertising that's constantly being shoved in our faces. The main tools I use are advertising/tracker blockers like Adblock Plus, uBlock Origin, and Ghostery. I use Little Snitch to monitor or block incoming and outgoing connections from certain applications. I use either a VPN or the Tor Browser to help protect my privacy online. I'd also highly recommend subscribing to Bruce Schneier's Crypto-Gram newsletter to keep up-to-date on security and privacy matters.   


14. What would you say is your biggest hacking success story, and what is your biggest failure?

Joe: My biggest success is being able to have a career as a hacker and share what I love with other people. I never expected that to happen and I'm extremely grateful that I have this opportunity. It takes a lot of self-control and drive to stay focused, but I wouldn't want it any other way.

I sometimes reflect back on things I could have done differently or mistakes I've made, but instead of looking at those like failures, I look at them as opportunities to learn or grow. If anything in my past had happened differently, I might not have ended up where I am now. So, I don't really have any regrets.





For more information about Joe:
-   Main website and projects: https://www.grandideastudio.com
-   Wallet hacking and cryptocurrency recovery services: https://www.offspec.io
-   YouTube: https://www.youtube.com/@JoeGrand
-   Mastodon: https://chaos.social/@joegrand
-   Joe Grand's official Discord server: https://discord.gg/wud8KnF2Gm

Joe does not use any other social media platforms, so beware of impersonators and scammers.

Sources used for this thread are Joe Grand’s 1st and 2nd Live AMA, our Zoom talk, and words written directly by Joe.

dkbit98
December 28, 2022, 10:23:13 PM
 #2

> Ever since the Trezor hacking video was released, I wanted to talk with Joe “Kingpin” Grand – the man himself. So, I reached out to him and asked if he was interested in doing an interview that would be posted on the Bitcointalk forum. He liked the idea, and the piece is now done after some back-and-forth.

Great idea Pmalek, and I am surprised he accepted it so easily, but hackers are probably not thinking the same way as normies ;)
I know there are a lot of people who never heard about the Bitcointalk forum, and Kingpin was one of them, so it would be cool if he can make a YouTube video about this conversation.
It's free promotion and it would be even better to see him registering on the Bitcointalk forum and talking more about hardware wallets in his free time.

Pmalek (OP)
December 29, 2022, 07:42:48 AM
 #3

Who knows, maybe he will mention it one day. We will have to wait and see.
I am sure he is very busy balancing between his work, travels, lectures, and spending some quality time with his family. But perhaps he will turn up one day to say a few words to the community and introduce himself.

BitcoinGirl.Club
December 31, 2022, 01:58:52 PM
Last edit: May 14, 2023, 04:00:08 PM by BitcoinGirl.Club
 #4



@Joe thanks for agreeing and sharing your interview with Pmalek. Bitcointalk is a place where you will meet OGs in bitcoin. It's awful that many of them are not still with us. Some left because they became busy with other projects or lost interest. Some of them died. It was the place of satoshi before he disappeared, Hal Finney R.I.P brother. Bruno, Zepher, TecShare and many are no longer with us.

> But perhaps he will turn up one day to say a few words to the community and introduce himself.

It will be a good addition for the community.

sokani
January 02, 2023, 05:32:01 PM
Last edit: January 02, 2023, 05:52:49 PM by sokani
Merited by fillippone (2)
 #5

> Who knows, maybe he will mention it one day. We will have to wait and see.
> I am sure he is very busy balancing between his work, travels, lectures, and spending some quality time with his family. But perhaps he will turn up one day to say a few words to the community and introduce himself.

Thank you Pmalek for sharing this with the community. Just as BitcoinGirl.Club said it would be nice to have him here and we look forward to that. The Trezor hack shows that wallets are not 100% secured. Although, the Trezor team claimed that he was able to successfully hack the Trezor one wallet because it's an older version, that the vulnerability has been fixed in the newer versions. I wish he could get his hands on the new version and crack it just to prove a point to them.

Die_empty
January 03, 2023, 03:37:49 AM
 #6

> Who knows, maybe he will mention it one day. We will have to wait and see.
> I am sure he is very busy balancing his work, travels, lectures, and spending some quality time with his family. But perhaps he will turn up one day to say a few words to the community and introduce himself.

I want to appreciate OP for investing his time in this uncommon interview. At least I have learned that hacking can be used either positively or negatively. It is also nice to hear from a person that has turned his negative behavior into a good one which is now beneficial to society. He would have been in jail if he didn't associate himself with the right company. This is also a proof that with the right influence, even the worst criminal can experience a positive transformation. His story is also a caution to the legal and prison system that some offenders just need counsel and not confinement.

I am very impressed with Hacker Joe Grand's family life because it seems he is very close to his wife. The failure to balance work and family is one of the reasons for the high rate of divorce experienced globally. He is indeed a motivation that one can still have a long-lasting marriage in this present age.

It would also be beneficial if he joins the forum because we have a lot to learn from him. He would indeed be an asset to the technical board of this forum.

Pmalek (OP)
January 03, 2023, 07:36:50 AM
Merited by FatFork (1)
 #7

> Although, the Trezor team claimed that he was able to successfully hack the Trezor one wallet because it's an older version, that the vulnerability has been fixed in the newer versions. I wish he could get his hands on the new version and crack it just to prove a point to them.

The Trezor HW from the video had an old version of the firmware, which made it vulnerable to the type of attack that Joe carried out. The seed and PIN code could be retrieved from the device's memory while booting it. Joe discovered that while going through the source code of that particular firmware and was able to build his attack around that information. The firmware version that was released immediately after that fixed this issue making the same type of physical attack unfeasible. So that window is closed now. However, an experienced hardware hacker could exploit something else if given enough time and resources to investigate. Trezors don't have secure elements, which makes them somewhat more susceptible to physical manipulation in the right hands.

dkbit98
February 11, 2023, 09:44:08 PM
 #8

...
Pmalek can you tell me if you are still in contact with Joe Grand aka Kingpin?
I am interested to hear his opinion about the recent exploit that affected the OneKey hardware wallet, and maybe he can take a second look at OneKey devices since they forked from Trezor.
If he manages to find new bugs in these devices it could be a chance for him to earn more bug bounty money rewards ;)
I wrote more about that incident in one of my topics:
https://bitcointalk.org/index.php?topic=5439320.0

Pmalek (OP)
February 12, 2023, 07:25:58 AM
 #9

> Pmalek can you tell me if you are still in contact with Joe Grand aka Kingpin?

I haven't spoken to him after the interview that we had but I have his contact details. I will send him an email to see what he thinks.

> I am interested to hear his opinion about recent exploit that affected OneKey hardware wallet, and maybe he can take a second look on OneKey devices since they forked from Trezor.
> If he manages to find new bugs in this devices it could be chance for him to earn more bug bounty money rewards ;)

As you said in your thread, the bug that was found was already patched just like the old Trezor one that he found. It's good that it's no longer exploitable. I know that Joe and the team are working on a big hardware project and they will release a video about it when and if they manage to finish it. Let's see if he has some time to comment on OneKey.

digaran
February 12, 2023, 06:22:47 PM
 #10

OP, please ask Joe if he can help me to recover more than 98 bitcoins? I just know their bit ranges and addresses, lost the private keys. We could share 50-40-10.

🖤😏
Pmalek (OP)
Legendary
*
Offline Offline

Activity: 2744
Merit: 7105



View Profile
February 12, 2023, 08:41:33 PM
 #11

OP, please ask Joe if he can help me to recover more than 98 bitcoins? I just know their bit ranges and addresses, lost the private keys. We could share 50-40-10.
Your forum reputation doesn't ring bells of trustworthiness. Besides, you haven't provided any valuable information that I could give the guy. Joe is a hardware hacker, he hacks and manipulates hardware devices. But he has some guys who work on the software side of things as well.

What wallet did you have those bitcoins on? Do you still have it and in what condition?
Provide detailed information about what happened because he is going to need it and ask for it if he is interested.

digaran
Copper Member
Hero Member
*****
Offline Offline

Activity: 1330
Merit: 899

🖤😏


View Profile
February 12, 2023, 11:31:53 PM
 #12

Your forum reputation doesn't ring bells of trustworthiness. Besides, you haven't provided any valuable information that I could give the guy. Joe is a hardware hacker, he hacks and manipulates hardware devices.
Never mind, don't like the fact you are biased, judgmental. I am also a hacker, I hack ideas, and paid the price for them. 😔.

Lol.

🖤😏
Pmalek (OP)
Legendary
*
Offline Offline

Activity: 2744
Merit: 7105



View Profile
February 13, 2023, 06:46:32 PM
 #13

Never mind, don't like the fact you are biased, judgmental.
I was only stating a fact that multiple people have given you negative ratings. None of them mention hacking initiatives but extortion, involvement in Ponzi schemes, harassment, and stuff like that. That's what I see. I don't know you and you don't know me. All I know about you is what I can see on your trust page, nothing else. Like I said, if you want me to take this information about the allegedly lost 98 BTCs to Joe, you have to provide much more information. If not, this topic of conversation is over for me.

digaran
Copper Member
Hero Member
*****
Offline Offline

Activity: 1330
Merit: 899

🖤😏


View Profile
February 14, 2023, 01:20:03 AM
 #14

Never mind, don't like the fact you are biased, judgmental.
I was only stating a fact that multiple people have given you negative ratings. None of them mention hacking initiatives but extortion, involvement in Ponzi schemes, harassment, and stuff like that. That's what I see. I don't know you and you don't know me. All I know about you is what I can see on your trust page, nothing else. Like I said, if you want me to take this information about the allegedly lost 98 BTCs to Joe, you have to provide much more information. If not, this topic of conversation is over for me.
Yeah, you are right, coming to think about it, those are some scary stuff, I used to shill for ponzis taking millions, managed to extort several thousands, even so, I did pretty much harass every single forum DT member.

What I don't get, why do you think I was asking for your trust in me? On the contrary I was the one entrusting you with the information on how to get 98 easy bitcoins.
Now I realize this could be considered as trolling deserving a ban, but I was wondering if Joe could hack the 100BTC challenge and split the loot? 50% Joe, 40% You, 10% Me. See? How I managed to trust you without judging a book by its cover.

🖤😏
Pmalek (OP)
Legendary
*
Offline Offline

Activity: 2744
Merit: 7105



View Profile
February 14, 2023, 07:13:33 PM
Last edit: February 14, 2023, 07:46:54 PM by Pmalek
 #15

What I don't get, why do you think I was asking for your trust in me? On the contrary I was the one entrusting you with the information on how to get 98 easy bitcoins.
Trust and having a clean track record are essential elements to me for all business associations and matters concerning money. That's equally true if I am to talk to someone else on your behalf (sort of). I am not going to be the one saying there is this guy who needs your help to recover lost bitcoins. Btw, he was a scam promoter and extortionist, so good luck Joe.

At the end of the OP are contact details to Joe and his company that deals with hardware hacking and crypto recovery. Feel free to reach out if you need their help.
Good luck!  

naira
Hero Member
*****
Offline Offline

Activity: 1960
Merit: 586


Free Crypto Faucet in Trustdice


View Profile
February 14, 2023, 07:42:28 PM
 #16

Thank you Pmalek for sharing valuable knowledge. I really enjoy all the text conversations you guys have and thanks also to the resource person @joe the person who seems honest and easy to share new things with us here. There are many lessons that I can take, especially in keeping our privacy safe. At least we can minimize unwanted actions.

Pmalek (OP)
Legendary
*
Offline Offline

Activity: 2744
Merit: 7105



View Profile
February 15, 2023, 04:35:33 PM
Merited by vapourminer (1), dkbit98 (1)
 #17

@dkbit98

So I talked to Joe regarding the OneKey vulnerability and here is what he said.

He knows about the attack and the people who carried it out. But he is no longer chasing and breaking devices to get a bounty. He did that for most of his career even before companies started paying money for it. If and when he discovers a vulnerability, he reports it to the manufacturers and releases an official report once the issue has been resolved.

BitcoinGirl.Club
Legendary
*
Offline Offline

Activity: 2758
Merit: 2711


Farewell LEO: o_e_l_e_o


View Profile WWW
February 15, 2023, 04:40:35 PM
 #18

Never mind, don't like the fact you are biased, judgmental.
I was only stating a fact that multiple people have given you negative ratings. None of them mention hacking initiatives but extortion, involvement in Ponzi schemes, harassment, and stuff like that. That's what I see. I don't know you and you don't know me. All I know about you is what I can see on your trust page, nothing else. Like I said, if you want me to take this information about the allegedly lost 98 BTCs to Joe, you have to provide much more information. If not, this topic of conversation is over for me.
Yeah, you are right, coming to think about it, those are some scary stuff, I used to shill for ponzis taking millions, managed to extort several thousands, even so, I did pretty much harass every single forum DT member.

What I don't get, why do you think I was asking for your trust in me? On the contrary I was the one entrusting you with the information on how to get 98 easy bitcoins.
Now I realize this could be considered as trolling deserving a ban, but I was wondering if Joe could hack the 100BTC challenge and split the loot? 50% Joe, 40% You, 10% Me. See? How I managed to trust you without judging a book by its cover.

You are never going to learn your lessons and change from what you are. People change but you are still the old digaran. But let's be positive. You need more time. Go on vacation again and come back after a few more years.

dkbit98
Legendary
*
Offline Offline

Activity: 2212
Merit: 7071


Cashback 15%


View Profile WWW
February 15, 2023, 09:07:27 PM
 #19

He knows about the attack and the people who carried it out. But he is no longer chasing and breaking devices to get a bounty. He did that for most of his career even before companies started paying money for it. If and when he discovers a vulnerability, he reports it to the manufacturers and releases an official report once the issue has been resolved.
Thank you for asking him and writing his fast reply.
I was asking about OneKey wallet because they use forked Trezor code, but I guess he earned good money from his previous gigs like this.
He is probably working on other stuff now, and I just checked his YouTube channel and I saw he was working on his thinnest boombox project... he is a bit weird, but I like his style.

digaran
Copper Member
Hero Member
*****
Offline Offline

Activity: 1330
Merit: 899

🖤😏


View Profile
February 16, 2023, 01:28:17 AM
 #20

~snip.
Do I know you? Who is you?

I wanted to fuck around enough to find out, you know? Lol.

If Joe is a serious hacker with a team of expert programmers then there is at least 2M $ in the pot for now, and there are already so many people with millions lost in broken wallets, incomplete private keys, etc. Since he has shown his face, people know who he is, they know his face, and that is an advantage, people would trust such individuals more, I wanted to know if it's a good idea to send him some clients and maybe get a little something on the side for myself, you know?

I hope we're good.

🖤😏