Ever since the Trezor hacking video was released, I wanted to talk with Joe “Kingpin” Grand – the man himself. So, I reached out to him and asked if he was interested in doing an interview that would be posted on the Bitcointalk forum. He liked the idea, and the piece is now done after some back-and-forth.
For those who don’t know who Joe is, let me first introduce you to him.
Joe Grand has been a hacker since 1982 when he was just a 7-year-old kid. His older brother owned an Atari 400 computer and used it to collect video games. Joe was immediately drawn to technology and spent every day before and after school with the computer. He was interested in finding different ways to trade games with other people, and that’s how his story began. Eventually, he figured out how to make free phone calls and connect to bulletin board systems further away from him so he could get more games.
Joe soon realized that there were people trading things other than just video games. They possessed information about accessing various computer systems. They knew other methods of making free phone calls or creating party lines and teleconferences where multiple people could gather and talk on the phone. For Joe, it became a quest to possess information that other kids didn’t have.
Joe was arrested when he was 16 for breaking into a telephone company to steal equipment. Luckily, he was underage and didn’t end up in jail. Joe wanted to learn but realized that breaking the law wasn’t the right way to do it. Following that incident, he joined a hacking group called L0pht Heavy Industries that consisted of hackers who became his mentors.
The members of this group would hack their own setups to find vulnerabilities and contact the vendors about the problems (mostly Microsoft at the time). The L0pht taught Joe the importance of sharing information and doing good things to spread positive messages about hacking. In 1998, Joe testified before the US Congress together with other members of the L0pht about the state of computer security in government and how bad security was with the relatively new "Internet." That’s when the general public realized that hackers can be good and are worth working with.
Since the end of 2002, Joe has been working on his own, creating projects, speaking, teaching, and occasionally making videos about engineering and hacking.
The Interview
The interview was conducted in several ways and stages. I initially sent a list of questions to Joe via email. He answered some of those in his live YouTube AMAs (links provided below). The ones that weren’t covered that way were discussed on a Zoom call. Joe then edited the transcribed answers for clarity and to bring them up-to-date.
1. How does it feel to be a hacker? How do people who know what you can do look at you? Do they see a tech wizard or a villain?
Joe: Being a hacker is all I have ever known and all I have ever done. I'm curious and like to learn new things, especially things that aren't common knowledge. When I mention I'm a hacker, most people think I do something illegal. Even my wife initially thought so. But that's not the case - hacking can be used for good or evil just like anything else in life. I help people by discovering security problems and making vendors aware of those problems so they can be fixed. I help people by teaching what I know so they can defend themselves or make their products better. I guess it depends on the person; some see me as a villain, others as a "tech wizard."
2. You talk about a path change in your Live AMA and how getting arrested at 16 led you to stop delinquent hacking activities. Becoming a member of the L0pht made you better. What do you think would have happened if you had never met those guys? Do you believe your hacking could have resulted in serious prison time and a life of crime?
Joe: The members of the L0pht took me under their wing after I had gotten in trouble. It was a life-changing experience and a real turning point. All the other guys were older than me and seemed so responsible. I looked up to them and sort of mimicked their behavior. My parents let me go to the L0pht, which was a physical hacker space in my home town of Boston, Massachusetts, because they knew I was passionate about hacking and that the L0pht was a positive outlet for that. If I hadn't gotten arrested as a kid, I know for a fact that I would have kept causing trouble and could have ended up in jail.
3. After hacking the Trezor One, have you attempted other attacks against some other hardware wallet manufacturers? Can we expect something similar in the future? Are you maybe working on something as we speak?
Joe: Yes, we've been working on other wallet hacking projects, both hardware and software. We released another video in June 2022 (the Samsung Galaxy hack), but most of the wallet hacking we're doing isn't being filmed.
Software hacking is a well-defined problem, particularly for password cracking. The limitations of computing power and the strength of cryptography are known factors. It's unlikely that you'll lose someone’s crypto if you are cracking their wallet password or otherwise exploiting a software wallet. You either get access to the coins, or you don’t.
But hardware is different. Even with the attacks that are known, they're often unpredictable and not as reliable as the software side of things. The risk of losing access to the crypto is much higher - usually caused by accidentally wiping the memory or triggering some security countermeasure during an attack. It takes a lot of time to research to even get to the point where you can perform the attack on a particular hardware wallet. Then the attack still has to be successful in a way that you can obtain the private key, recovery seed, or other data you're targeting. There's also the issue of if the person actually had the crypto they thought they did. So we have to be more careful about what hardware hacking projects we take on.
4. I have been on Bitcointalk for several years and have seen threads where people have lost access to their crypto. Misplaced seeds, broken hard drives, forgotten PINs and passwords, etc. Have you ever thought about browsing this forum and searching for threads like that where both you and the other party could benefit from recovering the coins?
Joe: I actually wasn’t aware of Bitcointalk until you emailed me. I hadn’t been paying much attention to the cryptocurrency world until I hacked the Trezor wallet. I knew there was a community of crypto enthusiasts, but I didn’t realize there was such an active forum specifically for that. I never thought about searching threads on the forum - it's not really my style and I'd feel like an ambulance-chaser. It feels a lot more natural when people come to us instead of us reaching out to them. If someone offers unsolicited help in the cryptocurrency world, you definitely need to be careful and pay attention to who you're dealing with.
When looking for help in recovering your cryptocurrency, it's really important to make sure you're talking to the real person and not a scammer. There are Joe Grand impersonators on social media (especially Instagram, but also TikTok, Twitter, etc.) offering to help people and taking money upfront, and I usually don't hear about it until someone has gotten scammed by them. As soon as one impersonation account gets shut down, another pops up. I'm not a hard person to find - contacting me through my website is the best, most trusted way to know you're actually talking to me and not someone pretending to be me.
5. What can you tell us about offspec.io? How could your company help someone from Bitcointalk, for example?
Joe: offspec.io is a small team that we put together as a result of my hacking the Trezor wallet. While I was working on that project, my wife told me I should make a video about it because most of the videos I make are engineering-focused and "People need to see that you're still a hacker." I reached out to a friend of mine who is a filmmaker and we decided to film it. After successfully opening the wallet, my friend said this should become a business. And he was right - there are so many people that need help.
I'm primarily the hardware hacker and the one most people recognize because of our videos, but we also have some software folks that specialize in forensic analysis and password cracking and a few others that handle the business side and communicating with the customers.
Since the first video came out, we've received hundreds and hundreds of emails from various people with different problems. We help the ones we can, but unfortunately many of the people have been scammed in some way - either sending cryptocurrency to fake exchanges or investing in some fake coin, etc. We're not able to help people who have been scammed - the nature of cryptocurrency makes it unlikely to recover the funds in a legal manner without the help of law enforcement, which is also unlikely to happen.
Regardless of how people are locked out of their cryptocurrency, they need to know they're not alone. They shouldn't feel "stupid" for forgetting their password, losing a piece of paper with their recovery seed, or being scammed. It's all a matter of being human and these things happen to many of us.
6. What future do you see for the company, and where do you want it to be in 5 or 10 years?
Joe: We don’t have a plan. Whatever happens, happens. I would like to make more videos that combine the technical elements of cryptocurrency recovery with the personal side of the people who need help. And, of course, to keep helping people while it remains something we enjoy doing. Hacking wallets isn't our primary focus in life. It’s just a service we offer to try and help people free their coins.
7. Your focus is on hardware, but I assume you know more about software than the average Joe (pun intended). Am I right?
Joe: I'm a computer engineer by trade, so my focus is primarily on hardware, but I do have formal coding experience and I'm dangerous enough with software for what I need to do. I mostly write code for hardware projects I create, usually in either C or assembly, and for controlling hardware tools used for hacking, like writing Python to interface with the ChipWhisperer to perform fault injection or power analysis. I'm a decent coder, but I wouldn’t call myself a programmer by any means.
8. What is your honest opinion about cryptocurrencies, especially Bitcoin? It’s an open-source protocol. Have you ever inspected the codebase looking for vulnerabilities or to see how Satoshi and the other developers created the asset we have today?
Joe: I think there are some interesting elements of cryptocurrency and blockchain technologies that could actually have a practical purpose. The concept of digital currencies and decentralized finance among other things sound great and there are some legitimate, intelligent projects, but the number of scams, shitcoins, rug pulls, etc. are making it difficult for mainstream adoption and confidence. There are still many outstanding questions in how these technologies should be used. Is Bitcoin an asset or a currency? Are we participants in a Ponzi scheme, HODLing in the hopes that other people in the future will value it higher so we can profit? Or, are we using it as currency instead of fiat? How can it be both at the same time? Does digital "ownership" of a non-fungible token really have any definable value or is it all just subjective? Is that any different than how physical collectables are valued? I don’t think crypto is an independent financial system yet. Even with the growth of cryptocurrency and blockchain in the past 10+ years, it still seems incredibly risky and speculative.
9. The best Bitcoin and crypto wallets and software are open-source. Have you ever looked into some of the most popular wallets, like Bitcoin Core or Electrum?
Joe: I haven't done any code reviews of open-source software wallets, but I've read through the code of open-source hardware wallets looking for potential vulnerabilities that I can exploit through hardware attacks. Open-source platforms make it easier to scrutinize the code, but it doesn't necessarily mean they're more secure, as we've seen plenty of examples of security vulnerabilities in open-source packages. With that said, I wouldn't personally trust or use anything cryptocurrency-related that isn't open-source, especially because of the risk of malware and scams. I'm a huge proponent of open-source projects and release most of my work this way - not necessarily for security but to allow people to look under the hood, to build upon it, or take a piece that's useful and put it into their own projects.
10. Do you use Bitcoin personally?
Joe: Not really. I barely hold any cryptocurrencies. I just don’t have the stomach for it, especially because I work for myself and never know where my next paycheck will come from. Back in 2010, my wife suggested that I should buy Bitcoin because all my friends were buying it, but I didn’t want to put my money into it and lose it. Of course, I should have listened to her.
11. What can you tell us about secure elements in hardware wallets? Ledger wallets, for example, have secure elements, but those chips are closed-source. The Bitcoin community is generally worried about anything closed-source. What dangers do you see in closed-source software and hardware? Are we concerned for a reason? Have you ever attempted to hack a secure element?
Joe: When you're dealing with something closed-source, you're dealing with a black box. You don’t really know what you are getting. We can still reverse engineer closed-source systems, but it usually takes more effort. People who support closed-source projects will say that open-source makes it easier for adversaries to look at the code or hardware and find vulnerabilities, but it also means that as soon as somebody finds a problem and talks about it, everyone else can verify that right away and implement methods to protect themselves. This can be done independently of the product creator, vendor, etc. where otherwise we'd be waiting for them to "do the right thing" and fix the problems for us.
As for Ledger, they have a closed-source product. They use a secure element that you can only get documentation for if you sign a confidentiality agreement with the chip vendor, and that "privilege" is only given to select customers. While secure elements tend to be significantly more difficult to hack than a general-purpose microcontroller, the only way that their security can be tested or validated is by those with access to expensive, specialized equipment which limits the number of people that can actually do it.
In reality, both open-source and closed-source hardware designs can have fundamental flaws that could undermine the security or integrity of the entire product. We just might not know about them until someone decides to go public with that information. If they're bound by a confidentiality agreement, then that might never happen.
12. You work independently. One might say you are a freelancer. Have you ever worked for a big company or considered such a career path?
Joe: After graduating from college in 1997, I worked as an electrical engineer for Continuum, a product development company. That’s where I learned how to properly design electronic systems and how to bring them from prototype to mass production. At the time, they had about 100 people. In 2000, I left Continuum to start @stake, one of the first computer security consulting companies, with the guys from the L0pht. I went independent at the end of 2002 and never looked back. I've always had a hard time with people telling me what to do and I'm pretty sure I wouldn't be able to last very long at a large company.
13. How does one maintain privacy and remain anonymous online today with all the technology around us?
Joe: My main concern these days is with how my data, browsing history, search queries, etc. are being collected, used, and sold. I'm also disgusted by the amount of advertising that's constantly being shoved in our faces. The main tools I use are advertising/tracker blockers like Adblock Plus, uBlock Origin, and Ghostery. I use Little Snitch to monitor or block incoming and outgoing connections from certain applications. I use either a VPN or the Tor Browser to help protect my privacy online. I'd also highly recommend subscribing to Bruce Schneier's Crypto-Gram newsletter to keep up-to-date on security and privacy matters.
14. What would you say is your biggest hacking success story, and what is your biggest failure?
Joe: My biggest success is being able to have a career as a hacker and share what I love with other people. I never expected that to happen and I'm extremely grateful that I have this opportunity. It takes a lot of self-control and drive to stay focused, but I wouldn't want it any other way.
I sometimes reflect back on things I could have done differently or mistakes I've made, but instead of looking at those like failures, I look at them as opportunities to learn or grow. If anything in my past had happened differently, I might not have ended up where I am now. So, I don't really have any regrets.
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Ftalkimg.com%2Fimages%2F2023%2F11%2F12%2Ft0npz.jpeg&t=663&c=YY7EL8y5s5fFqw)
For more information about Joe:
- Main website and projects: https://www.grandideastudio.com
- Wallet hacking and cryptocurrency recovery services: https://www.offspec.io
- YouTube: https://www.youtube.com/@JoeGrand
- Mastodon: https://chaos.social/@joegrand
- Joe Grand's official Discord server: https://discord.gg/wud8KnF2Gm
Joe does not use any other social media platforms, so beware of impersonators and scammers.
Sources used for this thread are Joe Grand’s 1st and 2nd Live AMA, our Zoom talk, and words written directly by Joe.