BTChip' € 10 Hardware Wallet + GreenAddress review

[gdassori]

Hi, I did this review for the italian section, it's about the new BTChip hardware wallet, the cheapest of the market, and GreenAddress, one of the powerful multisig wallets out there. I guess both products are interesting, so I decided to crosspost to intl section. Sorry for my english :-)

BTChip: www.hardwarewallet.com
GreenAddress: www.greenaddress.com

Security disclaimer from HW-1 website:

Code:

HW-1 is powered by an ST23YT66 smart card - protected by design against passive and active attacks targeting typical microcontrollers
no JTAG connection
tamper resistant package
cryptographic accelerator offering protection against side channel attacks
Extracting keys from FPGAs... @ 30c3
We do not claim to be unbreakable - just not to be trivially hackable in a few hours / days, like any other highly secure smart card, giving you enough time to transfer your funds should your wallet be stolen or borrowed for some time

Yesterday, after ordering the BTChip last Thursday, I received a package: it took a total of 5 days with Saturday and Sunday in between.
Today when I finally had a chance to try it I found out I didn’t need to find much time in first place as it is quite simple.

BTChip, which looks a lot like a smartcard or even a credit card, is instead a tiny USB device, which handles storing and protecting your mnemonic passphrase as well as sign your outgoing transaction.

The setup procedure is quite simple and you can find it on the HW1 website. For my operating system, Linux, it was sufficient to tell the system about the USB IDs that the device requires. For Debian based distro (therefore including Ubuntu) there’s a premade script from BTChip that handles the entire procedure:

Code:

wget https://hardwarewallet.com/zip/add_btchip_driver.sh 
chmod a+rx add_btchip_driver.sh 
./add_btchip_driver.sh

The script configures the IDs and no extra drivers are necessary and as such it can easily be used on a live distribution, for the extra paranoid :-)

After using the device I opened the GreenAddress wallet, installed from GitHub (but you can install it from the Chrome Web Store) and I took the following steps:



When prompted with a login page I clicked in “Create a new wallet”, thus generating a new mnemonic passphrase, which is used to access and generate my deterministic wallet. Save that mnemonic passphrase in a safe place.



When I created the mnemonic passphrase there was a button “Write to a hardware wallet” which is what we are interested in doing (also NOTE the mnemonic, see later).

Clicking it (after having inserted the BTChip) has the following results:



The wallet has discovered the BTChip as not previously initialized. Later I found out that if the device is already initialized then the interface will have offered the ability to reset it.

Clicking the button “Save to BTChip”, the user is required to insert a PIN, PIN which is then required every time you will use the BTChip. It is to be noted that after 3 incorrect PIN the device is reset.



After inserting the PIN, the device is fully setup and it has all it needs to access the GreenAddress wallet.



The next steps configure the two factor authentication for the multisignature part of the wallet:

 

The two factor authentication, together with the BTChip, allows to use the GreenAddress wallet even in unsafe environments because all transactions are authenticated against both your device and the two factor authentication.

After configuring the 2FA and after the first login the wallet warns that you should do a mnemonic passphrase verification to make sure you have the passphrase properly backed up.

What does it mean? Since we got the device we should not care about the mnemonic passphrase right?



Nope. Wrong. Btchip is an electronic device and like all devices it may get lost or get broken, so it is highly raccomanded to properly manage a backup of the mnemonic passphrase.

Without this backup, in case you don’t have access to your BTChip, you won’t have any way of ever accessing your account again. That is because your mnemonic passphrase is only yours and not available to GreenAddress: this is a strength point as even if the service is compromised Bitcoin can’t be stolen so easily.

This is all, next logins are done with the BTChip and your PIN (the one you provided during the setup)



Notes:

- At this time it is not possible to create the mnemonic passphrase offline and then follow the online setup. Lawrence from GreenAddress has said that this option will be soon available too.

- As previously said, BTChip is not only an authentication device but also does the actual signature. This means that once you’re done with the setup the keys are never exposed outside of the device (as long as you don’t keep your mnemonic passphrase backup on a computer you should be safe)

- Even if the BTChip is quite useful to login it shouldn’t be used when you are just checking your balance or transaction list  as the ‘watch-only’ mode doesn’t load any keys and it is more secure. For transacting on the other hand BTChip is a great way to login.

- The device is rewritable so you can try as many times as you like.

- It is not necessary to create a new wallet to use the BTChip, it is instead possible to go to settings (after a full access login) and find a button similar to the one seen during the initial registration.



The button “write to a hardware wallet” writes the mnemonic passphrase on the device


Thanks for reading!

[1715090686]

1715090686

[1715090686]

1715090686

[1715090686]

1715090686

[btchip]

Coming from a fake italian, thanks for the review and the translation 

[joshuad31]

Hello,

I can say that I myself had some difficulties but two things really impressed me:
1. Very fast response times from Nicolas on the support team
2. Greenaddress's wallet is sleek and has a good UX experience

I have three laptops and each one had its own challenge:
1. windows 7 64 bit - I needed to install drivers and reboot the machine before the greenaddress app would recognize the wallet.  Wasn't clear I needed a reboot
2. On my windows 8 machine it would recognize the wallet but it would also store my pin on the computer so it seemed like it didn't even need the card to access any funds until I went into settings to turn the pin remembering feature off.
3. On my windows 7 - 32 bit machine (company laptop) with some restrictive settings running the drivers never installed correctly.

My overall experience is tentatively positive but having spent many hours working with bitcoin technologies I can still say there is plenty I don't understand about this wallet:

1. The initial setup experience caused some confusion because I am not sure if I was able to get my mnemonic for backup done correctly.  This is because greenaddress does not tell you its initializing with the hardware wallet BEFORE you create a new wallet and get your mnemonic.
There is no way to tell how the keys are generated.  Are they generated by greenaddress and then written to the HW.1?  Are they generated by the HW.1 and then the HW.1 tells greenaddress what the memonic should be?  Since its unclear at what point the greenaddress wallet actually initializes with the HW.1 I can' figure this out.

2. The private keys are on the HW.1 but because the *quick login* feature can be active resulting in access to your wallet without needing to access HW.1 this must mean that greenaddress also stores these keys in some other location.  How in the world was the greenaddress app able to open up the wallet with only a pin number when the *Quick login* - feature was selected?  Where were the private keys stored if they were not stored on the wallet?  Were they stored encrypted or unencrypted?  If they were encrypted by only my pin number how strong could the encryption possibly be?

3. I'm still not sure that I believe this is better than 2 factor authentication using a cell phone.  We already have seen that the greenaddress wallet has a habit of storing keys in some format (encrypted or unencrypted) on the computer anyways.  If the keys are only encrypted using a weak pin then obviously blockchain.info's wallet is the better option.

4. I am familiar with handing paper wallets and loading actual private keys into software wallets.  I am comfortable with adding / deleting private keys from a blockchain.info wallet to gain access to funds.  I am not familiar with using a memonic to recover lost keys.  There should be some videos to assist the consumer to learn more about this.  I assume that this memonic is a feature of a Hierarchical Deterministic wallet but I'm not sure.  So one memonic recovers all possible keys that could be generated by greenaddress / HW.1?  Also what is the different / benefits between writing down an encrypted seed memonic and an unencrypted one?  If greenaddress removes their app from the app store and I only have the memonic could I take and enter this into another wallet software to recover my private keys?

Also it would be really nice to have someone run a debugging program to isolate the type of communication taking place between the greenaddress wallet and the HW.1 to show us the following items:
1. Process of how private keys are generated - How is the mnemonic generated?
2. Showing how a request is inputted to the HW.1 and a signed transaction is outputted.

I'm not yet sold on this technology, I purchased it to learn about it.  To convince me (and I am a pretty tech savvy consumer) that there is a benefit to using HW.1 there needs to be way more work done to educate the consumer as to the workings of this product.

~JD

[tryexcept]

Hello,

I can say that I myself had some difficulties but two things really impressed me:
1. Very fast response times from Nicolas on the support team
2. Greenaddress's wallet is sleek and has a good UX experience

Thank you!

I have three laptops and each one had its own challenge:
1. windows 7 64 bit - I needed to install drivers and reboot the machine before the greenaddress app would recognize the wallet.  Wasn't clear I needed a reboot

I agree I think the page with drivers should inform the user a reboot may be necessary. I'm not even sure Windows 7 always requires a reboot for drivers but Nicolas may know more.

2. On my windows 8 machine it would recognize the wallet but it would also store my pin on the computer so it seemed like it didn't even need the card to access any funds until I went into settings to turn the pin remembering feature off.

People that don't have or want a hardware wallet can use a feature we call 'Quick access' which stores your mnemonic passphrase in your local storage encrypted with a random 256bit AES password. GreenAddress returns this password against the PIN.

This information was available in our FAQ:

 

How does the PIN work?
A random password (256 AES) is created and used to encrypt your mnemonics and store them on your device in encrypted form. The random password is sent server side and destroyed on the client. When during login the user provides the right PIN a mechanism will ask the server for the password which is used to decrypt the mnemnonic passphrase stored on your device and get you in your wallet. If the PIN is provided wrong for 3 times in a row the password is then deleted from our servers.

3. On my windows 7 - 32 bit machine (company laptop) with some restrictive settings running the drivers never installed correctly.

Yes I believe you need administration privileges to install drivers on some platforms. Perhaps Nicolas should mention this too on the BTChip help page.

My overall experience is tentatively positive but having spent many hours working with bitcoin technologies I can still say there is plenty I don't understand about this wallet:

1. The initial setup experience caused some confusion because I am not sure if I was able to get my mnemonic for backup done correctly.  This is because greenaddress does not tell you its initializing with the hardware wallet BEFORE you create a new wallet and get your mnemonic.

There is no way to tell how the keys are generated.  Are they generated by greenaddress and then written to the HW.1?  Are they generated by the HW.1 and then the HW.1 tells greenaddress what the memonic should be?  Since its unclear at what point the greenaddress wallet actually initializes with the HW.1 I can' figure this out.

There are two ways of creating your seed, either in the GreenAddress app (in which the creation happens locally using your platform secure random number generator) which gets displayed on screen and optionally written on a hardware wallet or you can create it straight on the hardware wallet (and to display it once you need to unplug the card and plug it in a separate computer to output the seed) - this mode is not well documented yet but is functional by pressing the button on the right bottom corner of the mnemonic passphrase box.

Once a seed is written on a hw1 (and output once) it can't be accessed, you can only use it to sign transactions or information.

At no time the seed is kept in the app, unless you explicitly setup the quick access mode manually.

2. The private keys are on the HW.1 but because the *quick login* feature can be active resulting in access to your wallet without needing to access HW.1 this must mean that greenaddress also stores these keys in some other location.  How in the world was the greenaddress app able to open up the wallet with only a pin number when the *Quick login* - feature was selected?  Where were the private keys stored if they were not stored on the wallet?  Were they stored encrypted or unencrypted?  If they were encrypted by only my pin number how strong could the encryption possibly be?

As mentioned early, it is quite secure, if you use a 4 digits PIN there are 10000 possibilities and only 3 chances. And you can use much longer PINs. Remember, even if the mnemonic passphrase is compromised that is not enough to steal your funds as long as your two factor authentication is also not compromised.

3. I'm still not sure that I believe this is better than 2 factor authentication using a cell phone.  We already have seen that the greenaddress wallet has a habit of storing keys in some format (encrypted or unencrypted) on the computer anyways.  If the keys are only encrypted using a weak pin then obviously blockchain.info's wallet is the better option.

They are not stored in a weak way and they are only local and unlike others we don't keep your private keys encrypted with a weak user password on our servers that any hacker worth their salt can bruteforce offline.

4. I am familiar with handing paper wallets and loading actual private keys into software wallets.  I am comfortable with adding / deleting private keys from a blockchain.info wallet to gain access to funds.  I am not familiar with using a memonic to recover lost keys.  There should be some videos to assist the consumer to learn more about this.  I assume that this memonic is a feature of a Hierarchical Deterministic wallet but I'm not sure.  So one memonic recovers all possible keys that could be generated by greenaddress / HW.1?  Also what is the different / benefits between writing down an encrypted seed memonic and an unencrypted one?  If greenaddress removes their app from the app store and I only have the memonic could I take and enter this into another wallet software to recover my private keys?

In our FAQ there's more information on how to recover funds, there is a tool designed for this (which specifically handles the fact that GreenAddress' wallet is multisignature.
Videos and more information on this is coming and I agree they are due.

Also it would be really nice to have someone run a debugging program to isolate the type of communication taking place between the greenaddress wallet and the HW.1 to show us the following items:
1. Process of how private keys are generated - How is the mnemonic generated?
2. Showing how a request is inputted to the HW.1 and a signed transaction is outputted.

I think some people have verified this but I can only welcome more people to verify the code and the network.

I'm not yet sold on this technology, I purchased it to learn about it.  To convince me (and I am a pretty tech savvy consumer) that there is a benefit to using HW.1 there needs to be way more work done to educate the consumer as to the workings of this product.

~JD

I think it is expected and right of people to be skeptical, more videos and information to come.
In the meantime, if we can answer any question we are at disposal.

[mmeijeri]

As mentioned early, it is quite secure, if you use a 4 digits PIN there are 10000 possibilities and only 3 chances. And you can use much longer PINs. Remember, even if the mnemonic passphrase is compromised that is not enough to steal your funds as long as your two factor authentication is also not compromised.

If you are not using a hardware wallet, is the encrypted mnemonic stored? If so, a 4 digit PIN should be trivial to crack since with overwhelming probability only one of the 10000 combinations will yield a valid mnemonic. I assume you use a different method, but it would be good to be sure and to know some of the details!

[tryexcept]

The mnemonic passphrase is not stored automatically and it is never stored in cleartext.

If you enable 'Quick access' a random password of 256 bit is created to encrypt the mnemonic passphrase, keep the encrypted mnemonic passphrase copy in local storage, send the password to the server to keep and return against correct PIN, destroy the password locally.

It is considered not feasible to brute force a 256bit random AES key encrypting a piece of data.
The server deletes the password after 3 wrong attempts (and  the client deletes the encrypted local copy given a chance) - either way without the server password the encrypted mnemonic is unusable.

Does this clarify?

We would never encrypt a mnemonic passphrase with a 4 digits PIN - that's just, nuts, to put it mildly.

[btchip]

1. windows 7 64 bit - I needed to install drivers and reboot the machine before the greenaddress app would recognize the wallet.  Wasn't clear I needed a reboot

a reboot is probably not necessary (with Windows you never know though) but for sure it's necessary to kill all Chrome windows (so all Chrome process) - I'll mention that in the installation page

2. On my windows 8 machine it would recognize the wallet but it would also store my pin on the computer so it seemed like it didn't even need the card to access any funds until I went into settings to turn the pin remembering feature off.

that one is weird. Did you log previously with your mnemonic on that computer ?

3. On my windows 7 - 32 bit machine (company laptop) with some restrictive settings running the drivers never installed correctly.

that's kind of expected and will be a thing of the past once Chrome 38 is released - then we can move to Generic HID instead of WinUSB for the communication protocol (the dongle already supports both - we just configure it for WinUSB by default because Chrome 38 is still in beta)

[mmeijeri]

The mnemonic passphrase is not stored automatically and it is never stored in cleartext.

If you enable 'Quick access' a random password of 256 bit is created to encrypt the mnemonic passphrase, keep the encrypted mnemonic passphrase copy in local storage, send the password to the server to keep and return against correct PIN, destroy the password locally.

It is considered not feasible to brute force a 256bit random AES key encrypting a piece of data.
The server deletes the password after 3 wrong attempts (and  the client deletes the encrypted local copy given a chance) - either way without the server password the encrypted mnemonic is unusable.

Does this clarify?

Yes, thanks!

We would never encrypt a mnemonic passphrase with a 4 digits PIN - that's just, nuts, to put it mildly.

I figured as much...

[btchip]

I'm not yet sold on this technology, I purchased it to learn about it.

which is great

also GreenAddress is probably the most complex integration example since it's already pretty secure when configured in paranoid mode (i.e. with an external second factor on a dumb phone), so here HW.1 adds a little bit of security by preventing a malware owning the computer or Chrome to get access to the seed when HW.1 is not connected, and that's pretty much it. It just reduces the attack surface a little bit more, and makes using the service more convenient when logging in and transacting, since you don't have to remember anything but your PIN and nothing is stored anywhere but on the dongle.

you'll see the full HW.1 second factor mode with Electrum, and on upcoming integrations with less sophisticated wallets.

To convince me (and I am a pretty tech savvy consumer) that there is a benefit to using HW.1 there needs to be way more work done to educate the consumer as to the workings of this product.
~JD

work in progress indeed, but I think there'll be many opportunities to get convinced in the coming weeks/months as different scenarios get deployed. Also we'll have more marketing/communication resources in the team soon, which might help a bit  

[joshuad31]

also GreenAddress is probably the most complex integration example since it's already pretty secure when configured in paranoid mode (i.e. with an external second factor on a dumb phone), so here HW.1 adds a little bit of security by preventing a malware owning the computer or Chrome to get access to the seed when HW.1 is not connected, and that's pretty much it. It just reduces the attack surface a little bit more, and makes using the service more convenient when logging in and transacting, since you don't have to remember anything but your PIN and nothing is stored anywhere but on the dongle.

Id like someone trying to sell me on the scenario where I want to give bitcoin to a person and I am comparing using HW.1 to using blockchain.info to create a paper wallet and put it in an encrypted zip folder and emailing it to someone.

I hope we all know how dangerous it is to give the uneducated person a digital paper wallet where they copy paste the private key into wallet software.  If I was a hacker I would write code which does only one thing, namely it would monitor the clipboard for a 51 character string beginning with "5" and immediately send it off to a program which would empty that address from all of its funds.

There may be malware which does more sophisticated attacks at stealing bitcoin funds but I only know the type of malicious code I would write being an incredibly lazy person.

I've told people several times that they should type in the first few characters and then only copy a portion of the private key for the purpose of importing into wallet software.  Not sure how much this minimizes the possibility of attack because I don't write malicious code and understanding malware is not my expertise.  Would greatly appreciate getting a professionals POV on the subject.

Being that I could give HW.1 to a friend and this would save them from needing to be exposed to this kind of attack I am weighing its value with respect to this specific scenario.

So I would really really like a video showing someone wanting to give bitcoin to a friend and considering the various possibilities of how they might do that with HW.1 being compared to an encrypted zip file with a paper wallet inside and sent via a dropbox link which is later deleted.

If someone can do a video on this and provide some genuine insight 0.025 BTC reward (10 dollars at time of writing).  Video must contain the perspective of a minimally technical person receiving a HW.1 in comparison to receiving a paper wallet and the exact steps they take to initialize a new wallet software to be able to send the funds.  In the youtube video comments link back to this post and provide a bitcoin address.  Also email me joshuad31 -a t- yahoo -d o t- com.

~J

[btchip]

Yes, we'll elaborate on that and how it can be done in a trustless mode

[joshuad31]

Yes, we'll elaborate on that and how it can be done in a trustless mode

My absolute dream is a HW wallet that stores ethereum private keys tied into a smart contract.  All of the keys have the same Hierarchical Deterministic seed which means that although all of the keys have different private keys that are not known between parties one HD seed can recover all the keys.

So then I give these keys out and
1 key can unlock > 50$ per day
2 keys can unlock > 150$ per day
3 keys can unlock > 300$ per day
4 keys can unlock > 800$ per day
5 keys can unlock > 1500$ per day
6 keys can unlock > 2400$ per day
7 keys can unlock > 10000$ per day
8 keys can unlock > 20000$ per day
9 keys can unlock > all funds

This would be my dream way to secure my funds within an ethereum smart contract and to secure my employees private keys with an affordable hardware wallet.

Then I could just give these out to whomever needs it even if they are not technical and bundle them with a usb low profile thumbdrive / keychain with etherbrowser app software to provide the interface for the non technical user and VIOLA!

Its my dream.  Hope there is a product on the market someday that can allow me to make it happen !

[btchip]

The hardware platform should be there, for the remaining part let's hope 19.8 and 19.9 won't apply 

[AussieHash]

After using the device I opened the GreenAddress wallet, installed from GitHub (but you can install it from the Chrome Web Store) and I took the following steps:



When prompted with a login page I clicked in “Create a new wallet”, thus generating a new mnemonic passphrase, which is used to access and generate my deterministic wallet. Save that mnemonic passphrase in a safe place.



When I created the mnemonic passphrase there was a button “Write to a hardware wallet” which is what we are interested in doing (also NOTE the mnemonic, see later).

Clicking it (after having inserted the BTChip) has the following results:



The wallet has discovered the BTChip as not previously initialized. Later I found out that if the device is already initialized then the interface will have offered the ability to reset it.

Clicking the button “Save to BTChip”, the user is required to insert a PIN, PIN which is then required every time you will use the BTChip. It is to be noted that after 3 incorrect PIN the device is reset.

...

- At this time it is not possible to create the mnemonic passphrase offline and then follow the online setup. Lawrence from GreenAddress has said that this option will be soon available too.

I have just cloned the github repository, and created a WalletCrx.crx and WalletCrx.pem
https://github.com/greenaddress/WalletCrx

Would it not be possible to transfer these files to a fully cold offline raspberry Pi,  drag/drop the WalletCrx.crx extension onto the Pi's Chrome, launch the extension and then generate the mnemonic AND write it to btchip, all fully offline ?

Edit : ok, WalletCrx required internet connectivity after the mnemonic step, both to display the 2fa screen, and to confirm the Google Authenticator password, even though the browser "enable" button turns green.

This makes sense as greenaddress "We offer our second signature : Which allows us to offer and enforce 2 factor authenticated payments and daily, weekly and monthly limits, rate limiting your transactions per hour, day, week and month and make your payment instant by providing a double spend checks with GreenAddress!"

So greenaddress.it stores 1/2 keys and the user's mnemonic (which can be PIN protected) is the other 1/2 keys.

This allows 2fa authentication with spending, and basically means if my computer is backdoored/keylogged, then the only protection saving my BTC is my Google Authenticator phone app or SMS or Phone call.

If I were to instead write the user mnemonic to a btchip +/- PIN, then the btchip becomes a physical "something you have" as well as a PIN "something you know" which would also work somewhat like a BitID login token - correct ?