Wired Wednesday: Breaking Bitcoin Hardware Wallets
TL;DR
Tools and techniques used to "break" hardware wallets demystified ...
"Why do I need to worry about technical details 'n' stuff?!" you might ask.
"I've been down with crypto currency for over a decade!" you say.
"Crypto is secure!" you say.
"I'm a crypto legend!" you say.
OK OK! I get it; you know what you are doing!
Scenario A:
Thanks to ALL that Blogging, You are Targeted
Please see/use: Hide Your TREZOR Wallets with Multiple Passphrases
Scenario B:
First, You Learned the Value of Decentralization ...
(w1nn1ng!)
Then You Learned the Importance of Cold-Storage ...
(w00t!)
(Bravo!)
Whoops, LOST that Shit!
(D0h!)
Order a Replacement via Amazin Drone ...
(nice!)
Call Grandma and Get the Necessary Key(s) ...
(WHEW!)
Reconfigure Hardware Wallet
(ahhhhh)
Continue Living the Dream
(YES sauce!)
What are Side-Channel Attacks?
Per Wikipedia:
"In cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis).
For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.
Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others such as differential power analysis are effective as black-box attacks."
Common classes of side channel attacks include:
- Cache Attack
- Timing Attack
- Power-Monitoring Attack
- Electromagnetic Attack
- Acoustic Cryptanalysis
- Differential Fault Analysis
- Data Remanence
- Software-Initiated Fault Attacks
- Optical
Intro to Side-Channel Analysis Course
RSA Power Analysis Side-Channel Attack
Demonstration Against RSA (MUST watch. Reality happens @ 9:00)
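A toy model of why simple power analysis works against textbook RSA exponentiation, added here as an illustration and not taken from the linked demonstration or the original post. The "S"/"M" strings stand in for what a scope trace would show, and the modulus, base and exponents are constructed toy values.

```python
# Added example: models only the *sequence* of big-number operations,
# which is what a simple power trace exposes. All values are constructed.
TOY_N = 3233                 # 61 * 53, far too small for real use
TOY_BASE = 65
TOY_D = 0b101100111010       # stand-in "private" exponent

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; returns (result, op string)."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops.append("S")
        if bit == "1":       # extra multiply only for 1-bits: the leak
            result = (result * base) % mod
            ops.append("M")
    return result, "".join(ops)

def bits_from_ops(ops):
    """Show that the op string above is just the exponent in disguise."""
    return ops.replace("SM", "1").replace("S", "0")

def montgomery_ladder(base, exp, mod):
    """Same result, one multiply and one square per bit, whatever the bit."""
    r0, r1, ops = 1, base % mod, []
    for bit in bin(exp)[2:]:
        # The branch only selects operands here; real firmware would use
        # a constant-time conditional swap instead of an if/else.
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        ops.append("MS")
    return r0, "".join(ops)

if __name__ == "__main__":
    res, ops = square_and_multiply(TOY_BASE, TOY_D, TOY_N)
    print("naive ops :", ops)
    print("read back :", bits_from_ops(ops), "vs", bin(TOY_D)[2:])
    res2, lops = montgomery_ladder(TOY_BASE, TOY_D, TOY_N)
    print("ladder ops:", lops, "(same for every 12-bit exponent)")
    print("results agree:", res == res2 == pow(TOY_BASE, TOY_D, TOY_N))
```

A regular operation sequence only removes this one leak; data-dependent power differences within each operation are what differential power analysis targets, which is why blinding is used on top.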
Side-Channel Analysis Hardware Buying Guide
Breaking Bitcoin Board
@ DIY
If you aren't into soldering, a local shop ought to be able to help you out.
ChipWhisperer-Lite (CW1173) Basic Board
@ $250.00 USD
If you love to solder or are just on a budget, go for this; it is the entry-level option from Mr. O'Flynn.
ChipWhisperer-Lite (CW1173) Two-Part Version
@ $325.00 USD
If you'd rather not solder (just how many more hours do you need to work to cover the additional $75?) and just "get to it", this step above the entry level option is a good balance of bang for the buck.
Side-Channel & Glitching Starter Pack (Level 1)
@ $550.00 USD
If you expect to be performing this type of research regularly, you might want to consider this package with a few helpful extras. The extras are also available individually, so you are free to build your test lab as you grow.
SAKURA-X
@ ¥ 370,000 (Roughly $3,500 USD!)
If you've secured Gov't funding, this might be up your alley!
Reference
Breaking Bitcoin Hardware Wallets @ DC25
Bitcoin hardware wallets security
The 2nd video is really brilliant. I want to write posts like he does the video explanation.
So to summarize. Keep your HW in a safe ;-) And once a week or month transfer some little amount to some USB key or smartcard you can take with you. Just like with a bank account but then you have multiple accounts, one for savings (secure in vault) and for spending, you send it each week to that one.
Yea, that guy is fuckin' great eh!?
To summarize I might say: whether it's an exchange or a daily-carry hardware wallet, "Don't keep ALL the eggs in one basket." From talking with a few users and seeing responses to HWs online, I believe that many users feel they are a "silver bullet". The greater the attack surface, the greater the risk.
Fundamental understanding of crypto keys and how digital signing works is key to any solution. The other factor which you have alluded to that can greatly increase likelihood of success is operations/process management.
I figured yesterday that as soon as you noticed your HW wallet is stolen transfer the funds so the secret key they'll find will be worthless to them. Not sure how long it takes them.. ?
The guy is funny! Admitting his mistakes and all LOL!
@cayce this is awesome and insightful info, thanks!!! I think simply awareness of threats is a crucial part of just participating in the new industry.
This.... is totally not for N00bs to understand at this point of time.... I am already fainting, I need to read this again to digest it better. Probably without the gifs making my head spin.
So let me try to grasp it in a n00b's point of view.
It is safer to make your own hardware wallet than to buy it off from 3rd party production?
Yet I have this saying that I have learned (to be less stressed)
If you intend to use COTS products, the same scenario will likely be present.
For the same reason most do not walk around with more cash than they can spend in a day, don't do the equivalent with a HW!