Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto hardware wallets security

Crypto hardware wallets security

« Cette présentation aborde la sécurité des portefeuilles matériels de cryptomonnaie (« hardware wallets »), en particulier à travers l’analyse de leur architecture interne et des composants électroniques courants utilisés dans les portefeuilles matériels : les MCU (MicroController Unit), CPU (MicroProcessor Unit) et SE (Secure Element). Elle décrit l’architecture simplifiée ainsi que l’architecture « idéale » et « pratique » des portefeuilles matériels et les interactions impliquant l’utilisateur, l’appareil externe (PC) et la blockchain. Les évaluations de sécurité existantes telles que CSPN, Critères Communs (ISO 15408) sont aussi discutées, avec un focus sur les niveaux d’assurance (EAL) et des exemples de portefeuilles matériels certifiés. Les différents risques associés aux portefeuilles matériels sont examinés, y compris le vol, la perte, la falsification et les attaques sur la chaîne d’approvisionnement (« supply chain »). Des modèles de sécurité pour différents types de portefeuilles connus tels que Jade et SeedSigner sont analysés. La présentation traite également de vulnérabilités courantes comme les bus en texte clair entre le MCU et le SE, les accès non authentifiés aux bus d’affichage et de boutons, et les risques de censure des transactions de certaines infrastructures. »

Renaud Lifchitz

June 20, 2024
Tweet

More Decks by Renaud Lifchitz

Other Decks in Technology

Transcript

  1. Hardware WalletsSecurity Date 2024/06/20 TLP GREEN TLP : GREEN Hardware

    Wallets Security Renaud Lifchitz, Chief Scientific Officer Séminaire de cryptofinance Institut Henri Poincaré – June, 20th 2024
  2. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Interest in

    Bitcoin since July... 2010 ! (BTC/USD was around $0.05) • June 2011: author of the very first public presentation about Bitcoin in France : "Bitcoin : une monnaie électronique pour tous" (https://bit.ly/rl-btc2011) • 2013 : Co-author of the proof-of-work of DataCoin et PrimeCoin ("EulerLagrangeLifchitzPrimalityTest" function), first useful PoW according to Vitalik Buterin, tens of world records found: https://bit.ly/rl-pow • 2013 : Development of a Bitcoin miner on FPGA, profitable for 2 years • IT & IoT cybersecurity expert, interested in cryptography • Advisor, auditor and trainer for about twenty blockchain companies About the speaker 2
  3. Hardware Wallets Security Date 2024/06/20 TLP GREEN HOLISEUM Pure Player

    in critical and industrial infrastructures protection KEY FIGURES Of expenses in R&D 2018 Creation year of Holiseum 40 Cybersecurity consultants 20% Continents covered with ¼ of turnover achieved abroad 5 Innovation & disruption Excellency & expertise Holistic vision & 360° approach Legitimacy resulting from field experiences Scalability & operational efficiency OUR DNA Consulting & Services Education & training Software editing 3 MAIN PILLARS OUR MAIN CLIENTS
  4. Hardware Wallets Security Date 2024/06/20 TLP GREEN QUALIFICATIONS PASSI* (ANSSI)

    ** on all scopes Selection for the PACS*** experimental phase Referred by France Relance (audits & remediation) Certified : innovative young company Ransomware Dry Run® referred by UGAP BUSINESS SECTORS Maritime Finance Others Luxury Energy *PASSI: Information systems security audit providers **ANSSI: French National Cybersecurity Agency ***PACS: Support & advice providers on information systems security KEY FIGURES 360 Audits 1st Ransomware Dry Run 3 Awards for our innovative solutions +150 Pentests / year +250 HOLISEUM Pure Player in critical and industrial infrastructures protection HOLISEUM IS A MEMBER OF
  5. Hardware Wallets Security Date 2024/06/20 TLP GREEN Outline 1. Security

    of common electronic components 2. Architecture of a hardware wallet 3. Security evaluations 4. Risks regarding hardware wallets 5. Security model of well known wallet types
  6. Hardware Wallets Security Date 2024/06/20 TLP GREEN • MCU: MicroController

    Unit • CPU: CentralProcessing Unit / processor • MCU and CPU are quite easy to debug, dump, reflash (like flash and RAM chips...) • They cannot be used to store sensitive data like private keys Security of common electronic components (1/2) 7
  7. Hardware Wallets Security Date 2024/06/20 TLP GREEN • SE: Secure

    Element o Kind of vault for private data (keys) & secure processing o Very similar to the one you have on your credit card o Similar to TPM ("Trusted Platform Module", hardware) or TEE ("Trusted Execution Enclave", software) on computers and smartphones o Usually tested against logical and physical attacks, even side- channel attacks! o However, the security functions should be correctly used by the developers... Security of common electronic components (2/2) 8
  8. Hardware Wallets Security Date 2024/06/20 TLP GREEN Practical architecture 12

    When the SE doesn't implement the signature algorithm, key might be exposed...
  9. Hardware Wallets Security Date 2024/06/20 TLP GREEN • CSPN ("Certificat

    de Sécurité de Premier Niveau", mostly recognized in France) • CC ("Common Criteria") standards o ISO 15408 o comes with the EAL ("Evaluation Assurance Level") scale, from 1 to 7 What are existing open security evaluations? 14
  10. Hardware Wallets Security Date 2024/06/20 TLP GREEN • EAL scale:

    o EAL1: Functionally Tested o EAL2: Structurally Tested o EAL3: Methodically Tested and Checked o EAL4: Methodically Designed, Tested and Reviewed o EAL5: Semiformally Designed and Tested o EAL6: Semiformally Verified Design and Tested o EAL7: Formally Verified Design and Tested • EAL > 5+ doesn't provide a lot more security against attacks (mostly against bugs) Common Criteria 15
  11. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Examples: o

    EAL7: NGrave o EAL6+: CoolWallet SE, Tangem o EAL5+ & CSPN: Ledger Nano X SE o EAL5+: Mastercard & Visa debit cards (EMVCo) EAL rankings 16
  12. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Theft •

    Loss • Tampering (hardware or software) o Before use: supply chain attacks o After use: to recover the PIN or steal funds from a user • Substitution • Malfunction (hardware or software) • Access to backup Risks regarding hardware wallets 18
  13. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Probably the

    most underrated and probable risk • Allows the complete bypass of hardware wallets security model • Backups are in general much more vulnerable than hardware wallets: you have to think about securing your backups first! Access to backup (1/3) 19
  14. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Best practices

    for seed backups: 1. Resistance: resistance to disasters (fire/flood), for ex. stainless steel plates 2. Redundancy: have it at several places (in case of place/seed destruction by disaster) 3. Passphrase/25th word: to add security on top of the raw BIP-39 seed (don't forget it!) 4. Opaque envelope/bag : to avoid direct view of the backup by unauthorized persons (family, housemates, guests, thieves) 5. Tamper-proof security envelope/bag: to check if the seed has been accessed without your knowledge 6. Time-locked backup key: ex.: unsaved operational seed + saved and protected non-operational seed with Liana Access to backup (2/3) 20
  15. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Bad practices:

    o Plaintext digital backup by default (ex.: BitBox02) o Plaintext seed needed for every signature (ex.: Seedsigner requires it!)  very difficult to secure in practice (cannot be tamper-proof) Access to backup (3/3) 21
  16. Hardware Wallets Security Date 2024/06/20 TLP GREEN • If device

    is tampered: o attacker can remotely accept arbitrary transactions o attacker can display inaccurate transactions for the user to validate them (wrong amount/recipient) • Goal: stealing funds... • Often requires a 2-step attack: 1. physical access: hardware implant (wired or wireless) 2. user interaction Device tampering 22
  17. Hardware Wallets Security Date 2024/06/20 TLP GREEN • HW with

    certified SE: Ledger Nano X • HW with non-certified SE: Safepal S1 • HW without SE: classic Trezor models • Smartcards (often Java-based): Tangem, TapSigner • HW without long-term key storage: SeedSigner Hardware wallet types 24
  18. Hardware Wallets Security Date 2024/06/20 TLP GREEN • "Virtual Secure

    Element" • Cloud or self-hosted service (server) • Basically the seed is split between the device (encrypted seed) and the server (key) • Risks: o Censorship/DoS ("Denial of Service"): ISP or country can block Jade server IPs o Logical or physical access to server implies: o PIN trials reset  PIN bruteforce possible o access to Jade users encryption keys Jade (FOSS) 25
  19. Hardware Wallets Security Date 2024/06/20 TLP GREEN • You load

    the seed temporarily into a signing device • Risks: o Seed is physically exposed to housemates and thieves o Device is exposed and easy to modify (hardware and software) SeedSigner (FOSS) 26
  20. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Risks: o

    Seed is extractible from MCU/CPU, but it takes time (hardware debug and/or side-channel attacks) Most hardware wallets without SE 27
  21. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Seed is

    terribly hard to extract from the device (only very big companies or countries might try) • Risks: o Mostly finding the backup paper seed Most hardware wallets with SE 28
  22. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Happened because

    of open source (access to git commits) • Ledger lack of anticipation for communication • People (even security experts) confuse self-custody and being trustless: self-custody doesn't imply being trustless! • In a hardware wallet, you always rely on hardware (rarely open source) and firmware (sometimes open source) The "LedgerGate" case 29
  23. Hardware Wallets Security Date 2024/06/20 TLP GREEN • Plaintext bus

    between MCU and SE (no "Secure Channel"): PIN and/or private key can be sniffed • Unauthenticated access to the screen display bus / button bus • Key temporary leaving SE because of lack of algorithm implementation within the SE • Censorship: ISP or country filtering DNS/IP access to wallet provider servers HW common found vulnerabilities 30
  24. Hardware Wallets Security Date 2024/06/20 TLP GREEN Faïz DJELLOULI CEO

    & Co-Founder +33 6 69 72 29 64 | [email protected] An NGUYEN COO & Co-Founder +33 6 98 84 39 97 | [email protected] Holiseum | SAS au capital de 10.000€ | RCS Paris 841 088 024 | n°TVA FR 77 841088024 | 20 Place de la Défense (Morning) | Tour Légende, 92800 Puteaux www.holiseum.com Questions?  [email protected] Propaganda memes by phneep.com