Stop Doing Tamper Evident Security Seals Wrong!

Disclosures:  Digital Bitbox sent me two devices to take a look at.  I sent them no money in return.  I am going to destroy one and keep the other.  Nobody reviews my content before I post it, and my posts are my own opinions.

 

 

A pair of Digital Bitboxes just arrived at stellaw.info HQ, and I've got to address this straight away -- even before a Teardown/First Impressions post.  After removing the box from a sealed anti-static bag, I saw this:

A tamper-evident seal!

Branded even!  The shiny hologram has 'security' repeated in the background.

Seal completely intact, and the product easily slips out of the 'secure' packaging.

Seal intact, both the bitbox and SD card easily removed.  This is 100% of the contents of the box. (I broke the seal and opened the box later to confirm this.)

Stop half-assing security measures.

I thought we all learned this exact lesson from the Mycelium Entropy's shameful showing.

The purpose of a tamper-evident seal is to make it clear that something has been opened or tampered with upon inspection.  These seals can be a deterrent against some adversaries who do not have the tools or skills to bypass them.  In this case, the bypass was slightly squeezing the box and letting the product slide out the side.

This is security theater.  This seal serves no purpose but to communicate that either:

  1. The manufacturer thinks that their customers are idiots and will be fooled into thinking that this shiny piece of tape adds any amount of security.  or:
  2. The manufacturer does not understand how to implement security features and wants to make that clear upon first impressions.

Either case is pretty lousy.  I guess they aren't mutually exclusive.  From the first moments of experiencing their product, my level of confidence in Digital Bitbox to not screw up other security details is not high.

Hardware Bitcoin wallets are not toys.  They are financial products that you are asking your users to trust with their money.  This is important.  Get the details right.  If you are going to include a security feature, make sure it works.

In this case, it would be cheaper and more effective to not include a seal at all.  You would not have had to spend the money in procuring a custom seal, and the time in applying them to the box -- and you would not be implying that part of the security model of your device is a strip of shiny tape poorly applied.

 

Teardown and second impressions coming soon. 

Trezor *is* open source hardware!

One of my major criticisms of Trezor has not been valid since <I'm not sure when>!

At some point, SatoshiLabs released the EagleCAD files for the Trezor, available here:  https://github.com/trezor/trezor-hw/tree/master/electronics

Well done, SatoshiLabs!  You use the 'open source hardware' label without shame.

I have not yet looked at the posted CAD files in detail, but at first glance they appear to be correct and complete.

From: https://github.com/trezor/trezor-hw/blob/master/electronics/trezor.brd.png


I wonder when the exact clones are going to hit the market?  Or have they already?  Is the Trezor in your pocket genuine?

KeepKey first impressions and teardown

I emailed the KeepKey folks, and they sent me a developer unit!

So I guess the 'full disclosure' here is that they sent this to me and I didn't send them any money in exchange.  Or the promise of anything.  They really didn't ask me much other than the address to send it to.

Oh well.  Now we're all on the same page here.

It comes in a classy box.

This is kinda-sorta what it looked like when I opened the box for the first time.  It's a lovely shade of green inside.

It comes with a nice fabric-covered USB cable and a quality paper to write down your seed words.

The back of it is a pleasant aluminum.

The front is plastic, with a tinted window for the screen to shine through.  You can see the damaged clips that held the two halves together.

It was a bugger getting the thing apart.  Those retention clips are solid, and it's not going to go back together in any pretty way.  Inside there is a custom molded plastic bracket that holds the board and screen in place, and that was glued solidly in place.

I don't believe that it would hold up submerged in water, but I'd say it's fairly tamper-evident.

And here's the guts.  I haven't looked at this in close detail yet, but there are some nice surprises in here.  The ZIF socket for the screen is very nice, the silkscreen comments many components nicely, and it looks like there's a set of debugging pads nicely lined up in the lower left there.

There's even a pair of LEDs on the board that most people will never see.  I assume those will be gone in future revs.

I was hoping to see a second button hidden on the board.  The one button is labeled SW2, but I didn't find a SW1 on there.  This is a fork of Trezor, but with the omission of a second button, there's no hope of running original Trezor code on this.  What a shame for a product with such great fit and finish.

The backside is not very interesting.

Powered by an STM32F205RGT6, along with its full MB of flash (more than Trezor, same as the Black Arrow eWallet).

. . .and she still works!  I'll be taking a look at the software and the user experience soon.

From a hardware quality perspective, KeepKey is solidly designed and feels 'premium'.  I have no idea what the expected price is going to be, but I sure hope they can be very competitive with Trezor pricing.  

 

Memory Protection Test

I was perusing the Trezor code and noticed this function:

This is called early in the bootloader and checks if the memory protections have been set, and if they have not been, then it sets them.

The setting is permanent and the code will only be hit once -- the first time the chip powers up into application mode after the bootloader has been written to the chip.
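
A host-side sketch of the check described above, added here as an illustration; it is not the Trezor bootloader function the post refers to. It decodes an STM32F2 option-control register value into its read-protection level and write-protected sectors, and assumes a policy of "RDP level 2 plus sectors 0 and 1 write-protected"; the function names, the policy mask and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* STM32F2 FLASH_OPTCR fields, per ST's reference manual:
 * bits 15:8 = RDP (read protection), bits 27:16 = nWRP (active low). */
#define RDP_SHIFT   8
#define RDP_MASK    0xFFu
#define NWRP_SHIFT  16
#define NWRP_MASK   0xFFFu

/* 0xAA = level 0 (open), 0xCC = level 2 (permanent, debug port disabled),
 * any other value = level 1. */
int rdp_level(uint32_t optcr)
{
    uint32_t rdp = (optcr >> RDP_SHIFT) & RDP_MASK;
    if (rdp == 0xAAu) return 0;
    if (rdp == 0xCCu) return 2;
    return 1;
}

/* Bit i set in the result means flash sector i is write-protected. */
uint32_t write_protected_sectors(uint32_t optcr)
{
    return ~(optcr >> NWRP_SHIFT) & NWRP_MASK;
}

/* The bootloader-style decision: true if the one-time lock-down is still
 * pending. required_sectors is a hypothetical policy mask. */
bool needs_lockdown(uint32_t optcr, uint32_t required_sectors)
{
    if (rdp_level(optcr) != 2) return true;
    return (write_protected_sectors(optcr) & required_sectors) != required_sectors;
}

int main(void)
{
    /* Constructed samples: reset default, a level-1 part, a locked part. */
    const uint32_t samples[] = { 0x0FFFAAEDu, 0x0FFF55EDu, 0x0FFCCCEDu };
    const uint32_t policy = 0x003u; /* assumed: protect sectors 0 and 1 */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("OPTCR=0x%08X RDP level %d, WP sectors 0x%03X, lock-down %s\n",
               (unsigned)v, rdp_level(v), (unsigned)write_protected_sectors(v),
               needs_lockdown(v, policy) ? "pending" : "done");
    }
    return 0;
}
```
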

But has this happened before or after the wallet has been put into the retail packaging?

Let's find out!

First, let's make sure we have a valid way of testing by using a fresh factory blank chip:

With the factory fresh chip in this rig and the boot pins in this configuration, I can verify that the chip boots into DFU mode via JTAG and OpenOCD.

So let's sacrifice a factory sealed wallet.  For Science!

Apply tools:

Extracted safely:

 

Now the sad conclusion: when testing this chip in the test rig, OpenOCD would not communicate with the chip.  This implies that BWallet powers up each unit in the factory in application mode, executing the code that trips the memory protection fuses.

I'd like to test a Trezor in a similar way.  Donate if you are interested!

Mycelium Entropy Impressions

Today, my Mycelium Entropy arrived.  I was excited about this one -- a simple device designed to do one simple thing.

Here are my initial thoughts:

Nice packaging.  Decent enough build quality.  What's that on the right side?

Branded holographic security seal?

This, my friends, is called "Security Theater."  The 'security seal' is *easily* bypassed.  Makes me wonder what other security 'features' they got boneheadedly wrong.

It's an ATMEL ATSAM4LS4 ARM Cortex-M proc.

wat.  "We're 'open source'!  So f*ck you, you're on your own!"

This product is a toy.  This is clever, but does not instill any confidence in their ability to make a financial product.

I'd reach for any of the other three products before the Mycelium Entropy.

These are just initial impressions, but man am I disappointed with the presentation and apparent lack of confidence in their own product.

What's the purpose of the holographic sticker?  It fails miserably as a tamper-evident seal.  It's just to look pretty?  It's got Mycelium branding, so some (non-insignificant) part of the price of this device went to a shiny sticker that some folks might interpret incorrectly as adding to its security.  blech.

This is another Bitcoin hardware company throwing around that term 'open source'.  Sure, there's a repo with some code, but the way I found out what processor was running inside was by disassembling mine.

More to come.

Drop your questions for me in the comments section.

(Donations appreciated here: 1Adq8SP8WBWJGHyq8N3bGty8n1m9A3ms81)