Topic: Extracting the Private Key from a TREZOR ... with a 70 $ Oscilloscope (Read 5187 times)

You obviously have to be in possession of the physical device to use the Oscilloscope, so by the time the owner of the device

picked up that his Trezor was stolen, he or she could have used the seed to access the coins and to move it to another Bitcoin

address. This is not a massive threat, because this is very difficult to pull off and you need specialized tools. To protect you

from this, make sure you know where your device is and do not store your device with your seed. 

The one in the first post?

https://web.archive.org/web/*/http://johoe.mooo.com/trezor-power-analysis/
http://archive.is/WhLkl

great read, crazy what people can do with technology these days. even though a trezor might be considered incredibly safe, its clear there are always workarounds for anything.

Best option would be to use multi-sig across multiple devices ...
It could be a couple of years before you can trust a single device with your "stash"

This was very cool, how do they make this immune to the side channel attack ?

Keep up the great work and looking forward to seeing your analysis of Ledger Wallet once ready.

He mentions it at the bottom of his report:

Any wallet software that has offline signing functionality will work using software like minimodem. An example using Armory:
https://bitcointalksearch.org/topic/tx-signing-via-minimodem-735111

How fast it works depends on your tx size. I agree slow don't matter much in this case, as security should be our main concern.

Hired could make him less independent,donating to pay for testing equipment upgrade makes more sense iMHO. At least that's what I plan to do.

Wow much respect for johoe.

He should be hired as a professional tester by BTC hardware wallet companies.

Just curious what Johoe himself uses to store his bitcoins? Hardware wallet? Air-gapped machine?  Multisig?

Thank you for raising important issues. To refrain from spamming, the following prior link discusses the technical points raised here:
https://bitcointalksearch.org/topic/m.11295854

EliptiBox Team

It should be pretty easy to use because Electrum supports plugins, does it come as a patch for the source code 

You are spamming;  advertising your product is off-topic for this thread, doubly so since its already been spamvertised once here;  but since you've been so bold--  I inquired and found out that your product is based off the same weak, barely tested/reviewed, and slow as heck naive cryptographic code used in the product being discussed here.  The information leak here is so severe that I am very doubtful that your (quite laudable) improved hardware isolation can prevent-- e.g. the code in question leaks several bits of information about the key from just the time it takes.

Furthermore, Your "directly in silicon" is an FPGA with a loading procedure 'under the seal', this is potentially yet another back door vector, it sinks a lot of power, and really seems to be of dubious value. I would have preferably seen all the external interfaces over simple low-ish-speed serial interfaces with good electrical isolation, rather than a huge power sucking FPGA under the secure-area can.  Use of a BGA probably also means you need a 4 layer board for signals routing and thus probably can't use an extra layer as a separate ground to complete the shield can. The FPGA just seems like a costly gimmick to me, and that you're misrepresenting this as a solution to bad cryptographic code (which you have made a similar failure by selecting to use it) doesn't bode well for the security of your product.

We have just the solution for this problem - firewall between the crypto controller and the interface, implemented directly in silicon:
http://www.eliptibox.com/#!Hardware-Firewall-for-Hardware-Wallet/cw4e/54ecb8670cf27a657a44c314

EliptiBox Team
www.eliptibox.com

It is already implemented in Electrum, just not easy to setup and use...

Be it slow or fast it seems a nice and secure idea, I think...

The TREZOR definitely has some filtering caps; Beyond 10 kHz I can see no signal.  The main problem was that the bn_inverse function is noisy (several branches) and quite slow in executing (it does a thousand additions of 256 bit numbers).  One could filter these out with larger caps but it probably was never a design requirement to put the largest cap that would fit inside the casing of the TREZOR.  And of course you can always break it open.  The problem with the noisy bn_inverse function has been fixed (now, it is only used once on the z coordinate of the public key, which is even randomized).

My next project is analysing the Ledger.  This has no filtering caps worth mentioning.  It is just the secure element with a USB connector.  The oscilloscope shows much more details.  However, some of it is noise the device is producing deliberately to make these kinds of analysis more difficulty.  It also randomizes the timing.  I will probably report more of this, once the analysis is finished.  Still, even with the secure elements, you can see a lot of details of the executed code on the power line.  The producers of the Ledger are aware of this and use constant time code to compute the public from the private key.  We will see, whether they did this right.

In the article they also write about emission from signal lines. Electronic designers have been working for decades on such problems to avoid interference with other devices and to satisfy regulatory requirements. Simple layout changes of the PCB can achieve this at marginal cost. On the other hand electromagnetic emissions can't be completely avoided and an attacker can use more sophisticated measurement and analysis methods, but a good PCB design can drive the costs for such an attack significantly up. Therefore EMI-engineering should be mandatory for the development of security hardware.

Unlikely.  Power filtering cannot help you when the leak is so gross that it makes timing differences you could darn near measure with a stopwatch.

Though the device looks pretty interesting and would be good for applications where the software is already largely protected! But the invest page makes it severely smell like a scam.

A good read. Demonstrates how a chain is only as strong as its weakest link. This attack is so easy for someone who knows the stuff. 512bit key generation defeated by a current meter.  

Did you saw this?

http://www.eliptibox.com/#!The-perfect-hardware-part-1-REDBLACK/cw4e/54fdf26b0cf24585978defdb

Looks that it is claims to be protected against all of these attucks

This is why I always advise people to wait a few more years before using hardware wallets to store significant amounts of Bitcoin. They are too new, untested and unstudied and due to this they may have undiscovered flaws like this, in fact my opinion is that there are many other side-channel attacks similar to this, however in a few years once they have been better studied, tested and improved and we fully understand all the security concerns involved then hardware wallets will really shine.

You never break into my Trezor collection.

wooow. crazy shit. reminds me of the hollywood movie "eagle eye". But not long ago i ve read an article about some scientists from Tel Aviv University who were able to extract RSA keys from the "noise" of a CPU!!! So the above scenario, where a nearby computer "attacks" a victim within his noise-recognition area by "listening to its processor", should be practically possible. maybe we should start adding noise protection measures to our computers and trezors... LOL

Actually, from the computer the Trezor is connected to itself (after all, the point of the Tezor is the assumption the host computer is compromised); nearby would be an even more impressive stunt--  in terms of nearby but not connected; that would better be done with a software defined radio receiver (e.g. not merely a remote compromise).

All of that is a long shot, but thats the annoyance about defense; you have to defend against all attackers, and an attacker may spend a lot of time and resources on a single valuable target.  It's quite hard to be confident that you do not have an exploitable weakness. If you're sure you're secure you're probably not being creative enough.

It took me a while to realize that gmaxwell was talking about secretly recording the audio interference from a nearby compromized computer which would then be retrieved and decoded by the attacker at a later time.

I always feel uneasy to connect a device with private key directly to an untrusted online computer

I hope something like a audio modem could be implemented but seems it's too slow to be practically used?

https://bitcointalksearch.org/topic/bounty-25-btc-audiomodem-based-communication-library-135423

That's true, 'swhy I specified power only at the USB port.  It would allow the tamper-evident feature to do its job, as only needing non-invasive monitoring would let someone try without being noticed.  It really only needs to withstand attack long enough for its owner to notice it missing.

Hmm, I wonder if it's FCC class B certified.  Seems unlikely if it's throwing out a noticeable amount of RFI, so maybe using more elaborate shielding and coupling to the detector would help passive monitoring succeed.  Might try placing it near a machine with an old taiwanese ISA-bus soundblaster clone in it; those were great at picking up noise!

It isn't connecting to the jtag is easier than the power analysis.

But-- not quite the same, it's conceivable that a sufficiently creative attacker could do basically the same power analysis attack just by recording EMI picked up by the soundcard in the computer or via RF emissions from the device. (It's apparently quite easy to pick up noise from the trezor from across the screen with a radio receiver).  People who've tried this have been frustrated by the extreme amount of noise put off by the screen and power regulators, but sufficiently advanced DSP may overcome it.

Adding caps will not stop anyone to measure directly at the processor pins. And the device is tamper-evident, not resistant. Nothing is. The goal is to slower and make attack more expensive.

Going by the pulse widths, it seems like a few cents worth of power filtering caps in the device would have prevented seeing anything exciting on the USB port.  He mentioned removing the screen as well to clean up the signal, so I guess the device isn't even tamper-resistant? It doesn't seem to be going by the Trezor website. Too bad everything has to be made as cheaply as possible.

Wow that is a creative attack!

Wow, that was some crazy shit

Good read, great to see security research in this space.  Hope you get a tip!

nice link and good read thanks.

so every trezor user shoulda update their firmware asap

http://johoe.mooo.com/trezor-power-analysis/

Paper claims that private keys from a TREZOR device could be extracted via a side channel attack, but newer firmware fixes the vulnerability.