Author

Topic: Possible hardware backdoors (Read 627 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
July 23, 2023, 04:13:16 AM
#48
Some linux distro (such as Debian) works fine with old PC though.
It depends. Depending on how old and how good the machine was at the time, you can get Debian running on it. Choose the right architecture here: https://cdimage.debian.org/cdimage/release/current/

In my personal experience though, sometimes latest versions of packages are not available for 32-bit CPUs, for instance. You will then need to try compiling them yourself. Only to run into issues with your toolchain being updated and so on (you get the idea). Sometimes compilation needs several GB of RAM which you may not have. Just to name a few problems with reeeeally old hardware.

Indeed it's tricky when you use 32-bit CPU, especially when there are very few 64-bit Intel CPU without Intel ME. Although both Electrum[1] and Bitcoin Core[2] available on Debian repsitory which prevent some headache.

[1] https://packages.debian.org/bookworm/python3-electrum
[2] https://packages.debian.org/sid/bitcoin-qt
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
July 22, 2023, 12:03:28 PM
#45
Hi n0nce
Please, forgive for the question but I'm a bit newbie at this.
Can you name some hardware wallets that are made with both open source software and hardware?
No need to apologize! @dkbit98 maintains a list of open source hardware wallets, with extra notes regarding hardware and reproducibility: [L​I​ST] Open Source Hardware Wallets

As of right now, due to latest changes (September 2022) at Trezor, I would only recommend Foundation Passport; find my (obviously independent, unpaid) honest reviews here:
​​​
To avoid doubts, better use an old computer or a hardware wallet (made with open source software and hardware) Wink
You will be much better off with an open-source, open hardware, airgapped hardware wallet.
I can't believe that nobody is really criticizing this 'old computer' idea. Your 15-16 year old PC will most likely run outdated OS and / or packages, which are much more likely to be exploited than bugs in the CPU.
Some linux distro (such as Debian) works fine with old PC though.
It depends. Depending on how old and how good the machine was at the time, you can get Debian running on it. Choose the right architecture here: https://cdimage.debian.org/cdimage/release/current/

In my personal experience though, sometimes latest versions of packages are not available for 32-bit CPUs, for instance. You will then need to try compiling them yourself. Only to run into issues with your toolchain being updated and so on (you get the idea). Sometimes compilation needs several GB of RAM which you may not have. Just to name a few problems with reeeeally old hardware.

Every case is very individual. If you live in third countries, in small cities or towns, or in poor villages, you can definitely feel very safe in terms of spying.
It is quite unlikely that anyone here is specifically targeted by 'individual' spying; most of it takes place as mass surveillance. Mass surveillance (as the word implies) targets everyone, no matter where you are located.

I'm really afraid that when I buy a very expensive CPU, it may come with another surprise. What if every CPU since 2012 comes with secret nano microphone that doesn't need internet and uses radio frequencies to transmit data? Does it sound sci-fi? Probably, but doesn't mean that I am crazy and out of mind. There is a possibility that what I said is a real threat.
But it's my personal opinion that old CPUs can be safer.
It can be your opinion, but it makes little sense. Although the possibility you keep bringing up can exist, the possibility of an old chip being vulnerable is actually much higher. As mentioned before; outdated OS, outdated kernel, outdated packages, weak PRNG, are just a few known vulnerabilities. Meanwhile the threats you think of are purely hypothetical.
Furthermore, stuff like hidden microphones inside the CPU package would be spotted by anyone opening it up and creating die shots. Which is usually done right after release by some PC enthusiasts every single year.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 22, 2023, 08:02:47 AM
#44
Given the current technical possibilities for surveillence, I think IF a powerful organisation or government does want to spy on someone or a company, they have plenty of tools available.
One tech that comes to mind, which seemed pretty mind boggling to me at the time (already a few years old), is a special video-analyzing software that can be used to analize micro-vibrations on surfaces of objects to reconstruct the sound emitted to create these vibrations.
I guess it depends on the quality of the video, however as technology advances these limitations will also be less and less of an obstacle.
Every case is very individual. If you live in third countries, in small cities or towns, or in poor villages, you can definitely feel very safe in terms of spying. It's very individual, if one knows the undeveloped/developing country well, he/she can manage the situation very well. There are countries where police isn't advanced, lacks knowledge, equipment and athletism and so on.

However, to the best of my knowledge, officially backdoored CPUs don't have (enough) persistent, read- and writeable storage on die to allow for such an attack. Furthermore, anyone with the amount of resources to set up such an attack, usually aims for other goals than stealing some BTC.

If you want to be extra paranoid though, just unplug any other secondary storage before booting Tails and fully turn off the device after creating the seed and remove all power (to flush dynamic memories).
For the maximum level of paranoia, simply never reconnect the hardware to the internet, at all. Keep it as a forever-offline signing-only Tails PC.

To avoid doubts, better use an old computer or a hardware wallet (made with open source software and hardware) Wink
You will be much better off with an open-source, open hardware, airgapped hardware wallet.
I can't believe that nobody is really criticizing this 'old computer' idea. Your 15-16 year old PC will most likely run outdated OS and / or packages, which are much more likely to be exploited than bugs in the CPU.
It's a very different what's official and what's unofficial. I'm really afraid that when I buy a very expensive CPU, it may come with another surprise. What if every CPU since 2012 comes with secret nano microphone that doesn't need internet and uses radio frequencies to transmit data? Does it sound sci-fi? Probably, but doesn't mean that I am crazy and out of mind. There is a possibility that what I said is a real threat.
But it's my personal opinion that old CPUs can be safer. The reason why I think so is that there was a time in technology that the development was more important than spying. Now, things are pretty developed and monetized, it's time to make some powerful things more affordable, spy on people and control them.

I think we need to group together and find a way to stop the governments from doing this to us. They cannot be allowed to permit such spying to be possible in the first place. Laws are supposed to protect our freedoms, not exploit them.

Although I also think that private companies would not want to miss out on customers, if they make such devious devices in the first place. Perhaps the free market will take care of the problem?
You can't imagine how many people like the idea of everything being controlled by the government. There are a lot of people who like the idea of government controlling your messages, transactions, your footsteps, etc. You can't make an independent person out of slave.



For maximum individual cyber security, you have to do a big research and choose a different country to live in. You have to choose a specific country, specific city, specific street, specific neighborhood, change your personality and openness, absolutely everything matters.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
July 22, 2023, 06:07:15 AM
#43
Oops: https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bugs-can-let-hackers-brick-vulnerable-servers/
Quote
Furthermore, the two MegaRAC BMC firmware vulnerabilities disclosed today can be chained with the ones mentioned above.

Specifically, CVE-2022-40258, which involves weak password hashes for Redfish & API, could help attackers crack the administrator passwords for the admin accounts on the BMC chip, making the attack even more straightforward.

Although not 100% related to this, since I do not think most of us are running enterprise servers for ourselves. But, there are some higher end workstations that have the vulnerabilities. However, if you have the hadware management port on your home machine exposed to the internet, you already have other issues....

But still, makes you wonder how many hacks have happened to other places because they had servers like this with the out of band access not secured properly and people got in.

But, in reference to the OP this is not really a back door, just a front door with a really crappy lock on it.

-Dave
legendary
Activity: 2268
Merit: 18748
July 22, 2023, 03:39:06 AM
#42
Your 15-16 year old PC will most likely run outdated OS and / or packages, which are much more likely to be exploited than bugs in the CPU.
The number of bugs which have been discovered in older PRNGs alone makes me never want to do this.

Can you name some hardware wallets that are made with both open source software and hardware?
Passport - https://foundationdevices.com/

They cannot be allowed to permit such spying to be possible in the first place. Laws are supposed to protect our freedoms, not exploit them.
I admire your optimism, but none of that is true. Governments the world over are fully committed to mass surveillance via any and all means available to them. The information which has been leaked regarding these programs is shocking enough, but will be absolutely dwarfed by all the true scope of the surveillance.
legendary
Activity: 2254
Merit: 2003
A Bitcoiner chooses. A slave obeys.
July 21, 2023, 03:28:00 PM
#41
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.
If you are afraid of this, then how about taking your / friend / relative's old PC / laptop to generate a wallet and then use it? It is unlikely that hardware backdoors will be possible on older devices. The problem with the pre-installed OS on these devices is solved simply by reinstalling on a Linux distribution of your choice (You voice Tails OS).

That is, this way you will surely be safe by not buying new devices, in which backdoors can be pre-installed by manufacturers in the OS and hardware parts, such as the processor. Also, save on expensive purchases.


In this case I think that the worry lies in the fact that most people are not working with (or will not be working with- in the near future) PC's or other devices which are old and outdated. We live in a world where software as well as hardware is being constantly updated and renewed.

So your solution of using old devices is not a sustainable one for the future. Which, only goes to show how serious OP sees the problem to be, I would say.

I think we need to group together and find a way to stop the governments from doing this to us. They cannot be allowed to permit such spying to be possible in the first place. Laws are supposed to protect our freedoms, not exploit them.

Although I also think that private companies would not want to miss out on customers, if they make such devious devices in the first place. Perhaps the free market will take care of the problem?
jr. member
Activity: 43
Merit: 5
July 21, 2023, 03:15:04 PM
#40
You will be much better off with an open-source, open hardware, airgapped hardware wallet.
I can't believe that nobody is really criticizing this 'old computer' idea. Your 15-16 year old PC will most likely run outdated OS and / or packages, which are much more likely to be exploited than bugs in the CPU.

Hi n0nce

Please, forgive for the question but I'm a bit newbie at this.

Can you name some hardware wallets that are made with both open source software and hardware?
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
July 21, 2023, 12:25:02 PM
#39
Not something worth worrying about. If your machine is disconnected from the Internet, that's all you need to know. Network cable unplugged and Wi-Fi password not entered.
I believe one risk of hardware backdoors to be aware of is persistent storage; either secondary / mass storage or (if disconnected) theoretically even on-die. This could allow a 'hardware virus' to persistently store a seed phrase that has been created while the machine is booted in a secure, offline environment (e.g. Tails on USB) and then upload it to a server upon reboot into a regular network-attached operating system.

However, to the best of my knowledge, officially backdoored CPUs don't have (enough) persistent, read- and writeable storage on die to allow for such an attack. Furthermore, anyone with the amount of resources to set up such an attack, usually aims for other goals than stealing some BTC.

If you want to be extra paranoid though, just unplug any other secondary storage before booting Tails and fully turn off the device after creating the seed and remove all power (to flush dynamic memories).
For the maximum level of paranoia, simply never reconnect the hardware to the internet, at all. Keep it as a forever-offline signing-only Tails PC.

To avoid doubts, better use an old computer or a hardware wallet (made with open source software and hardware) Wink
You will be much better off with an open-source, open hardware, airgapped hardware wallet.
I can't believe that nobody is really criticizing this 'old computer' idea. Your 15-16 year old PC will most likely run outdated OS and / or packages, which are much more likely to be exploited than bugs in the CPU.
jr. member
Activity: 43
Merit: 5
July 20, 2023, 01:44:35 AM
#38
No wallet or OS is completely safe. Any wallet and pc can be compromised. Regarding the hardware backdoors, I totally believe they exist (we're livin g in the age of surveillance) but the question is if the manufacturers want your Bitcoin or something else?

Some may think this: if they can, they will.

To avoid doubts, better use an airgapped old computer or a hardware wallet (made with open source software and hardware) Wink
legendary
Activity: 2422
Merit: 1191
Privacy Servers. Since 2009.
July 19, 2023, 05:18:21 PM
#37
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.

My question is: if that is the case, how secure would be a wallet that you generate in those devices?

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

thx!

No wallet or OS is completely safe. Any wallet and pc can be compromised. Regarding the hardware backdoors, I totally believe they exist (we're livin g in the age of surveillance) but the question is if the manufacturers want your Bitcoin or something else?
legendary
Activity: 2114
Merit: 1403
Disobey.
July 19, 2023, 03:29:25 PM
#36
Your CPU also has Intel ME though. If people really want to avoid Intel ME and AMD PSP, they need to use Intel CPU before 2008 or AMD CPU before 2013. So it's at least 16 years old PC for Intel and at least 11 years old PC for AMD.
Oh, didn't know about Intel ME and AMD PSP, sorry, a little bit young for that Cheesy

To be completely honest, my main concern is that there can be a spy microphone on modern complex equipment. Otherwise, if we air-gap old 2011's CPU, I think we can feel safe. Or in the worst case, build a special room and block radio waves in that area.
It worth to mention that air-gapping of your device is absolutely more than necessary if you don't hold thousands of bitcoins and aren't someone special.
Given the current technical possibilities for surveillence, I think IF a powerful organisation or government does want to spy on someone or a company, they have plenty of tools available.
One tech that comes to mind, which seemed pretty mind boggling to me at the time (already a few years old), is a special video-analyzing software that can be used to analize micro-vibrations on surfaces of objects to reconstruct the sound emitted to create these vibrations.
I guess it depends on the quality of the video, however as technology advances these limitations will also be less and less of an obstacle.
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
July 17, 2023, 07:55:40 PM
#35
Your CPU also has Intel ME though. If people really want to avoid Intel ME and AMD PSP, they need to use Intel CPU before 2008 or AMD CPU before 2013. So it's at least 16 years old PC for Intel and at least 11 years old PC for AMD.
Oh, didn't know about Intel ME and AMD PSP, sorry, a little bit young for that Cheesy

To be completely honest, my main concern is that there can be a spy microphone on modern complex equipment. Otherwise, if we air-gap old 2011's CPU, I think we can feel safe. Or in the worst case, build a special room and block radio waves in that area.
It worth to mention that air-gapping of your device is absolutely more than necessary if you don't hold thousands of bitcoins and aren't someone special.
The Intel & AMD CPU's don't have ME or PSP 'in them' per se but they *do* have the IO microcode used by the ME/PSP System Management Engines hard wired into the chips. ME/PSP are part of the main motherboard IO controller chip with their own embedded CPU's (ME uses 1 Pentium and 3 486's) running their own micro-OS and as pointed out already since around 2011 the Intel & AMD CPU's require the core functionality of that chip to operate at all.

Now, it's nice that apparently the 'extra bits' outside of CPU/system initialization can be switched off but - it is a lot simpler to use a system with a different CPU. Like um, a RasPi 3B or higher that does NOT contain a System Management Engine like ME/PSP. Hell you can even hack their bootloader code or at least look at it if desired.

When I'm at the RasPi 3B system I use to run my Sidehack USB miner sticks I find browsing and other 'desktop' functions speed to be more than acceptable. It is really amazing how downright snappy an OS can be even on low performance (compared to a modern desktop/laptop) hardware like a RasPi when the OS is not doing a gazillion other things in the background...
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 16, 2023, 07:32:26 AM
#34
Your CPU also has Intel ME though. If people really want to avoid Intel ME and AMD PSP, they need to use Intel CPU before 2008 or AMD CPU before 2013. So it's at least 16 years old PC for Intel and at least 11 years old PC for AMD.
Oh, didn't know about Intel ME and AMD PSP, sorry, a little bit young for that Cheesy

To be completely honest, my main concern is that there can be a spy microphone on modern complex equipment. Otherwise, if we air-gap old 2011's CPU, I think we can feel safe. Or in the worst case, build a special room and block radio waves in that area.
It worth to mention that air-gapping of your device is absolutely more than necessary if you don't hold thousands of bitcoins and aren't someone special.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 16, 2023, 06:46:22 AM
#33
If processor manufacturers are caught with a smoking gun to spy on computer user's activities via ME or AMD counterpart it would be like business suicide. I don't really believe this is happening, but I can't be sure because there's a lot of obscurity involved.

The thing that bugs me more are the intrinsic vulnerabilities that ME have and add to systems. No complex subsystem is free or errors and bugs. Issues with ME have been reported by security researchers in the past and very likely this will continue in the future. The security by obscurity around ME doesn't make security any better, it just hopes to hide things. Good luck with that!

If you're lucky you get a BIOS update which addresses found flaws in ME or AMD counterpart. How often are you lucky? Sigh...
hero member
Activity: 2114
Merit: 603
July 15, 2023, 11:19:23 PM
#32
You really wan to go down this rabbit hole, checkout just what Intel's Management Engine (ME) and AMD's version of it do https://en.wikipedia.org/wiki/Intel_Management_Engine
It's access to system functions is so pervasive that the NSA required an 'off switch' to disable most of its functions for secure hardware... https://web.archive.org/web/20201201175708/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1

Great, you just made me more scared of the technology and the computer from which I am making this post. Literally, I can imagine all the buttons I am pushing right now have an undetectable connection with the IME and every command is going through them. It means Intel knows every bit of me as I am living today.

I just read the document that is quoted by NotFuzzyWarm, and it's excellent explanation of IME can be watching you from their backdoors. If they can control our hardware then they can control anything at their end.

Is there any evidence that they can operate our machines via the internet and remotely without ever letting us know about it? If you read this then it kinda started to give the feeling of the rise of machines. Lolz

Quote
Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.

The reality goes like this . . .

Quote
The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards. The main method used by enthusiasts trying to disable ME is to remove everything "redundant" from the image while maintaining the computer's operability. But this is not so easy, because if built-in PCH code does not find ME modules in the flash memory or detects that they are damaged, the system will not start.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 15, 2023, 06:52:53 AM
#31
--snip--
You need to block radio waves in that area.
--snip--

This part is overkill, unless you're very sure that you're specifically targeted by government or other group which could harm you.
Well, that's definitely overkill but I have seen questions where people were asking for that kind of security, one user was even looking for hardware wallet that would be impossible to be detected by modern and expensive metal detectors.

Computer without Intel ME (or AMD counterpart) is definitely older than 10 years though and not viable in long term. You might want to look for CPU which use RISC-V architecture instead. AFAIK Bitcoin Core and few Linux distro (such as Debian) already support RISC-V. Although take note device which use RISC-V CPU might still use closed-source hardware parts.
Long-term, that's definitely a problem. Btw, at the moment I have Intel Pentium G630 on my old computer, works absolutely fine. But I guess there were way better models available in 2011, so one can easily go with old PC for 5 years and more.
By the way, my approach is to always use as old hardware as possible to protect yourself from hardware backdoors. I just believe that years ago the real motive was to develop things, right now, the real motive is to control things.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
July 15, 2023, 04:24:44 AM
#30
--snip--
You need to block radio waves in that area.
--snip--

This part is overkill, unless you're very sure that you're specifically targeted by government or other group which could harm you.

--snip--
Using old computers can be a good idea (always has been), as you and m2017 said. Nevertheless, I think we should support new open source hardware developments in order to have trustworthy computers in the future.

Thx all for the answers! Wink

Computer without Intel ME (or AMD counterpart) is definitely older than 10 years though and not viable in long term. You might want to look for CPU which use RISC-V architecture instead. AFAIK Bitcoin Core and few Linux distro (such as Debian) already support RISC-V. Although take note device which use RISC-V CPU might still use closed-source hardware parts.
jr. member
Activity: 43
Merit: 5
July 14, 2023, 06:30:33 AM
#29
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.

My question is: if that is the case, how secure would be a wallet that you generate in those devices?

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

thx!
If your hardware, for example, CPU is backdoored, then you can do nothing other than to change it with another hardware. By the way, like you, I'm afraid there is a high chance that modern expensive PCs or Laptops may be backdoored, that's why I prefer to use old device for that purpose.
Along with the air-gapped device, you need to take care of the special environment where you plan to store that computer. You need to block radio waves in that area.
Also, everything depends on where you live. If you live in a country and in a neighborhood where people are in their 40s and don't know how to use tech and kids/teens around you are having fun and rarely know a thing about IT and coding and they only use pc for gaming or gambling, then you can feel more secure.

Using old computers can be a good idea (always has been), as you and m2017 said. Nevertheless, I think we should support new open source hardware developments in order to have trustworthy computers in the future.

Thx all for the answers! Wink
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 14, 2023, 06:03:18 AM
#28
You really wan to go down this rabbit hole, checkout just what Intel's Management Engine (ME) and AMD's version of it do https://en.wikipedia.org/wiki/Intel_Management_Engine
It's access to system functions is so pervasive that the NSA required an 'off switch' to disable most of its functions for secure hardware... https://web.archive.org/web/20201201175708/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1

That's what I was referring to. If that exists (and it seems so), no matter the knowledge you have, or the OS or the encryption you use. They can know what you're doing.

Right now there are devices specifically made for Linux users, focused on privacy. They can be a good option as long as they don't use hardware made by big corporations to make their machines. It would be nice if someone can say that these devices are made using not only free open source software, but open source hardware.

Management Engine has been around for over 15 years... it's not going anywhere anytime soon.

The idea was for office administrators to be able to remotely turn on/off/diagnose computers (and specifically the processors) on the local LAN a la vPro or similar software, but nobody seems to use it now except for spies. Nobody that I know manages computers like that either, especially now that IPMI consoles are so prevalent now.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 14, 2023, 05:33:19 AM
#27
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.

My question is: if that is the case, how secure would be a wallet that you generate in those devices?

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

thx!
If your hardware, for example, CPU is backdoored, then you can do nothing other than to change it with another hardware. By the way, like you, I'm afraid there is a high chance that modern expensive PCs or Laptops may be backdoored, that's why I prefer to use old device for that purpose.
Along with the air-gapped device, you need to take care of the special environment where you plan to store that computer. You need to block radio waves in that area.
Also, everything depends on where you live. If you live in a country and in a neighborhood where people are in their 40s and don't know how to use tech and kids/teens around you are having fun and rarely know a thing about IT and coding and they only use pc for gaming or gambling, then you can feel more secure.
legendary
Activity: 2268
Merit: 18748
July 14, 2023, 04:11:19 AM
#26
What's after that, really? Backdoor for altering the k value in Bitcoin transactions?
It is endless. So you generate your seed phrase using coin flips. Do you manually verify your seed phrase generates the master private key your wallet returns? Do you manually verify every individual private key? Do you manually verify each k value is generated using RFC 6979?

-snip-
It's fairly well known that such companies are constantly spying on you. Google have already been sued for gathering location data from people who had turned off location sharing. All Alexa type devices record everything that is said in their vicinity and transfer it to central servers for analysis and storage. Google, Amazon, Meta, Microsoft, Apple, they are all doing the same stuff. If you are serious about privacy, then you need to avoid them all.
jr. member
Activity: 43
Merit: 5
July 14, 2023, 01:17:29 AM
#25
You really wan to go down this rabbit hole, checkout just what Intel's Management Engine (ME) and AMD's version of it do https://en.wikipedia.org/wiki/Intel_Management_Engine
It's access to system functions is so pervasive that the NSA required an 'off switch' to disable most of its functions for secure hardware... https://web.archive.org/web/20201201175708/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1

That's what I was referring to. If that exists (and it seems so), no matter the knowledge you have, or the OS or the encryption you use. They can know what you're doing.

Right now there are devices specifically made for Linux users, focused on privacy. They can be a good option as long as they don't use hardware made by big corporations to make their machines. It would be nice if someone can say that these devices are made using not only free open source software, but open source hardware.
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
July 13, 2023, 11:51:45 PM
#24
You really wan to go down this rabbit hole, checkout just what Intel's Management Engine (ME) and AMD's version of it do https://en.wikipedia.org/wiki/Intel_Management_Engine
It's access to system functions is so pervasive that the NSA required an 'off switch' to disable most of its functions so they can make secure hardware based on non-custom CPU's... https://web.archive.org/web/20201201175708/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
July 13, 2023, 11:07:31 PM
#23
I could be really off the main topic but does it mean everything Google or Apple like companies do is associated with such type of backdoors? I saw a court filing where CEO of Google was being questioned about the privacy of users. Though I convinced myself that Google is truthful with their users since they ask for the "Consents"from the user and then go for the tracking location, fetching the data, uploading photos and files etc etc. Now recently I have read that Alex from the Amazon is able to make purchases for you from the voice commands. You can ask it to add the items from amazont o your cart and also make the checkout with predefined payment system or balances on the wallet.

It has been studied that all type of devices including our phone, alexa like devices are able to activate the mics now and then to hear what we are saying and tailor the advertisements that way.

Isn't this is already a back door access to the hardware and to our privacy? If we consider this then whatever is being mentioned in the OP can easily happen?

I am just trying to correlate things here.
They aren't backdoor in the sense that they've always existed and the capabilities are always there. It's just a matter of if they want to, they can. The backdoor that we're referring to would be more of the covert ones that are inserted by the manufacturer to compromise the security/privacy which exists more on the hardware rather than the software level.

And yes, to answer your question, it isn't that difficult nor rare.
full member
Activity: 1092
Merit: 227
July 13, 2023, 11:04:42 PM
#22
Totally possible. In fact,  NSA has routinely inserted backdoors into computers and various devices to conduct mass surveillance. As such, it would be very much possible that there is some form of backdoor in devices that you interact with on a daily basis. I think the crux of the issue is whether your Bitcoins would be stolen or your privacy would be compromised in this case.
[...]

I could be really off the main topic but does it mean everything Google or Apple like companies do is associated with such type of backdoors? I saw a court filing where CEO of Google was being questioned about the privacy of users. Though I convinced myself that Google is truthful with their users since they ask for the "Consents"from the user and then go for the tracking location, fetching the data, uploading photos and files etc etc. Now recently I have read that Alex from the Amazon is able to make purchases for you from the voice commands. You can ask it to add the items from amazont o your cart and also make the checkout with predefined payment system or balances on the wallet.

It has been studied that all type of devices including our phone, alexa like devices are able to activate the mics now and then to hear what we are saying and tailor the advertisements that way.

Isn't this is already a back door access to the hardware and to our privacy? If we consider this then whatever is being mentioned in the OP can easily happen?

I am just trying to correlate things here.
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
July 13, 2023, 11:20:22 AM
#21
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.
If you are afraid of this, then how about taking your / friend / relative's old PC / laptop to generate a wallet and then use it? It is unlikely that hardware backdoors will be possible on older devices. The problem with the pre-installed OS on these devices is solved simply by reinstalling on a Linux distribution of your choice (You voice Tails OS).

That is, this way you will surely be safe by not buying new devices, in which backdoors can be pre-installed by manufacturers in the OS and hardware parts, such as the processor. Also, save on expensive purchases.

My question is: if that is the case, how secure would be a wallet that you generate in those devices?
For sure it will not be safe to create a wallet on a device with backdoors.

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

thx!
Perhaps yes, but with a preliminary verification of the Tails OS signature:

https://tails.boum.org/install/linux/index.ru.html#verify

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
July 13, 2023, 11:12:55 AM
#20
If you don't feel confident with using a specific hardware device, consider setting up a multi-sig wallet, as that would mitigate the risk.

If you don't trust the entropy being generated, then use a combination of von Neumann's coin flips, the SHA256 function on Tails, and the BIP39 word list to generate your own entropy and seed phrase manually.
What's after that, really? Backdoor for altering the k value in Bitcoin transactions? It's trivial to verify that the entropy from coin flips creates a certain seed phrase, but it's really hard to do that for every single transaction made by the specific wallet. (Just because there is no standard application for that matter, so you'll have to do it manually, which is difficult)
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 13, 2023, 07:08:39 AM
#19
Such backdoors exist in firmware, not necessarily in hardware, though there is only rumors, that's because these backdoors are being used for big targets like using them to spy on nations military bases, and sensitive locations where secrets exist, they would never use it on populations at random.

Hardware is in fact a big target for backdoors because a vulnerability in hardware cannot be patched without manufacturing a new version. That's how Meltdown (and to some extent Spectre) proliferated. It's just that hardware is a lot harder to bug if you're a bad actor in the supply chain, than firmware, which is pretty hard to notice unless signed firmware images are utilized.
hero member
Activity: 714
Merit: 1298
July 12, 2023, 11:38:16 AM
#18
Nevertheless, in my interaction  with Bitcoin I rely on Passport 2, so, hardware backdoor  is  not  realistic attack vector against me.
How could you tell if there was indeed some backdoor on the hardware in your device?


Noway.

BTW, I have raised the similar concern in one of my topics.

As to Passport 2 . I  rely on its openness regarding both hardware (that assembled from components available virtually at every  corner ) and software. Nevertheless, I have asked them to share "the  p-values (relevant to Passport's TRNG) for each test from NIST suite" to evaluate the degree of randomness produced by their device.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 12, 2023, 11:18:35 AM
#17
It would be safe if it remains airgapped. I do not know if it would be completely safe if you are using USB stick to transfer signed transactions, but It is safe if you are using QR code for that. No information leaves the airgapped device than the signed transaction. Airgapped device means that no internet connection and no other means of interaction that can make the spyware to work out. There has been no wallet that is safer like airgapped devices.

Airgapped and sole communications via QR codes doesn't prevent possibility of leaking of information as has been discussed in this thread: Hardware wallets can steal your seed!

Not everybody buys this attack vector, but to me it is a valid and possible attack vector nonetheless. It is particularly interesting because it would work even airgapped!

The Nonce Covert Channel Attack isn't too exotic and surely a problem with software and hardware wallets that are opaque blackbox closed-source pieces of crap. This attack would make it possible to slowly leak pieces of your seed and bury them in signatures in transactions recorded in the blockchain from such a malicious wallet and you wouldn't even notice it until it is too late. The signing cold wallet could perfectly be offline and airgapped, it would still be able to leak all necesarry data within a certain number of transactions. It might take a while but the attacker has time and can wait. He can put some recognition pattern in the nonce to find his "rigged" transactions. If you're covert enough, likely no one would notice or have you ever checked the randomness of nonces for signatures?
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
July 12, 2023, 09:31:52 AM
#16
Airgapped device means that no internet connection and no other means of interaction that can make the spyware to work out. There has been no wallet that is safer like airgapped devices.

The airgapped device may be safe, but how about the wallet you are using to make transactions. You will need a watch-only wallet for broadcasting any transaction signed on on the airgapped device. If the device that you have the airgapped device is having the spyware, that still only means that you will be affected. The airgapped device is not affect, but the watch-only wallet is affected.

That is why it is good to use open source operating system like Linux.
Not necessarily. Most of the airgapped devices are not sufficiently hardened against sidechannel attack vectors, so in technically, they are definitely not the safest form of cold storage. ColdCard, which I have been using now can offer both and generally hardware wallets are sufficiently safe and fool-proof.

Any software/hardware can suffer from having insufficient entropy and thus there are more steps and precautions (validations, sanitization, etc) to take than to just run your wallet on an airgapped device.
legendary
Activity: 2268
Merit: 18748
July 12, 2023, 08:52:15 AM
#15
Nevertheless, in my interaction  with Bitcoin I rely on Passport 2, so, hardware backdoor  is  not  realistic attack vector against me.
Why not? How could you tell if there was indeed some backdoor on the hardware in your device?

Don't get me wrong - as I said above, I think such attacks are incredibly unlikely and even someone as paranoid as me does not flip coins for every new seed phrase (although I do have some manually generated seed phrases). But if we are talking about hardware backdoors then influencing your entropy is a better backdoor than stealing your private keys or changing your clipboard. It is significantly harder to detect and works regardless of whether the device is airgapped or not.
hero member
Activity: 714
Merit: 1298
July 12, 2023, 07:12:57 AM
#14
Yeah, it would  be safe being installed on  airgapped machine.
If you are think that hardware backdoors are a realistic attack vector against you, then airgapping is not enough as you also need to be concerned about the malicious hardware returning compromised random numbers or entropy and therefore generating weak seed phrases and private keys. It's incredibly unlikely, yes, but if this is in your threat model then you will need to generate your entropy and seed phrase using another method, which is why I mentioned coin flips above.

Agreed, but it would be highly specific backdoor focused on narrow community for which a true randomness  really matters. I think, it is highly unlikely to found such backdoor in computer components from  global manufactures oriented on mass production.

Nevertheless, in my interaction  with Bitcoin I rely on Passport 2, so, hardware backdoor  is  not  realistic attack vector against me.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 12, 2023, 06:24:47 AM
#13
Windows xp is one of the safest operating systems to use in order to avoid getting backdoored!

I hope for your mind's sanity that this is only a joke and frankly it isn't even a good one. Just don't use an OS that was widely used in terms of user percentage AND doesn't receive any fixes anymore, where EOL applies. You can use it offline of course but why would you bother to use M$ Windows crap for that. (Not interested in OS flame wars...)

For crypto I recommend a Linux base as there's less malware attraction to those, compared to M$ Windows. If you like golden caves you can "punish" yourself and your fiat wallet with Apple's ecosystem. Just my opinion, don't take it too seriously, I'm just no Apple fanboy. If you like it, that's your decission, I'm not here to judge.

...
Well said, I'm with you. No need to fuel paranoia. Problem is only that IT noobs have no clue. For them it's better there's no wireless card in their device that could accidently be turned on.
legendary
Activity: 2268
Merit: 18748
July 12, 2023, 06:18:55 AM
#12
Yeah, it would  be safe being installed on  airgapped machine.
If you are think that hardware backdoors are a realistic attack vector against you, then airgapping is not enough as you also need to be concerned about the malicious hardware returning compromised random numbers or entropy and therefore generating weak seed phrases and private keys. It's incredibly unlikely, yes, but if this is in your threat model then you will need to generate your entropy and seed phrase using another method, which is why I mentioned coin flips above.
copper member
Activity: 1330
Merit: 899
🖤😏
July 12, 2023, 05:35:22 AM
#11
Such backdoors exist in firmware, not necessarily in hardware, though there is only rumors, that's because these backdoors are being used for big targets like using them to spy on nations military bases, and sensitive locations where secrets exist, they would never use it on populations at random.

Windows xp is one of the safest operating systems to use in order to avoid getting backdoored!😅
hero member
Activity: 714
Merit: 1298
July 12, 2023, 05:14:05 AM
#10

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.


Yeah, and the irony of the situation is that one can get such hardware backdoors right  off the shelf. One of the latest case is the sell of  millions of GigaByte products with backdoor in firmware.


My question is: if that is the case, how secure would be a wallet that you generate in those devices?

Not secure at all. Potential treats of such backdoor: hijacking of clipboard content, keystrokes catching by keyloggers installed against your will, theft of wallet file, to name only a few.

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

Yeah, it would  be safe being installed on  airgapped machine.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
July 12, 2023, 04:48:53 AM
#9
Not something worth worrying about. If your machine is disconnected from the Internet, that's all you need to know. Network cable unplugged and Wi-Fi password not entered.

That's all you really have to worry about. Yes, in theory it could do something that would have a way to store an old Wi-Fi password that you entered into something else so this mystery device could then connect to the Internet and do something. The odds of that really happening on your average home desktop computer or somewhere between slim and none.

Nobody wants to admit it, but I keep telling people the same thing, I could hand you a totally compromised virus infected PC. And I could hand you a totally clean secure PC. The biggest vulnerability on both of them it's still you. Not all the vulnerabilities on the infected machine.

-Dave

legendary
Activity: 2268
Merit: 18748
July 12, 2023, 04:18:39 AM
#8
Would an electrum wallet that you generate with Tails OS and completely offline be safe?
No wallet or security set up in the world is 100% immune to attacks, but this is about the safest as you can get. You need to ensure that "completely offline" means a dedicated and permanently airgapped device. It should be airgapped at that hardware level, with cards/modules for WiFi, Bluetooth, etc., physically removed from the device. Also make sure you verify Tails before you use it. You can also pull the hard drive entirely and just run from a live CD or USB.

If you don't trust the entropy being generated, then use a combination of von Neumann's coin flips, the SHA256 function on Tails, and the BIP39 word list to generate your own entropy and seed phrase manually.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
July 12, 2023, 02:13:52 AM
#7
Would an electrum wallet that you generate with Tails OS and completely offline be safe?
It would be safe if it remains airgapped. I do not know if it would be completely safe if you are using USB stick to transfer signed transactions, but It is safe if you are using QR code for that. No information leaves the airgapped device than the signed transaction. Airgapped device means that no internet connection and no other means of interaction that can make the spyware to work out. There has been no wallet that is safer like airgapped devices.

The airgapped device may be safe, but how about the wallet you are using to make transactions. You will need a watch-only wallet for broadcasting any transaction signed on on the airgapped device. If the device that you have the airgapped device is having the spyware, that still only means that you will be affected. The airgapped device is not affect, but the watch-only wallet is affected.

That is why it is good to use open source operating system like Linux.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
July 11, 2023, 10:35:24 PM
#6
Totally possible. In fact,  NSA has routinely inserted backdoors into computers and various devices to conduct mass surveillance. As such, it would be very much possible that there is some form of backdoor in devices that you interact with on a daily basis. I think the crux of the issue is whether your Bitcoins would be stolen or your privacy would be compromised in this case.

The answer to that is probably not, and nothing is ever completely safe.

Your hardware can get compromised by an evil maid attack because there is probably not a good way to ensure the integrity of your supply chain and thus it becomes an attack vector. However, keep in mind that most of your hardware wallet and devices are shipped in tamper-proof packaging which helps to mitigate this risk significantly.

If you're using your wallet on a normal air-gapped computer, then the possibility is slim. The entropy of your keys are unlikely to be compromised if you properly verify the installation. An airgap makes it a lot harder for information to be transferred and your keys to be compromised.

In an air-gap, your wallet probably utilizes counter-measures against side-channel attacks which makes it difficult for your keys to be compromised without your knowledge (cold boot attack, signal analysis etc). So it would be difficult as well.

Tl;dr: Is your airgap perfect? No. But the attack vector would be reduced by so much such that it becomes so difficult to compromise your keys such that it probably isn't worth it for any attacker.
copper member
Activity: 1330
Merit: 899
🖤😏
July 11, 2023, 04:32:35 PM
#5
Do you have any factual evidence to back your claim? If this is speculation and imagination/science fiction then no need to think about it, show some real world proof other than youtube video.
member
Activity: 77
Merit: 19
July 11, 2023, 02:59:15 PM
#4
are you sure that you are not connected? depends what kind system you have.

it can be for user not connected, but for system is a idle.

there is no real one answer. depends on whether you believe corporations that they want your good

We live in times of surveillance, both covert and overt
jr. member
Activity: 43
Merit: 5
July 11, 2023, 02:44:12 PM
#3
it can be safe then and only then when :
1. No one has access to your hardware
2. hardware is offline.


if it is online...you know..


Online - I mean Blouetooth, WIFI, LAN, 5G, WIDI, and direct connect.

Few years ago I have read about GPS connection- it can be virused too , and their had "connect". at the time it was weird for me. but now, no. Everything is signal, code.

hi

what if the router is on but you are not connected?

thank u!
member
Activity: 77
Merit: 19
July 11, 2023, 02:29:24 PM
#2
it can be safe then and only then when :
1. No one has access to your hardware
2. hardware is offline.


if it is online...you know..


Online - I mean Blouetooth, WIFI, LAN, 5G, WIDI, and direct connect.

Few years ago I have read about GPS connection- it can be virused too , and their had "connect". at the time it was weird for me. but now, no. Everything is signal, code.
jr. member
Activity: 43
Merit: 5
July 11, 2023, 02:25:54 PM
#1
Hi all!

I've recently seen a video where a hacker holds a conversation about possible hardware backdoors in some pcs and other devices, mainly in the processor but also in more parts. Those backdoors would come with an OS preinstalled that could spy you.

My question is: if that is the case, how secure would be a wallet that you generate in those devices?

Would an electrum wallet that you generate with Tails OS and completely offline be safe?

thx!
Jump to: