Secure Element in Hardware Wallets - page 2.

ranochigo

legendary

Activity: 2954

Merit: 4158

Quote from: dkbit98 on August 09, 2023, 05:53:11 PM

Oh no, it looks like we are going to see new version ATECC608C version coming out soon (this is just my speculation).
But seriously now, all secure elements have flaws and I think all other secure element chips are more closed and it's much harder to find security flaws in them because of signed NDA crap Tongue

I never heard of anyone having success with exploiting even older ATECC608A chips in hardware wallets, but it's always better to upgrade if possible.

They have: https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Defeating-A-Secure-Element-With-Multiple-Laser-Fault-Injections.pdf.

ATECC608B is still vulnerable in the same fashion. However, it is very difficult to execute and requires specialized equipment and skills with little to no room for error.

Quote from: zherbert on August 09, 2023, 09:01:50 PM

Thank you for sharing this. NVK came after us pretty hard about using the 608a while they were shipping with the 608b, even going as far as pulling our investors and employees aside at conferences to tell them that we are shipping insecure "pwned" hardware.

Interesting. They had an article on how the laser fault injection is not practical and not likely to be exploited and dismissed their reports. Talk about twisting narratives.

zherbert

member

Activity: 58

Merit: 104

Quote from: dkbit98 on August 09, 2023, 05:53:11 PM

Quote from: satscraper on August 09, 2023, 02:24:14 AM

Research published in that paper claims that ATECC608B can still be defeated with the laser beam. What would you say about this?

Oh no, it looks like we are going to see new version ATECC608C version coming out soon (this is just my speculation).
But seriously now, all secure elements have flaws and I think all other secure element chips are more closed and it's much harder to find security flaws in them because of signed NDA crap Tongue

I never heard of anyone having success with exploiting even older ATECC608A chips in hardware wallets, but it's always better to upgrade if possible.

Thank you for sharing this. NVK came after us pretty hard about using the 608a while they were shipping with the 608b, even going as far as pulling our investors and employees aside at conferences to tell them that we are shipping insecure "pwned" hardware.

I've always been very consistent in stating that no chip is perfectly secure, and that the 608b will likely be vulnerable to similar laser-based attacks (eg https://stacker.news/items/85239).

I think the most important thing is to not put all your eggs in one basket – don't rely 100% on a single chip for secure key storage and don't blindly trust an MCU or secure element.

Additionally, these laser based attacks require destroying the hardware wallet and the secure element chip itself, and they require higher-end lab equipment to perform. If you're someone who might be targeted because you're storing large amounts (hundreds of thousands or millions of dollars) of Bitcoin, consider using a passphrase and/or multisig.

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

Quote from: zherbert on August 05, 2023, 01:55:50 PM

Quick update, all Passport units shipping from two weeks ago (and ongoing) now use the Microchip 608b secure element.

Thanks for keeping us up to date with this change.
I updated this information in my table, but it should be noted that most people still use old ATECC608A version.

Quote from: satscraper on August 09, 2023, 02:24:14 AM

Research published in that paper claims that ATECC608B can still be defeated with the laser beam. What would you say about this?

Oh no, it looks like we are going to see new version ATECC608C version coming out soon (this is just my speculation).
But seriously now, all secure elements have flaws and I think all other secure element chips are more closed and it's much harder to find security flaws in them because of signed NDA crap Tongue

I never heard of anyone having success with exploiting even older ATECC608A chips in hardware wallets, but it's always better to upgrade if possible.

satscraper

hero member

Activity: 644

Merit: 1092

Cashback 15%

Quote from: zherbert on August 05, 2023, 01:55:50 PM

Quick update, all Passport units shipping from two weeks ago (and ongoing) now use the Microchip 608b secure element.

Research published in that paper claims that ATECC608B can still be defeated with the laser beam. What would you say about this?

zherbert

member

Activity: 58

Merit: 104

Quick update, all Passport units shipping from two weeks ago (and ongoing) now use the Microchip 608b secure element.

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

New wallet Keystone3 is ready to be released and they have interesting news and changes regarding secure elements.
Unlike in previous version where they didn't want to disclose everything, now they introduced upgraded secure element Microchip ATECC608B.
Same microchip is used in ColdCard Mk4, BitBox and Passport, OneKey, Cypherock X1, Husky are all using older version of this chip ATECC608A that had some security issues.

But this is just first part of the story, as Keystone3 uses additional secure element Maxim DS28S60 that works together with ATECC608B in safeguarding seed phrases.
ATECC608B provides hardware-level security and authorization, and Maxim DS28S60 ensures that trusted platform module is always in place.

Third secure element Maxim MAX32520 is used for securing fingerprint data, so I think this will be used only in Keystone3 Pro version.
Regular Keystone3 wallet will have only two secure elements, and that is perfectly fine if you don't like to use biometrics.

Thanks to this changes Keystone will now be able to store up to three seed phrases with different passwords, so there is no need to reset or have multiple devices anymore.
I think this will push other hardware wallet manufacturers to improve, and they will have hard time competing with Keystone prices.

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

We have very important announcement coming from Coolwallet hardware wallet, they decided to release their firmware and secure element chip as open source!
This was decide after recent ledger wallet debacle incident, and Coolwallet wants to have more transparency with their devices.
Secure element Coolwallet use has EAL6+ security and from my research they are using NXP chips in their devices, but we are waiting for official confirmation.
With slick card format, current prices of $99/$149, and being opensource I think Coolwallet will have lot of new customers soon:

Source blog post:
https://www.coolwallet.io/coolwallet-will-open-source-its-hardware-wallets-secure-element-chip-code/

Thank you ledger Wink

Welsh

staff

Activity: 3248

Merit: 4110

Quote from: m2017 on March 03, 2023, 12:13:58 PM

If you want better prices, then need to wait for discount promotions. It is unlikely that they will underestimate the prices of hardware wallets. Perhaps for old devices that will be discontinued and stocks need to be sold from warehouses.

As long as they're still offering support through patches/updates of their older devices, I can see quite a high demand for devices which aren't too complicated, and don't come at a high price point. Although, if they were to reach end of life, and therefore no longer be supported, I can't see them being used as much. Hopefully, they just go the route of patching/updating all devices when severe issues need to be patched. They don't need to enhance the UI/UX or add functionality of it, they can do that with the newer devices.

Quote from: m2017 on March 03, 2023, 12:13:58 PM

Since testing of the chip will last throughout 2023 (which will most likely be used in a new device), there will be no new announcements for the next couple of years.

2024 announced potentially, and then whenever they're ready to actually sell it.

m2017

legendary

Activity: 1792

Merit: 1296

keep walking, Johnnie

Quote from: SFR10 on March 03, 2023, 02:53:00 AM

Quote from: dkbit98 on March 01, 2023, 04:41:11 PM

and it could reduce price for their devices.

Unfortunately, one of their spokespersons stated "considering that it costs almost the same as the previous one", Trezor doesn't expect it to have an impact on prices.
^{- It seems that at best, they could maintain the current prices.}

Well, at least it will improve security, which is never superfluous and expands trezor's ability to create new devices.

If you want better prices, then need to wait for discount promotions. It is unlikely that they will underestimate the prices of hardware wallets. Perhaps for old devices that will be discontinued and stocks need to be sold from warehouses.

Since testing of the chip will last throughout 2023 (which will most likely be used in a new device), there will be no new announcements for the next couple of years.

SFR10

legendary

Activity: 2968

Merit: 3406

Crypto Swap Exchange

Quote from: dkbit98 on March 01, 2023, 04:41:11 PM

and it could reduce price for their devices.

Unfortunately, one of their spokespersons stated "considering that it costs almost the same as the previous one", Trezor doesn't expect it to have an impact on prices.
^{- It seems that at best, they could maintain the current prices.}

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

More good news coming from Trezor related with microchips they are using.
They started manufacturing their own key component chip wrapper for Trezor model T, that improves security and shortens times for mass production.
I think this is all very important for their new hardware wallet model, that is going to be something special with Tropic01 secure element, and it could reduce price for their devices.
https://bitcoinmagazine.com/business/trezor-controls-its-silicon-chip-supply-chain

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: dkbit98 on February 10, 2023, 03:24:07 PM

Yeah I know the problem was not directly related with secure element in OneKey but it's connection with microprocessor, but there was clear indications that other hardware wallets have similar issues.

That's because so many of them use the same or similar codebase in their open-source projects. If a vulnerability is found in one brand, all the others that used that code (unless already patched) are vulnerable in the same way. That's the beauty and danger of open-source. This time, the problem was discovered by a party with good intentions. Next time it can be by someone with other motives. The applied fix, though, is software-based. The chip is vulnerable to other attack vectors, but badly written and implemented code was the issue with Onekey.

n0nce

hero member

Activity: 882

Merit: 5811

not your keys, not your coins!

Quote from: zherbert on February 14, 2023, 10:30:54 AM

We had the wallet.fail guys do an audit back in 2021. They told us we were the only HWW company they worked with that actually published the audit. https://foundationdevices.com/security/

I remember; I had read that report actually! Maybe worth getting another one now with all the improvements and fixes in place, on the Batch 2 hardware.

These should definitely comfort @dkbit98 a bit, who is super-paranoid about the 608A.. Wink

Quote from: https://foundationdevices.com/wp-content/uploads/2021/05/Q2-2021-Keylabs-Audit-Original.pdf

1.9. Attacks on ATECC608A
After the review, new attacks on the ATECC608A and its usage in the COLDCARD firmware were published. Foundation Devices confirmed that these issues were fixed in the latest Passport firmware.

Quote from: https://foundationdevices.com/wp-content/uploads/2021/05/Q2-2021-Keylabs-Audit-Response.pdf

1.9. Attacks on ATECC608A
This defect was never in the Passport source code.

zherbert

member

Activity: 58

Merit: 104

Quote from: n0nce on February 10, 2023, 06:22:46 PM

Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

You're welcome! You may actually want to get your hardware tested (since this is a hardware security product) by professionals like riscure (although I'm not sure if they do hardware pentesting as a service). They will assess the security and tell you how to improve it & show you where your vulnerabilities are, before an attacker does it and sells that information to threat actors. You can even use a positive test result as a big extra selling point for the Passport.

Although I don't know whether you did that already (and you're obviously not required to disclose that Wink

).

In any case, this talk may also be of interest to your team, while they're at it, because these are ways to improve the security of a potentially glitchable secure element, simply through a software update.
Proving the efficacy of software countermeasures for fault injection

We had the wallet.fail guys do an audit back in 2021. They told us we were the only HWW company they worked with that actually published the audit. https://foundationdevices.com/security/

n0nce

hero member

Activity: 882

Merit: 5811

not your keys, not your coins!

Quote from: zherbert on February 13, 2023, 10:54:40 AM

Quote from: n0nce on February 10, 2023, 06:22:46 PM

Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

Thanks, I've shared the paper with my team!

You're welcome! You may actually want to get your hardware tested (since this is a hardware security product) by professionals like riscure (although I'm not sure if they do hardware pentesting as a service). They will assess the security and tell you how to improve it & show you where your vulnerabilities are, before an attacker does it and sells that information to threat actors. You can even use a positive test result as a big extra selling point for the Passport.

Although I don't know whether you did that already (and you're obviously not required to disclose that Wink

).

In any case, this talk may also be of interest to your team, while they're at it, because these are ways to improve the security of a potentially glitchable secure element, simply through a software update.
Proving the efficacy of software countermeasures for fault injection

zherbert

member

Activity: 58

Merit: 104

Quote from: n0nce on February 10, 2023, 06:22:46 PM

Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

Thanks, I've shared the paper with my team!

n0nce

hero member

Activity: 882

Merit: 5811

not your keys, not your coins!

Quote from: zherbert on February 10, 2023, 11:15:36 AM

I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.

You may want to look into using multiple randomized timings to drastically reduce the success rate of laser fault injections.

I read a bit more about this topic after dkbit's reminder about the attack on the 608A and it seems like delays can be a pretty cheap, yet effective software countermeasure. The idea is that you make it much more difficult for an attacker to hit the exact right timing every time; if they shoot their lasers before or after the desired instruction, it won't have the desired effect. By computing or checking stuff (e.g. hardware flags or PIN code) multiple times instead of once, with random delays in between, an attacker will need to inject multiple faults and hit the timing perfectly on each of them.

If the chance of hitting an instruction once is 0.1%, the probability of doing it twice in a row already falls to 0.01% and so on.

Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

Quote from: zherbert on February 10, 2023, 11:15:36 AM

That's a good idea, I'll see if we can post a blog post summary of the Twitter Space.

Taking transcripts from that audio would be nice.
I listened your conversation today, and I didn't know stuff you guys said about Risc-V chips not being really open source.
I was really surprised that you didn't speak more about upcoming Trezor secure element TROPIC01.

Quote from: zherbert on February 10, 2023, 11:15:36 AM

Regarding OneKey, my understanding is this has nothing to do with the secure element, but instead an issue with their firmware – it seems that they didn't encrypt the traffic between the secure element and processor (lol). The 608a secure element by Microchip is not recommended for new designs, but I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.

Yeah I know the problem was not directly related with secure element in OneKey but it's connection with microprocessor, but there was clear indications that other hardware wallets have similar issues.
As for ATECC608A secure element, it's clear that this is not secure enough chip anymore, their documentation proves that, and it was exploited before.

zherbert

member

Activity: 58

Merit: 104

Quote from: dkbit98 on February 10, 2023, 07:27:52 AM

Quote from: zherbert on February 09, 2023, 07:19:10 PM

Hi all! Wanted to share a Twitter Spaces we at Foundation hosted a few weeks back about secure elements; we dove into some nuances. Check it out: https://twitter.com/FOUNDATIONdvcs/status/1617879545708961792

I will probably listen this talk but since it's one hour long it would be a good idea to have this released as written article somewhere, maybe on your blog page.
Problem I have with Passport hardware wallet is that it is still using outdated secure element ATECC608A, same one that is used in OneKey hardware wallet that was recently hacked by Unciphered.
I don't think chip shortage is such a big issue anymore, so it's probably time to replace it with something better.

That's a good idea, I'll see if we can post a blog post summary of the Twitter Space.

Regarding OneKey, my understanding is this has nothing to do with the secure element, but instead an issue with their firmware – it seems that they didn't encrypt the traffic between the secure element and processor (lol). The 608a secure element by Microchip is not recommended for new designs, but I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.

dkbit98

legendary

Activity: 2212

Merit: 7060

Cashback 15%

Quote from: zherbert on February 09, 2023, 07:19:10 PM

Hi all! Wanted to share a Twitter Spaces we at Foundation hosted a few weeks back about secure elements; we dove into some nuances. Check it out: https://twitter.com/FOUNDATIONdvcs/status/1617879545708961792

I will probably listen this talk but since it's one hour long it would be a good idea to have this released as written article somewhere, maybe on your blog page.
Problem I have with Passport hardware wallet is that it is still using outdated secure element ATECC608A, same one that is used in OneKey hardware wallet that was recently hacked by Unciphered.
I don't think chip shortage is such a big issue anymore, so it's probably time to replace it with something better.

Topic: Secure Element in Hardware Wallets - page 2. (Read 3075 times)