More good news coming from Trezor related with microchips they are using.
They started manufacturing their own key component chip wrapper for Trezor model T, that improves security and shortens times for mass production.
I think this is all very important for their new hardware wallet model, that is going to be something special with Tropic01 secure element, and it could reduce price for their devices.
https://bitcoinmagazine.com/business/trezor-controls-its-silicon-chip-supply-chain
Topic: Secure Element in Hardware Wallets - page 3. (Read 3443 times)
Yeah I know the problem was not directly related with secure element in OneKey but it's connection with microprocessor, but there was clear indications that other hardware wallets have similar issues.
That's because so many of them use the same or similar codebase in their open-source projects. If a vulnerability is found in one brand, all the others that used that code (unless already patched) are vulnerable in the same way. That's the beauty and danger of open-source. This time, the problem was discovered by a party with good intentions. Next time it can be by someone with other motives. The applied fix, though, is software-based. The chip is vulnerable to other attack vectors, but badly written and implemented code was the issue with Onekey. 
We had the wallet.fail guys do an audit back in 2021. They told us we were the only HWW company they worked with that actually published the audit. https://foundationdevices.com/security/
I remember; I had read that report actually! Maybe worth getting another one now with all the improvements and fixes in place, on the Batch 2 hardware.These should definitely comfort @dkbit98 a bit, who is super-paranoid about the 608A..
Quote from: https://foundationdevices.com/wp-content/uploads/2021/05/Q2-2021-Keylabs-Audit-Original.pdf
1.9. Attacks on ATECC608A
After the review, new attacks on the ATECC608A and its usage in the COLDCARD firmware were published. Foundation Devices confirmed that these issues were fixed in the latest Passport firmware.
After the review, new attacks on the ATECC608A and its usage in the COLDCARD firmware were published. Foundation Devices confirmed that these issues were fixed in the latest Passport firmware.
Quote from: https://foundationdevices.com/wp-content/uploads/2021/05/Q2-2021-Keylabs-Audit-Response.pdf
1.9. Attacks on ATECC608A
This defect was never in the Passport source code.
This defect was never in the Passport source code.
Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
You're welcome! You may actually want to get your hardware tested (since this is a hardware security product) by professionals like riscure (although I'm not sure if they do hardware pentesting as a service). They will assess the security and tell you how to improve it & show you where your vulnerabilities are, before an attacker does it and sells that information to threat actors. You can even use a positive test result as a big extra selling point for the Passport.
Although I don't know whether you did that already (and you're obviously not required to disclose that).
In any case, this talk may also be of interest to your team, while they're at it, because these are ways to improve the security of a potentially glitchable secure element, simply through a software update.
Proving the efficacy of software countermeasures for fault injection
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
You're welcome! You may actually want to get your hardware tested (since this is a hardware security product) by professionals like riscure (although I'm not sure if they do hardware pentesting as a service). They will assess the security and tell you how to improve it & show you where your vulnerabilities are, before an attacker does it and sells that information to threat actors. You can even use a positive test result as a big extra selling point for the Passport.
Although I don't know whether you did that already (and you're obviously not required to disclose that
).In any case, this talk may also be of interest to your team, while they're at it, because these are ways to improve the security of a potentially glitchable secure element, simply through a software update.
Proving the efficacy of software countermeasures for fault injection
We had the wallet.fail guys do an audit back in 2021. They told us we were the only HWW company they worked with that actually published the audit. https://foundationdevices.com/security/
Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
Thanks, I've shared the paper with my team! Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
Although I don't know whether you did that already (and you're obviously not required to disclose that
).In any case, this talk may also be of interest to your team, while they're at it, because these are ways to improve the security of a potentially glitchable secure element, simply through a software update.
Proving the efficacy of software countermeasures for fault injection
Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
Thanks, I've shared the paper with my team!
I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.
You may want to look into using multiple randomized timings to drastically reduce the success rate of laser fault injections.I read a bit more about this topic after dkbit's reminder about the attack on the 608A and it seems like delays can be a pretty cheap, yet effective software countermeasure. The idea is that you make it much more difficult for an attacker to hit the exact right timing every time; if they shoot their lasers before or after the desired instruction, it won't have the desired effect. By computing or checking stuff (e.g. hardware flags or PIN code) multiple times instead of once, with random delays in between, an attacker will need to inject multiple faults and hit the timing perfectly on each of them.
If the chance of hitting an instruction once is 0.1%, the probability of doing it twice in a row already falls to 0.01% and so on.
Just an example paper on the topic:
Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks
That's a good idea, I'll see if we can post a blog post summary of the Twitter Space.
Taking transcripts from that audio would be nice.I listened your conversation today, and I didn't know stuff you guys said about Risc-V chips not being really open source.
I was really surprised that you didn't speak more about upcoming Trezor secure element TROPIC01.
Regarding OneKey, my understanding is this has nothing to do with the secure element, but instead an issue with their firmware – it seems that they didn't encrypt the traffic between the secure element and processor (lol). The 608a secure element by Microchip is not recommended for new designs, but I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.
Yeah I know the problem was not directly related with secure element in OneKey but it's connection with microprocessor, but there was clear indications that other hardware wallets have similar issues.As for ATECC608A secure element, it's clear that this is not secure enough chip anymore, their documentation proves that, and it was exploited before.
Hi all! Wanted to share a Twitter Spaces we at Foundation hosted a few weeks back about secure elements; we dove into some nuances. Check it out: https://twitter.com/FOUNDATIONdvcs/status/1617879545708961792
I will probably listen this talk but since it's one hour long it would be a good idea to have this released as written article somewhere, maybe on your blog page.Problem I have with Passport hardware wallet is that it is still using outdated secure element ATECC608A, same one that is used in OneKey hardware wallet that was recently hacked by Unciphered.
I don't think chip shortage is such a big issue anymore, so it's probably time to replace it with something better.
That's a good idea, I'll see if we can post a blog post summary of the Twitter Space.
Regarding OneKey, my understanding is this has nothing to do with the secure element, but instead an issue with their firmware – it seems that they didn't encrypt the traffic between the secure element and processor (lol). The 608a secure element by Microchip is not recommended for new designs, but I am unaware of any attack that doesn't involve a lab + lasers that could pull data out of it. We are of course switching to the 608b for next batch of Passports, but not due to any glaring vulnerability.
Hi all! Wanted to share a Twitter Spaces we at Foundation hosted a few weeks back about secure elements; we dove into some nuances. Check it out: https://twitter.com/FOUNDATIONdvcs/status/1617879545708961792
I will probably listen this talk but since it's one hour long it would be a good idea to have this released as written article somewhere, maybe on your blog page.Problem I have with Passport hardware wallet is that it is still using outdated secure element ATECC608A, same one that is used in OneKey hardware wallet that was recently hacked by Unciphered.
I don't think chip shortage is such a big issue anymore, so it's probably time to replace it with something better.
Hi all! Wanted to share a Twitter Spaces we at Foundation hosted a few weeks back about secure elements; we dove into some nuances. Check it out: https://twitter.com/FOUNDATIONdvcs/status/1617879545708961792
Update and more information about Trezor SatoshiLabs new TROPIC01 secure element.
According to post from Tropic Square CEO Evzen Englberth, design of chips is functional and I they can move to next phase of development.
TROPIC01 is manufactured by UMC in Taiwan, it will be 55nm chip packaged in Malaysia, and final chip will be 4x4mm with Ibex RISCV core.
RISCV means that the chip will be open source and auditable.
It's interesting that Trezor already started working on TROPIC02, complete SoC (System-on-Chip) that will have integrated TROPIC01 and the application processor cores.
https://www.linkedin.com/posts/evzen-englberth_riscv-riscv-riscv-activity-7027210506398507008-V0-j
According to post from Tropic Square CEO Evzen Englberth, design of chips is functional and I they can move to next phase of development.
TROPIC01 is manufactured by UMC in Taiwan, it will be 55nm chip packaged in Malaysia, and final chip will be 4x4mm with Ibex RISCV core.
RISCV means that the chip will be open source and auditable.
It's interesting that Trezor already started working on TROPIC02, complete SoC (System-on-Chip) that will have integrated TROPIC01 and the application processor cores.
https://www.linkedin.com/posts/evzen-englberth_riscv-riscv-riscv-activity-7027210506398507008-V0-j
I previously talked about security issues with some secure elements like ATECC508A that was used in older versions of ColdCard hardware wallets.
That was later been fixed with updated replacement chip model ATECC608A from the same manufacturer, but that was also reported to have some issues.
Manufacturer came up with new model ATECC608B, but some hardware wallets are still using old version ATECC608A including Passport, OneKey, Husky and Cypherock X1.
I am posting here sources that shows why exactly chip ATECC608A is not safe to be used in hardware wallets.
This was presented by Olivier Heriveaux from ledger team and it's called Defeating a Secure Element with Multiple Laser Fault Injections, and they are also working on breaking ATECC608B:
https://www.blackhat.com/us-21/briefings/schedule/index.html#defeating-a-secure-element-with-multiple-laser-fault-injections-23330
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Defeating-A-Secure-Element-With-Multiple-Laser-Fault-Injections.pdf
Same team worked with Karim Abdellatif on breaking Firmware Encryption of ESP32 devices, and we see this was recently found usage in some DIY bitcoin signing devices and Jade hardware wallet, so it is worth mentioning.
https://www.blackhat.com/us-22/briefings/schedule/#unlimited-results-breaking-firmware-encryption-of-esp-v-26345
https://i.blackhat.com/USA-22/Wednesday/US-22-ABDELLATIF-Unlimited-Results-Breaking-Firmware-Encryption.pdf
Video Breaking Firmware Encryption of ESP32-V3:
https://www.youtube.com/watch?v=wfZHQocTsZo
That was later been fixed with updated replacement chip model ATECC608A from the same manufacturer, but that was also reported to have some issues.
Manufacturer came up with new model ATECC608B, but some hardware wallets are still using old version ATECC608A including Passport, OneKey, Husky and Cypherock X1.
I am posting here sources that shows why exactly chip ATECC608A is not safe to be used in hardware wallets.
This was presented by Olivier Heriveaux from ledger team and it's called Defeating a Secure Element with Multiple Laser Fault Injections, and they are also working on breaking ATECC608B:
https://www.blackhat.com/us-21/briefings/schedule/index.html#defeating-a-secure-element-with-multiple-laser-fault-injections-23330
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Defeating-A-Secure-Element-With-Multiple-Laser-Fault-Injections.pdf
Same team worked with Karim Abdellatif on breaking Firmware Encryption of ESP32 devices, and we see this was recently found usage in some DIY bitcoin signing devices and Jade hardware wallet, so it is worth mentioning.
https://www.blackhat.com/us-22/briefings/schedule/#unlimited-results-breaking-firmware-encryption-of-esp-v-26345
https://i.blackhat.com/USA-22/Wednesday/US-22-ABDELLATIF-Unlimited-Results-Breaking-Firmware-Encryption.pdf
Video Breaking Firmware Encryption of ESP32-V3:
https://www.youtube.com/watch?v=wfZHQocTsZo
First list update for new 2023 year is coming for new hardware wallet called Hito, that is currently available for presale.
Hit wallet is open source and information I have is that they are using one microchip with integrated secure storage, so it's different approach compared to all other hardware wallets.
They are using Nordic Semiconductor model nRF5340 first wireless SoC with two Arm Cortex M33 processor that has built in support for Bluewtooth and NFC.
We don't have confirmation for this because Hito hardware wallet was not officially released in public yet.
https://www.nordicsemi.com/products/nrf5340
https://hito.xyz/
Hit wallet is open source and information I have is that they are using one microchip with integrated secure storage, so it's different approach compared to all other hardware wallets.
They are using Nordic Semiconductor model nRF5340 first wireless SoC with two Arm Cortex M33 processor that has built in support for Bluewtooth and NFC.
We don't have confirmation for this because Hito hardware wallet was not officially released in public yet.
https://www.nordicsemi.com/products/nrf5340
https://hito.xyz/
The device does look amazing, though! 
I'd love to try it, but closed source and multi-coin aren't my thing..
It does look great and I wonder how much money they paid Apple designer Tony Fadell, probably a lot, but let's wait and see actual reviews from customers. I'd love to try it, but closed source and multi-coin aren't my thing.. As well as paying big money to get the device featured in music videos and similar. Oh well; I guess we can discuss on a dedicated thread (if you haven't already created it) in case there's more about this to talk about.
The device does look amazing, though! I'd love to try it, but closed source and multi-coin aren't my thing..
It does look great and I wonder how much money they paid Apple designer Tony Fadell, probably a lot, but let's wait and see actual reviews from customers. I'd love to try it, but closed source and multi-coin aren't my thing..I also said that I like they are the first hardware wallet using e-ink display, but device is to expensive for me, and under the hood it's almost the same thing as ledger nono S plus.
Maybe Trezor will make something similar with their new version R, and there is one similar open source wallet OneKey Touch:
https://onekey.so/products/onekey-touch-hardware-wallet/
New hardware wallet Ledger Stax is added to the list with secure element chip ST33K1M5, and it has EAL5+ certification.
This is newer model of STMicroelectronics chips that ledger is using in all of their devices, it is high speed MCU with 32-bit Arm Cortex-M35P CPU, and ledger is using this exact secure element in their S plus model, so nothing new to see here.
We still don't know what microcontroller model ledger is using in Stax, but I am sure it's something from STM32 family of chips.
It should also be mentioned that this secure element is totally closed source, and ledger have signed NDA with them.
The device does look amazing, though! This is newer model of STMicroelectronics chips that ledger is using in all of their devices, it is high speed MCU with 32-bit Arm Cortex-M35P CPU, and ledger is using this exact secure element in their S plus model, so nothing new to see here.
We still don't know what microcontroller model ledger is using in Stax, but I am sure it's something from STM32 family of chips.
It should also be mentioned that this secure element is totally closed source, and ledger have signed NDA with them.
I'd love to try it, but closed source and multi-coin aren't my thing..Big news coming from Tretor and Tropic Square, they finally received first TROPIC01 chip prototypes and they released first picture of them!
Something big is coming soon, while others (read ledger) are making same old junk in new shiny packaging
https://nitter.weiler.rocks/tropicsquare/status/1600469041432313857#m
Great news! This one might get a n0nce review. Something big is coming soon, while others (read ledger) are making same old junk in new shiny packaging
https://nitter.weiler.rocks/tropicsquare/status/1600469041432313857#m
One good thing after US semiconductor sanctions is that we are facing big push for open source RISC-V chip architecture, that is ironically first conceived in US, Berkeley, in 2010.
Chinese government and private sector (probably other countries under sanctions) are now all working together to avoid US sanctions, and they are indirectly helping production of open source chips.
RISC-V chips could soon be real competition for Intel and AMD chips, and we could see fully open source devices soon, both hardware and software, and this could be used for hardware wallets in future.
Trezor is working on new generation wallet with their new TROPIC01 chip, but they could face competition from China soon.
It'0s not directly related to hardware wallets, but you can read full article below:
https://asiatimes.com/2022/12/open-source-ic-architecture-taking-off-in-china/
Chinese government and private sector (probably other countries under sanctions) are now all working together to avoid US sanctions, and they are indirectly helping production of open source chips.
RISC-V chips could soon be real competition for Intel and AMD chips, and we could see fully open source devices soon, both hardware and software, and this could be used for hardware wallets in future.
Trezor is working on new generation wallet with their new TROPIC01 chip, but they could face competition from China soon.
It'0s not directly related to hardware wallets, but you can read full article below:
https://asiatimes.com/2022/12/open-source-ic-architecture-taking-off-in-china/
New hardware wallet Ledger Stax is added to the list with secure element chip ST33K1M5, and it has EAL5+ certification.
This is newer model of STMicroelectronics chips that ledger is using in all of their devices, it is high speed MCU with 32-bit Arm Cortex-M35P CPU, and ledger is using this exact secure element in their S plus model, so nothing new to see here.
We still don't know what microcontroller model ledger is using in Stax, but I am sure it's something from STM32 family of chips.
It should also be mentioned that this secure element is totally closed source, and ledger have signed NDA with them.
EDIT:
Big news coming from Tretor and Tropic Square, they finally received first TROPIC01 chip prototypes and they released first picture of them!
Something big is coming soon, while others (read ledger) are making same old junk in new shiny packaging
https://nitter.weiler.rocks/tropicsquare/status/1600469041432313857#m
This is newer model of STMicroelectronics chips that ledger is using in all of their devices, it is high speed MCU with 32-bit Arm Cortex-M35P CPU, and ledger is using this exact secure element in their S plus model, so nothing new to see here.
We still don't know what microcontroller model ledger is using in Stax, but I am sure it's something from STM32 family of chips.
It should also be mentioned that this secure element is totally closed source, and ledger have signed NDA with them.
EDIT:
Big news coming from Tretor and Tropic Square, they finally received first TROPIC01 chip prototypes and they released first picture of them!
Something big is coming soon, while others (read ledger) are making same old junk in new shiny packaging
https://nitter.weiler.rocks/tropicsquare/status/1600469041432313857#m
Cypherock X1 hardware wallet is added to the list with full transparent information about secure elements and microntrollers.
This device is certified with EAL5+ certification, and it using one secure element for main device ATECC608A, and second secure element NXP JCOP3 is used in cards you receive in package with device.
Cypherock is using same outdated secure element like some other hardware wallets like ColdCard Mk3, Passport, OneKey Mini and Husky HDW20.
It's currently harder to find new chip version ATECC608B, but they should make replacement as soon as possible.
This device is certified with EAL5+ certification, and it using one secure element for main device ATECC608A, and second secure element NXP JCOP3 is used in cards you receive in package with device.
Cypherock is using same outdated secure element like some other hardware wallets like ColdCard Mk3, Passport, OneKey Mini and Husky HDW20.
It's currently harder to find new chip version ATECC608B, but they should make replacement as soon as possible.
Jump to: