Topic: what risks are there to blockstream jade web portal firmware update? (Read 116 times)

legendary
Activity: 3374
Merit: 3095
BTC price road to $80k
I don't think there's a risk in updating your Jade unit from their web portal firmware update unless you are accessing a phishing site, but the site you posted above is the right website.

About the web portal, I think it is safe because all it does is an OTA update; it is a signed firmware, and it first verifies whether the OTA firmware is signed. If not, it would likely be rejected.

Quote
NOTE: Blockstream Jade units will only run firmware signed by Blockstream, therefore it is not possible to build and flash the firmware on a 'diy' basis. The signed firmware must be downloaded from Blockstream servers, and can only be updated using the 'OTA' function of the currently installed firmware.

If you are afraid of using the portal since the web portal doesn't show anything once you update the unit, the 3rd option from the guide is the best option; then verify its signature to check the authenticity.

And take note: Jade units don't have a secure element, so it's not as safe as other hardware wallets.
legendary
Activity: 2212
Merit: 7064
Firmware updates can be a weak link for any device, but human mistakes are what usually happen, with users clicking a link on phishing websites.
You can always verify Jade firmware on their GitHub page; this can't easily be hijacked with malicious code:
https://github.com/Blockstream/Jade
hero member
Activity: 1554
Merit: 880
pxzone.online
Very helpful thank you very much. I'll take these actions in the coming days as soon as I get a chance.
You are very welcome, bud. Let us know here (in this thread) if it works, or what stuff you are confused with, so I can clear it up and provide a solution.

Edit: I saw you already made a reply while I was replying.

...
Which appears to be successful:
..

Can you please let me know if I've missed anything?
Yes, this is all of it to verify that the app came from the legit sources. It will show "failed" if not.
newbie
Activity: 24
Merit: 1
Can I trouble you to review my work?

Thus far, I have executed the CMD operation and have the following result:

https://ibb.co/DpyFtpX

I believe I've successfully carried out this step:

Quote
- Open Kleopatra (Gpg4win), check all the certificates, and you can see "GreenAddress Team [email protected]". You can see that the Key ID is the same as on the Blockstream page[1]; right click and "Certify".

And see this result which appears to be a successful verification:

https://ibb.co/9GP5ZnM

I also carried out this step:

Quote
right click and "Certify"

I selected "Certify" and inputted my name and email address, ultimately obtaining this result:

https://ibb.co/LSb86hk

I then selected "Certify" in this modal:

https://ibb.co/9GVHBRP

Which reports to be successful:

https://ibb.co/ZBZMD0d

I had already downloaded Green and the SHA256SUMS.asc file a few days ago as seen here:

https://ibb.co/F8CwDwy

I was able to carry out this operation:

Quote
- Open Kleopatra, "Decrypt/Verify" and choose the "SHA256SUMS.asc" signature; a success message will show about the signature if valid, like this

Which appears to be successful:

https://ibb.co/gvR0PMj

Can you please let me know if I've missed anything?
newbie
Activity: 24
Merit: 1
Very helpful thank you very much. I'll take these actions in the coming days as soon as I get a chance.
hero member
Activity: 1554
Merit: 880
pxzone.online
Wondering what possible risks there are aside from those which are internal to blockstream itself when using this tool here:

https://jadefw.blockstream.com/upgrade/fwupgrade.html

For example, is there a way for a bad actor to somehow fake this web address and cause users who are on this page:

https://help.blockstream.com/hc/en-us/articles/4408030503577-Upgrade-Jade-firmware

to be directed to a page that is supposed to be the genuine update page here:

...
Additionally, what are the best practices to determine the authenticity of this page in the first place?
Your crazy thoughts are possible: there are several ways to lure users into a fake web page, as well as malware injected into the hacker's URL.

Your only way to trust it is to verify the file you have downloaded.

To verify your Blockstream downloads, whether iOS/Android/desktop, follow these steps.
- If you're using Windows, go to the terminal (CMD) and paste the command below, which can be seen on this Blockstream page[1]
Code:
gpg --keyserver keyserver.ubuntu.com --recv-keys "04BE BF2E 35A2 AF2F FDF1 FA5D E7F0 54AA 2E76 E792"
- Open Kleopatra (Gpg4win), check all the certificates, and you can see "GreenAddress Team [email protected]". You can see that the Key ID is the same as on the Blockstream page[1]; right click and "Certify".
- Download the file you want from this page[1], whether iOS/Android/desktop; make sure you are in the correct repository "https://github.com/Blockstream"
- On their current release, say for the Android app[2], there's an .asc file, SHA256SUMS.asc; download it together with the app
- Open Kleopatra, "Decrypt/Verify" and choose the "SHA256SUMS.asc" signature; a success message will show about the signature if valid, like this

Quote
SHA256SUMS.asc → SHA256SUMS:  Show audit log
Valid signature by [email protected]

Signature created on {datetime}
With certificate:
GreenAddress Team <[email protected]> (E7F0 54AA 2E76 E792)
The signature is valid and the certificate's validity is fully trusted.

and of course a failure message will show if the signature is fake.
 
[1] https://help.blockstream.com/hc/en-us/articles/900002174043-How-do-I-verify-the-Blockstream-Green-binaries
[2] https://github.com/Blockstream/green_android/releases/tag/release_4.0.33

Hope this helps :)
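The Kleopatra steps above establish that SHA256SUMS.asc carries a valid signature from the key whose fingerprint the thread quotes (E7F0 54AA 2E76 E792); the signed list then still has to be compared against the file actually downloaded. This added example, which is not from the thread or from Blockstream, does that second comparison in Python, assuming the SHA256SUMS text has already been extracted after a successful signature check; the file names and hashes in demo() are constructed.

```python
import hashlib
import hmac
import os
import string
import tempfile

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>' or '<64 hex> *<name>') into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in string.hexdigits for c in parts[0]):
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()   # '*' marks binary mode in GNU coreutils
    return expected

def sha256_of_file(path):
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(path, sums_text):
    """Compare the downloaded file with the signed list (sums_text must come from a verified SHA256SUMS.asc)."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"        # a file the signed list never mentions is not covered by the signature at all
    actual = sha256_of_file(path)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"

def demo():
    """Constructed sample: an empty 'app' file, whose SHA-256 is the well-known e3b0c442... digest."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "green_sample.apk")     # hypothetical file name, not a real release
        open(app, "wb").close()
        good = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  green_sample.apk\n"
        bad = "00" * 32 + "  green_sample.apk\n"          # constructed wrong digest: tampered download
        other = "ab" * 32 + "  other_file.apk\n"          # constructed list that omits our file
        return check_download(app, good), check_download(app, bad), check_download(app, other)
```

Only "ok" means the download matches what Blockstream signed; "unlisted" is just as much a stop signal as "mismatch".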
newbie
Activity: 24
Merit: 1
Wondering what possible risks there are aside from those which are internal to blockstream itself when using this tool here:

https://jadefw.blockstream.com/upgrade/fwupgrade.html

For example, is there a way for a bad actor to somehow fake this web address and cause users who are on this page:

https://help.blockstream.com/hc/en-us/articles/4408030503577-Upgrade-Jade-firmware

to be directed to a page that is supposed to be the genuine update page here:

https://jadefw.blockstream.com/upgrade/fwupgrade.html

but rather is a malicious page that will inject malicious firmware code into the hardware unit?

Additionally, what are the best practices to determine the authenticity of this page in the first place?

https://help.blockstream.com/hc/en-us/articles/4408030503577-Upgrade-Jade-firmware

Would it be sufficient to contact Jade support and ask for confirmation this is the correct and authentic web address?

I ask all of this because the instructions here on verifying the download for Green do not provide enough detail for me to carry out a verification operation:

https://help.blockstream.com/hc/en-us/articles/900002174043-How-do-I-verify-the-Blockstream-Green-binaries

I tried downloading gpg4win and following instructions found in a video by BTC Sessions, but there are 2 files in the video that are not included in the release from Blockstream, so I don't know how to proceed.

I've asked Blockstream for more detailed instructions, but haven't heard back yet since asking over 48 hours ago.

Any guidance is much appreciated!
