they stole your oracle server

what now?

Discussion

I mean, ya, stealing a hardware wallet AND also the oracle server is obviously a SHTF scenario. But that's also not a hurdle (stealing an external server) an attacker would need to go through for hardware wallets using a secure element. There are trade-offs for everything when it comes to security. Finding the balance for your own personal use case and risk tolerance is important.

For a secure element they would need to break the secure element

Agreed, but with the hardware wallet in hand they have all they need to do so.

That doesn’t matter either.

It’s simple: how hard is it to reach the end result. And HWWs are way harder.

It does matter. If the attacker doesn't have access to the blind oracle server (it was taken offline/deleted) then it could be argued that a HWW with a secure element intact would be the easier target than the Jade HWW without a corresponding blind oracle. Since what would be needed to perform an attack is in hand with the secure element HWW versus the now deleted blind oracle with the Jade.

Obviously this would depend upon knowing that your Jade was stolen to begin with, so that you could respond in kind by deleting your blind oracle server.

But my argument wasn't that one is better than the other as often in security it isn't so black and white. I was merely presenting a specific attack path where having a separate blind oracle could present a more difficult challenge than a secure element.

If people set up their own oracle that they can take down, they could also use a mixed oracle/SE mode on a SE HWW

For sure. There are always more security layers you can add.

You could also have a BIP-39 passphrase and destroy it

Only the oracle server? (not the Jade too?). Then you just make a new oracle server from your backups.

They stole the Jade as well.

The question is, after they get your device, how long does it take to get in?

that is why I really love the concept of stateless signers

I think the Jade Plus can be used as a stateless signer with the seed QRs.

yes and that is how I would use it

Good question. I would assume that it would be instant if they also have the oracle server.

My thinking is the odds of: stealing the Jade and hacking the oracle server versus the odds of hacking a secure element.

Not to mention (well, I guess I'm mentioning) the risks of a supply chain attack for the secure elements. I pretty much assume that's already been done since we saw what happened in Lebanon with the pagers, radios, etc. Supply chain attacks are not as far fetched as we might want to think.

Secure elements are closed-hardware and require NDAs. Not feeling good about that at all.

And at this point, secure elements are securing crazy amounts of money. So the temptation must be off the scale.

To start, as both disclosure and a background, I have signed a mutual NDA with a large company that makes SEs. This does *not* include a non-disparagement clause, and what is covered by NDA is technical documentation.

> Not to mention (well, I guess I'm mentioning) the risks of a supply chain attack for the secure elements.

This depends on the secure element. The company that I work with, and many other reputable vendors, have strong countermeasures against supply chain attacks:

- Each chip gets a unique key to identify it, that proves it is genuine

- Production of chips is tightly monitored

- Sensitive key material is stored in dedicated hardware only

and so on.

Cheap SEs, like the ATECC series, to my knowledge do not do this.

> And at this point, secure elements are securing crazy amounts of money. So the temptation must be off the scale.

It has always been, even before Bitcoin. Passports, credit cards, other digital signature systems, etc.

And yet, there are few attacks discovered in high-quality SEs. Almost none apply to real-world scenarios.

> Secure elements are closed-hardware

That is true. But the off-the-shelf MCUs are also closed hardware. Everything is closed hardware. Unfortunately, due to how the IC industry works, building a chip requires proprietary IP, and any company that gives it away is shooting themselves in the foot, really.

Economic incentives are very real, while the amount of protection open sourcing an SE provides is not. (How do you verify the chip you got equals the open source design?)

> Secure elements ... require NDAs

This will change.
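The "unique key that proves it is genuine" item in the list above is the one part of those countermeasures a host can actually check for itself. As an added illustration (not the vendor's or any project's scheme, and not code from this thread), this Go program shows the generic challenge-response pattern that item implies: at production the manufacturer certifies each chip's public key, and later the host verifies a fresh nonce signed by that chip-resident key. The names (ManufacturerCA, Provision, VerifyGenuine), the chip ID "chip-0001", the digest labels and the choice of P-256 are all assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ManufacturerCA holds the key the vendor uses on the production line to certify chips.
type ManufacturerCA struct{ key *ecdsa.PrivateKey }

// DeviceCert binds a chip ID to its public key under the manufacturer's signature.
// Everything in it is public; the matching private key stays inside the chip.
type DeviceCert struct {
	ID  string
	Pub *ecdsa.PublicKey
	Sig []byte // ASN.1 ECDSA signature by the manufacturer over certDigest(ID, Pub)
}

// Device is a hypothetical model of a chip with a per-chip key that never leaves it.
type Device struct {
	priv *ecdsa.PrivateKey
	Cert DeviceCert
}

// certDigest is what the manufacturer signs: a domain label, the ID and the public point.
func certDigest(id string, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("device-cert-v1|" + id + "|"))
	h.Write(pub.X.FillBytes(make([]byte, 32)))
	h.Write(pub.Y.FillBytes(make([]byte, 32)))
	return h.Sum(nil)
}

// responseDigest is what the chip signs: a different label, its ID and the host's nonce.
func responseDigest(id string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("device-auth-v1|" + id + "|"))
	h.Write(nonce)
	return h.Sum(nil)
}

func NewManufacturerCA() (*ManufacturerCA, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManufacturerCA{key: k}, nil
}

// Provision models the production step: the chip generates its own key pair and the
// manufacturer signs a certificate over the public half.
func (ca *ManufacturerCA) Provision(id string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, ca.key, certDigest(id, &k.PublicKey))
	if err != nil {
		return nil, err
	}
	return &Device{priv: k, Cert: DeviceCert{ID: id, Pub: &k.PublicKey, Sig: sig}}, nil
}

// Respond signs a host-chosen nonce with the chip's private key.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, responseDigest(d.Cert.ID, nonce))
}

// VerifyGenuine is the host-side check: the certificate must be signed by the
// manufacturer, and the response must verify under the certified key for a nonce
// the host generated itself (a fresh nonce is what defeats replaying an old response).
func VerifyGenuine(caPub *ecdsa.PublicKey, cert DeviceCert, nonce, resp []byte) error {
	if !ecdsa.VerifyASN1(caPub, certDigest(cert.ID, cert.Pub), cert.Sig) {
		return errors.New("certificate was not issued by the manufacturer")
	}
	if !ecdsa.VerifyASN1(cert.Pub, responseDigest(cert.ID, nonce), resp) {
		return errors.New("response not signed by the certified device key")
	}
	return nil
}

// Scenario reports whether the host accepts: a genuine chip; a clone that copied the
// public certificate but not the private key; a chip certified by someone else's CA.
func Scenario() (genuine, clone, foreignCA bool, err error) {
	ca, err := NewManufacturerCA()
	if err != nil { return }
	dev, err := ca.Provision("chip-0001") // constructed ID for the example
	if err != nil { return }
	nonce := make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil { return }
	resp, err := dev.Respond(nonce)
	if err != nil { return }
	genuine = VerifyGenuine(&ca.key.PublicKey, dev.Cert, nonce, resp) == nil

	cloneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // clone's own key
	if err != nil { return }
	cloneResp, err := ecdsa.SignASN1(rand.Reader, cloneKey, responseDigest(dev.Cert.ID, nonce))
	if err != nil { return }
	clone = VerifyGenuine(&ca.key.PublicKey, dev.Cert, nonce, cloneResp) == nil

	otherCA, err := NewManufacturerCA() // self-consistent device, wrong issuer
	if err != nil { return }
	fake, err := otherCA.Provision("chip-0001")
	if err != nil { return }
	fakeResp, err := fake.Respond(nonce)
	if err != nil { return }
	foreignCA = VerifyGenuine(&ca.key.PublicKey, fake.Cert, nonce, fakeResp) == nil
	return
}

func main() {
	g, c, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, key-less clone: %v, foreign-CA device: %v\n", g, c, f)
}
```

What this check does and does not cover matches the thread's disagreement: it lets a host reject parts that were swapped or cloned somewhere between the vendor and the user, but it says nothing about what the vendor itself put on the die, which is the "closed hardware, trust the vendor" point raised later in the discussion.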

My problem with the NDA being necessary to view the technical documentation is that there'll be even less eyes on the design. How many can double-check that there are no bugs?

It's true that for an off-the-shelf MCU, we're trusting the vendor. One of the things that I like about Jade is that since they're using off the shelf MCUs with open source software, we can DIY build one. Granted, probably not too many people do that.

Passports, credit cards, etc., and secure elements: there's no do-over in btc whereas it's not too hard to do a do-over in the fiat and KYC world.

Jade Plus also offers a stateless signer option (if you can trust that the hardware really doesn't keep anything when it shouldn't).

So overall, can I assume that you prefer the odds of a secure element being hacked compared to the odds of both a Jade being stolen and the oracle server being compromised?

> There’ll be less eyes on the design

Same issue with MCUs, really. Anyway, large SE companies conduct their own testing *and* rigorous independent certifications. (semi-formal validation)

Not sure you can reach that level even if you open source, because the majority of the security is in the physical design, and so physical attack tests. And not the logic.

I have also significantly reviewed the design of the SE I am using.

> There’s no do over in BTC but there is in the fiat world

In the end, there is still damage. Fake digital signatures can be as damaging as blindly signing contracts. Credit card fraud can lead to millions lost for banks.

In the end, *someone* is losing something from it being insecure, and so they have a strong incentive to ensure they buy secure products.

> we can DIY build one

But does anyone? Or do we rely on the manufacturer and Espressif to solely deliver a correct product?

What if the boot ROM on the MCU logs your seed to a hidden area on the chip?

Those are all good points.

But that just leads me back to the basics: do we have better odds with a Jade without secure element but where both the Jade and the oracle server have to be compromised, or do we have better odds relying only on a secure element?

But, I must admit that hardware wallets are probably not the best choice for really huge amounts. I remember reading Greg Maxwell saying he preferred an offline computer (probably with a live-dvd, I assume).

For large amounts it's always multisig

Also, I think quality SEs are better. But low quality ones are significantly worse

Multisig: that's debatable. I remember Francis Pouliot writing this a couple years ago, on Twitter:

"Having a strong BIP39 passphrase and redundant backups is superior to a multisig for security, accessibility and loss prevention. I can't imagine the stress of multisig as a personal solution. No wonder people pay 3rd parties to hold their multisig keys!"

Francis has been in bitcoin for a long while and has been involved in customer-facing businesses (btc businesses) for about as long (the Bitcoin Embassy in MTL and then bullbitcoin.com).

I remember even Electrum (older version) messing up the multisig setup so badly that Electrum couldn't access the funds put in that multisig. And Electrum is a very OG project.