Research and responsible disclosures are important and appreciated, but nothing fundamentally novel here -- as with previously demonstrated exfiltration attacks, this requires running a modified version of our software with malicious code inserted. Trade-offs, all the way down. nostr:note1ra4j0uct37w8ntapl90x0jvt0nl3axxxf25h4plr6guzp69zujfqjgk7md
Discussion
How do we manage to achieve what Matt corallo is promoting, what bitbox calls "anti klepto".
This is possible but would require a second round trip of QR codes to check the signatures. There are no wallet coordinators that support this, so there would need to be at least one before it would make any sense to consider implementing. You can view a video here that demonstrates how to verify your signer produces signatures consistent with Sparrow and bitcoin core:
The real question is if there is a way to modify the code with out having physical access to the sd card tho right???
That or forcing you to download malicious firmware.
Phishing attack but with firmware.
Any idea on how possible it is to attack sd cards radio frequencies? I tried to look it up for a couple of hours and didn’t find anything.
What do you think about the mitigation techniques?
I guess the wallet app could require the hw wallet to calculate the nonces from some randomness provided by both the wallet app and the hw wallet.
(If both your computer and your hw wallet were compromised, you’re doomed anyway…).