https://hackaday.com/2024/03/29/lora-with-no-radio

This hack is pretty wild and nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl is affected as far as I can see. Or does it not enable a previously impossible Evil Maid Attack:

Eve only needs access to the device for seconds to binary-patch the firmware on it. The compromised firmware would send out the seed, encrypted for Eve's receiver that she's hiding anywhere inside the house, while otherwise functioning normally.

Now, when Alice loads her wallet on the compromised SS, it blasts out the keys and the receiver catches it.

Prior to this hack, a companion app could detect exfiltration but now, any companion app is side-stepped completely.

As a fan of nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl's approach, I wish there were a simple mitigation, but maybe there is. Maybe incorporating tinfoil in the casing fixes this. Or a full metal casing, so the maid can't just remove the tinfoil.


Discussion

Couldn’t you put a tamper indicator on the case, so if someone opens up the SeedSigner to install custom software to do this, you would know someone tampered with it by checking the indicator seal?

Well, I guess you could. My perspective is always the average user that is not following this discussion. My project is WalletScrutiny and when reviewing SeedSigner, I took the "no radio" aspect at face value. Hacks like this make me paranoid about the firmware shipping with some LoRa IoT global network leaking the keys while in use.

I do not think that SeedSigner would do something like that, and suspect there might rather be custom hardware wallets that "accidentally" feature much better antennas that later turn out to have been sending seeds for years, but "won't be evil" is just not good enough. I try to find "can't be evil" or whatever gets closest to that.

https://walletscrutiny.com/hardware/seedsigner/

Another solution, though not as simple to implement as a tamper seal or tamper bag, would be to use an actual LoRa device, or any contraption of your own, to transmit on the frequency this uses with a weak signal of random data. Less precisely, you could try to just make enough noise across the frequency range, which would attempt to jam the frequency range this technique would use in the short-range proximity of your SeedSigner or other hardware wallet.

I'm pretty sure RF jammers are illegal in many jurisdictions.

“Honest officer, this isn’t jamming, it’s just accidental interference. How was I supposed to know my maid had put a device in my house that was using this frequency range?”

If the “interfering emissions” are weak enough to disrupt LoRa inside the house and within your property but not impede anyone else’s use, then I think it’s kind of a non-issue even if technically illegal. Alternatively, there are all kinds of retail equipment (LED lightbulbs, battery chargers, electric motors, etc.) that create interference and may not even meet the FCC requirements they are supposed to.