There is a easy way to prevent this type of attack. Just remove the sd-card after booting the device.
I wanted to find out how hard it is to manipulate the @SeedSigner
. It was easy as expected. Never give it out of hand! Simple swap to a manipulated sd-card and it logs your seed to it. Later the attacker can collect the sd-card and get your seed words.
Total lines added to the code are six.
Needless to say, it writes the seed also to sd-card if you scan your backup seed.
Discussion
#[3]β #[4]β this looks like a great reason to implement that feature where the option screen wonβt fully boot up until after the SD card is removed.
#[2]β that you for the experimentation. Iβm a big fan of the #[3]β project and am grateful to white hat hackers like yourself that help to harden the device.
Just had a PR for a notification reminder at startup. Some may want to leave the card in to set or adjust persistent settings, but a reminder is a good idea.
At startup is good but in case someone, as you pointed out, wants to adjust persistent settings, having the reminder appear before any create new seed or scan new seed action would be preferable right?
Tricky UI issues because we have a unified scanning mechanism. Perhaps a one-time reminder before any scanning is done, or before any keygen routine is initiated. We'll have to think on the best way, but some kind of reminder mechanism makes sense.