They bothered to implement anti-exfil (provably random nonces). This means that a malicious firmware or even malicious hardware wallet can’t steal your coin! For every other hardware wallet, you’re blindly trusting Amazon/UPS/five factories in China/the webserver you got the firmware from/etc/etc. The idea that none of these parties have anyone working there who might want to go steal people’s coin is absurd, frankly.
Discussion
I think this is also a good time to bring this up. It's possible for Nunchuk and Coinkite to have malicious actors in their supply chain. They could collaborate and compromise someone's Tapsigner.
Anyone in the supply chain with access to the Tapsigner can take a photo of the back of it. Someone with access to Nunchuk's server can get a copy of the encrypted backup.
Gotcha, sounds like that should be common practice.
More on that in their blog:
Anti-Klepto protocol
To solve this, Shift Crypto and Blockstream developed Anti-Klepto. Instead of solely relying on the randomness that the hardware wallet provides for the nonce, additional randomness is provided by the host device. This prevents the hardware wallet firmware from manipulating the nonce in a way so that it contains hidden data.
https://bitbox.swiss/blog/how-almost-all-hardware-wallets-can-steal-your-seed/
will implement this soon.
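The Anti-Klepto exchange quoted from the blog above, worked through as an added example (this is not code from the blog post, from Shift Crypto/Blockstream, or from any of the wallets discussed; it is a deliberately simplified model of the protocol). The host commits to its own randomness, the device commits to its nonce point before it learns that randomness, and the host then checks that the final signature's nonce is exactly the device's committed nonce tweaked by the host's value. The curve arithmetic is a plain-Python secp256k1, the nonce derivation is a simplified RFC 6979-style hash rather than the tagged hashes the real protocol uses, and the private key and transaction digest are constructed test values:

```python
import hashlib
import secrets

# secp256k1 domain parameters (real curve constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ser(pt):
    """33-byte compressed point encoding."""
    return (b"\x02" if pt[1] % 2 == 0 else b"\x03") + pt[0].to_bytes(32, "big")

def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def ecdsa_sign(d, z, k):
    R = ec_mul(k)
    r = R[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def ecdsa_verify(Q, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(z * w % N), ec_mul(r * w % N, Q))
    return R is not None and R[0] % N == r

class HardwareWallet:
    """Signer side. honest=False models firmware that ignores the host's randomness."""
    def __init__(self, d, honest=True):
        self.d, self.honest = d, honest

    def pubkey(self):
        return ec_mul(self.d)

    def commit_nonce(self, z, host_commitment):
        # Step 2: k0 depends on key, message AND the host's commitment, so the
        # device cannot pick k0 after it learns rho (simplified RFC 6979 style).
        self.z, self.commitment = z, host_commitment
        self.k0 = h_int(self.d.to_bytes(32, "big"), z.to_bytes(32, "big"), host_commitment) % N
        self.R0 = ec_mul(self.k0)
        return self.R0                      # device commits to its nonce point

    def sign(self, rho):
        # Step 4: verify the opening, then tweak k0 with H(R0 || rho).
        if hashlib.sha256(rho).digest() != self.commitment:
            raise ValueError("host opened a value it did not commit to")
        k = self.k0
        if self.honest:
            k = (k + h_int(ser(self.R0), rho)) % N
        # a dishonest device keeps its self-chosen k0 as the nonce
        return ecdsa_sign(self.d, self.z, k)

def anti_exfil_sign(wallet, Q, z):
    """Host side: run the exchange and check the device honoured our randomness."""
    rho = secrets.token_bytes(32)                            # Step 1: host randomness
    R0 = wallet.commit_nonce(z, hashlib.sha256(rho).digest())
    r, s = wallet.sign(rho)                                  # Step 3: open rho
    # Step 5: the only acceptable nonce point is R0 + H(R0 || rho) * G
    expected = ec_add(R0, ec_mul(h_int(ser(R0), rho) % N))
    if expected is None or expected[0] % N != r:
        raise ValueError("nonce does not include host randomness: possible exfiltration")
    if not ecdsa_verify(Q, z, (r, s)):
        raise ValueError("signature invalid")
    return r, s

def demo(honest):
    """True if the host accepted the device's signature, False if it rejected it."""
    d = 0x1111111111111111111111111111111111111111111111111111111111111111  # constructed key
    z = h_int(b"constructed transaction digest")                            # constructed digest
    wallet = HardwareWallet(d, honest=honest)
    try:
        anti_exfil_sign(wallet, wallet.pubkey(), z)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print("honest firmware accepted:", demo(True))    # True
    print("klepto firmware accepted:", demo(False))   # False
```

The point of the host-side check is that a device which wants to hide data in the nonce has to choose k freely, but once it has committed to R0 it can only produce the one nonce the host can predict from R0 and rho; any other nonce yields a different r and the host refuses to broadcast. The check needs no trust in the device's RNG, which is what makes the firmware and supply chain less of a single point of failure for this particular leak.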
You're exaggerating. Every competent hww checks firmware signature. Something an average joe can't do on their laptop.
Unless it was compromised while shipping through Amazon/UPS/five factories in China ...
If that happens you're screwed anyway. A compromised HWW might as well contain a radio transmitter.
We need better tamper-proof seals.
That’s not a scalable attack. In that model the attacker has to be kinda nearby when you use the HWW.
Ever heard of GSM?
I wonder how you would pull that off. How small is the smallest GSM and how would it know when to strike as GSM is quite detectable. If it blares out its presence on every power-up, that hardware would make the news in a week. So ... scaling is a problem with GSM, too.
I don't know how small GSM is today but I know that ten years ago the smallest widely available wifi module was around 100 times larger and 10 times costlier than today. So it might become feasible in the future. There are other radio communication protocols as well.
You can definitely include a GSM chip for cheap, but now the device board actually looks visually different, which people can identify, even if admittedly relatively few would. Still, if you did this en masse it’d likely be discovered before too long, whereas a malicious firmware likely would not.
I'm just wondering if something like the AirTag infrastructure could be used for minimal power antennas. By Apple I'm pretty sure the answer is yes. All the phones are spying on us in more ways than we imagine.
In theory, but I’m not sure if you can transmit arbitrary messages over that without being Apple.
The attacker could pretend it's 256 devices and transmit the seed by simply sending or not sending a message. It's not that high a number.
My point was I’m not sure you can pretend you’re *any* devices without being an Apple device. In any case nostr:nevent1qqsqac7czr2hk05gkf0l5s59tg3tz8xyspn9ea7aqxrvg9pswev8y8spzfmhxue69uhk7enxvd5xz6tw9ec82cspz3mhxue69uhkummnw3ezummcw3ezuer9wcq3gamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7qglwaehxw309ahx7um5wgkhyetvv9ujucnfw33k76tw9ehxjmn2vy728fpa
They have cheap BLE tags. If those cannot be reverse-engineered maybe you can record their beacons without the reach of any other device and then just replay them. Buying 256 tags may be worth it if the victim stores tens of millions satoshis.
I'd be really surprised if there isn't any way to sneak out 256 bits of data. Or less if the attacker wants to do some brute forcing.
I understand the data to be signed and tied to an Apple ID. It may well also be tied to some per-device factory-sealed key. I mean you can always buy 256 real AirTags but hardware modifications are much more likely to be detected than software ones.
Even without it, there are other similar networks which relay information.
And there are hacks to make other components work as antennas, so there it is again, the dependency on a clean firmware. But the range without a dedicated radio chip is considerably less, reducing the risk in theory for many users.
Yes, that too. You can use an RPi's pin to transmit FM radio for instance. Which gives me a crazy idea: if you transmitted a fake ad "call
I mean the power available to do that from inside a hardware wallet is probably not gonna make it far enough for much anyone to do much with it, doubly so if you only have a relatively limited time to get it through before you run out of power.
Yep, this specific idea was just funny thought, not a serious attack.
Seems like yes, Coldcard and others should implement this… but you’re seriously recommending hardware without a secure element, or even a general purpose computer over this???
Did you comment already on why you think those tradeoffs are worth it?