
Jonas Schnelli (Bitcoin Core Developer and Maintainer and Co Founder Shift Crypto) and Douglas Bakkum (CEO, Shift Cryptosecurity) join me in this episode to talk about the BitBox02 hardware wallet product from Shift Cryptosecurity based in Switzerland. We talk about:
- Why Shift Crypto was started
- Prior product, BitBox01
- BitBox02 and how it works
- PSBT and Air gapping
- Privacy
- Multi Sig
- Bitcoin-only
Shift Cryptosecurity Links:
- Shift Cryptosecurity: https://shiftcrypto.ch/
- Jonas Schnelli: https://twitter.com/_jonasschnelli_
- Douglas Bakkum: https://twitter.com/douglasbakkum
- Shift Cryptosecurity Twitter: https://twitter.com/ShiftCryptoHQ
SLP Hardware Wallet Interview Series:
Sponsor links:
- Kraken: http://www.kraken.com/?utm_source=podcast&utm_medium=stephanlivera
- Unchained Capital: https://www.unchained-capital.com/?utm_source=Stephan%20Livera&utm_medium=Referral&utm_campaign=Affiliate
Stephan Livera links:
- Follow me on twitter: https://twitter.com/stephanlivera
- Show notes and website: https://stephanlivera.com/
- Subscribe to the podcast: https://anchor.fm/stephan-livera/
- Rate and Review the podcast: https://itunes.apple.com/podcast/stephan-livera-podcast/id1415720320?mt=2
- Orange Coin Good and other Merchandise @ Layer One BTC Store: https://layeronebtc.com/collections/stephan-livera-podcast
- Email contact: stephanlivera@pm.me
Podcast Transcript by GiveBitcoin.io:
Stephan Livera: Jonas and Douglas, welcome to the show.
Douglas Bakkum: Thank you very much for having us.
Jonas Schnelli: Yeah. Thanks.
Douglas Bakkum: Excited to be here.
Stephan Livera: Look, obviously, we’re doing this hardware wallet series. I wanted to discuss with you guys, as well, from Shift Cryptosecurity. Let’s just start with a bit of background on yourselves, on you guys, and what your role is with Shift Cryptosecurity.
Stephan Livera: Jonas, let’s start with you.
Jonas Schnelli: Douglas, we met, I think, back in 2014, when Douglas showed me at one of those bitcoin meetups in Zurich his piece of hardware. And I was quite impressed, because it was, back then, 2014, not much hardware wallets were around, I think only Trezor was really… Was quality-wise an acceptable thing and I [crosstalk 00:00:54].
Douglas Bakkum: Yeah I’m not even sure if they were released then.
Jonas Schnelli: Yeah, could be. I mean you started certainly before they had released with your PCB sign and stuff and yeah, I was really impressed, and I knew that… I mean I still [inaudible 00:01:09] that key storage is one of the crucial points in the whole bitcoin space. It’s so hard to really store or protect your private keys, and I think… I saw that this is going to be a huge thing and somehow we need multiple vendors on that level otherwise it’s going to be kind of a systemic risk for the whole bitcoin system. And as you are aware I’m in for the long term, for the decades not the years. And I was working on Bitcoin Core and still do, most of my time. And I knew this needs kind of support, then I started to collaborate with Douglas and at some point we founded the company together. And here we are.
Stephan Livera: Let’s hear a little bit from you Douglas.
Douglas Bakkum: Yeah, I’ll have, I guess, a bit of a different take. Well first of all your question, what are our roles. So Jonas right now, he’s the president of the company. We co-founded the company back in October of 2015. So that’s probably a year after we had actually… More than a year we had first met and started working on the project. When I started working on the project I was in a completely different life than I am now, so I was actually a neuroscientist at the university here, I was a group leader at ETH university. Interestingly enough our company is a spin off of a neuroscience lab at ETH, but it’s quite a stretch to figure out how that connection works but basically it was more on the neuro-engineering side.
Douglas Bakkum: So that lab would make electronic devices including PCB devices A6 and so in order to help study neurons better and help advance neuroscience, and so through that, but also before that I had some mechanical engineering background in robotics and AI and stuff like that. So through that we get the, I guess some of the technical foundations for building PCBs, dealing with data processors, how to write firmware, how to deal with USB communication and things like that and so that really gave a technical foundation and, let’s see.
Douglas Bakkum: So yeah, for myself I started working on it in my spare time then. So I guess I was the inventor of the original Bitbox and… What was the story back then I guess. I started learning about Bitcoin around 2013. It took me about two weeks after, I bought my first Bitcoin, until I was actually comfortable holding it. And so given a technical background I kind of understood some of the security implications and things like that and it really took me a long time just to research and actually implement a solution where it actually felt comfortable.
Douglas Bakkum: So there, okay, this is never going to be adopted if it takes me this long or takes anyone this long to get used to it. And so at the time there were no hardware wallets on the market, the idea existed. So Trezor was talking about it. Ledger before they became Ledger was talking about it. But also at the same time if you were around you might remember a lot of scams in hardware, especially with Bitcoin miners, and a lot of people losing money through presales and things like that and so. It was a big question to me if actually something would come out of it and so I just decided okay, what can I do, I will just try to make something myself.
Douglas Bakkum: And so, just in my spare time I started making it. Coincidentally enough, luckily enough, Jonas and I happened to live in the same city, in Switzerland. And so we met each other at the meetup, we encouraged each other and it became a really nice fit. So I was working on basically everything you can touch, so like the hardware, but also the firmware on it. And Jonas has a long background in entrepreneurship, especially with mobile apps. And so he had a great skill set for actually building the front end and what users would see in interacting with the device.
Douglas Bakkum: So yeah, we tried to do it ourselves, make a whole system, and got a lot of great feedback, great encouragement from the crypto community in Switzerland, which is despite being a small country, quite strong. And yeah, we ended up founding the company together.
Stephan Livera: Excellent, let’s talk a little bit about the Bitbox 01 then. So there’s definitely some people amongst the bitcoin community who are Bitbox fans, right? I see, even I hear on some of the podcasts, people mention the Bitbox as well.
Stephan Livera: So tell us a little bit about what was your experience creating the Bitbox 01.
Douglas Bakkum: Yeah, so I mean, I had some basic, you know, background in PCB design and things like that. I’ve been an academic my whole life. So this is actually my first experience in, I don’t know if you can call it the real world or not. In a different world, although there is a lot of parallels, which I find interesting.
Douglas Bakkum: And so, being an academic, being a scientist by background, I like to, you know, figure things out on my own. So I do a lot of research and learn, become an expert through that, through trying things. So one of the very first things I did with the Bitbox 01 for example, was I wrote my own ECDSA library and I wrote my own big number library to fit into that.
Douglas Bakkum: And just to learn how, you know, what really it is I’m getting into and what are all the factors involved, like the side channel risks, the need for, you know, good entropy for nonce protection and things like that. And so really dig in deep, that was a great experience. And yeah, kind of going from there.
Douglas Bakkum: And of course if you want to turn something from, you know, just… It was really… In the simplest words you could call it a hobby, right? If I’m doing it in my spare time. To take something from a hobby and to actually make it into a professional production grade device where now all of a sudden you don’t have to worry about yourself but you also have to be responsible for a broader community. You know that’s a big thing and so I took it seriously.
Douglas Bakkum: Before we launched the Bitbox 01 of course I made sure to deal with or start communicating with the community, especially the security experts, audit firmware, talk to different companies, talk to different experts in crypto currency in Bitcoin specifically and try to really take responsibility for it.
Stephan Livera: Great, yeah, Jonas did you want to add any comments around your experiences with Bitbox 01?
Jonas Schnelli: My side yeah. I mean as Douglas said it was coming out from a hobby and at some point if you decide to do a product there is a whole new level going up because it’s like you need to deal with limited resources, you need to deal with packaging, with the whole quality insurance. This is huge and coming from open source where you have, somehow it feels like, unlimited time to polish stuff it was in a mode where we had to shape at some point.
Jonas Schnelli: So you need to have a great resource management and when it then comes to product quality which includes security and stuff that’s pretty new, it gets complicated. And I think what we learned is how we can turn a hobby into something that can be produced in large masses with good quality. And Bitbox 01 was mainly in my opinion about scaling up, getting ready.
Stephan Livera: Great, I think the listeners will be interested to hear about your experiences with dealing with obviously hardware wallet hacks, right. So there have been many… Basically every wallet has had some kind of hack, or some sort of attack on it. And I know Saleem Rashid in November 2018 and it’s called breaking into Bitbox. And so there is a few different parts there that might be interesting to talk through from your point of view and we can sort of talk about what went wrong with those and potentially what’s the improvement with Bitbox 02. So there were a couple, just from reading through that post, he spoke about one aspect around BIP32. It was around the hidden wallet and understanding the way the chain code and apparently it was flipped and so that enabled an attacker to potentially get the key. And then there was the other component around a potential man in the middle attack that Saleem mentioned. So do you want to just discuss with your thoughts on those attacks and…
Douglas Bakkum: Yeah sure, I can give it a shot first. So yeah, first of all for those who don’t know us, Saleem is a really smart guy, he’s made a name for himself as a white hat hacker of hardware wallets in particular. And he’s responsibly disclosed vulnerabilities to us in the past, but also to the other hardware wallet vendors. And so I personally consider him probably one of the best, if not the best expert in hardware wallet security in the industry. And so in one sense it’s kind of, I guess, an initiation process for hardware wallet vendors as they mature. So in that sense it can be a bit of a badge of honor.
Douglas Bakkum: But on the other hand it is always quite humbling to be publicly faced with bugs and mistakes made. And so that’s something we try not to shy away from, because in the end it’s all about making security better for the end users. And of course all sides are aligned with that. And so mistakes happen, one of the difficulties with security in general, especially for Bitcoin and cryptocurrencies, is that yes, like I said before, we did get audits, but Gideon the domain specific knowledge is difficult and so the high level concepts often times in security companies, the security experts just… It’s not in their frame of mind it’s not in their… The tool set they use to look at security vulnerabilities and things like that. And so it really takes special people with a deep level interest, not only deep level interest but also a good grasp of the high level concepts to get security right, Saleem definitely has that.
Douglas Bakkum: And so we want to be very transparent about it, very open about it, really encourage and reward community feedback to help our security, that’s why we have a bug bounty program and so on. These particular vulnerabilities you list, yeah, they’re mistakes that happen, definitely parts that got overlooked through our security process both internally and externally, so we’re very thankful for Saleem pointing it out, very lucky these vulnerabilities weren’t permanent so they could be fixed and they were fixed in time through the responsible disclosure process that individuals didn’t get affected.
Douglas Bakkum: And so we’re conscious to the fact that probably there are going to be more mistakes, not only by us, by everyone else in the future and so we want to try to get the best security experts, Saleem and so on, to also be able to help with us. I want to say one of the things in his blog posts, so of course making mistakes with security is humbling, they do happen, you have to fix it of course. But the thing that probably hurt me personally the most was so language later about losing motivation to work with us. And so I just wanted to address this topic given the opportunity. And so I think a lot of that came up out of miscommunication as a lot of issues do, so we still do have a good relationship with him. We’re trying to continuously improve our bug bounty program, that it is attractive to people. And Saleem he has taken a few of our next generation Bitboxes and so he has a couple of those at home ready to hack on, and so we’re looking forward continuing this relationship with him and others.
Jonas Schnelli: And he certainly has some hard nuts to crack now.
Stephan Livera: Yeah, so as I understand one of the points and potentially this is an improvement from the Bitbox 01 to the Bitbox 02 is having a screen on the device so I think that is a… So if the listeners, if you remember from the earlier episodes with Michael Flaxman, he spoke about his concept of making sure that when you do a transaction you verify in the most secure location. And so I understand that with the Bitbox 02 there is a screen on the device and now that is a security feature that the user should be making full use of such that they’re not trusting what’s on their computer screen, they are trusting what’s on the physical device.
Jonas Schnelli: Yeah, I mean speaking for the Bitbox 01, the concept there was that you pair it with a smart phone in order that you have a second factor that would then verify in a secure channel what you or your wallet is going to sign. And of course it was a different security model, it’s probably debatable whether with an onscreen it’s more secure, on the other hand it gives way more opportunity to interact with the stuff you see on the screen.
Jonas Schnelli: So you can open, you can see, you can verify things way more easily. Which then comes down to what is security in general, is it to show stuff or is it to make it accessible that user can actually verify things. And if your address is on a screen where nobody can really read the characters then it’s again maybe higher security if you can verify them on a second factor smart phone.
Jonas Schnelli: I guess it’s all about options and now with Bitbox 2 we have a screen on the device so people can actually verify directly on the device.
Douglas Bakkum: Oh I was just going to add a little bit to that also. So yeah, the concept with the Bitbox 01, originally called Digital Bitbox, was to use a secure connection to a mobile app and then that basically serves as a secure remote screen for your device. Now that said I think it is possible to have a similar level of security using that setup, but the drawback then is you have another interface that you have to pair, you have another interface between communication has to go, so it’s opening up the attack factor surface a bit.
Douglas Bakkum: But if you get it right I think the security can be similar, it’s just a lot easier if you have a screen on your device. And so, to avoid a lot of these other things you have to think about.
Stephan Livera: So I think if I were to summarize then and I think part of that is a fair point, is that sometimes you’ve got to make sure, obviously there’s that trade off of security and usability and I guess you can argue that if you’re making use a hardware wallet as opposed to making it difficult for them then there might be more incentive that they use the hardware wallet rather than say leave it on the exchange, which is everyone agrees that’s the worst practice, right? But as you mentioned there is an additional attack factor, and in Saleem’s post he mentions that was literally the man in the middle attack potential at the point of the ECDH the Diffie-Hellman key exchange that there is a potential for an attacker to try to insert themself into that and obviously exploit from that point of view. But yeah, okay so look, let’s talk about the new device then. So the new Bitbox 02, Douglas did you want to just give us a bit of an overview.
Douglas Bakkum: Sure so the Bitbox 02, let’s see, the current status is it’s… we’re doing pre-sale right now. I know I mentioned earlier all these problems with pre-sales in 2013, but we are doing pre-sales right now. The difference though is we actually have the product existing, we started a beta program a few months ago so we actually sent devices out to Beta users, to mainly get feedback on the UX testing.
Douglas Bakkum: In the meantime we’ve been going through security audits and we didn’t want to start pre-sales until the security audits were actually finalized and they are now. And so production began and we’ll start to ship in September ideally. So that’s the current status.
Douglas Bakkum: What’s new, we already mentioned the screen, the screen is new. So some other things that are new include a USB-C port so you can plug it into devices directly. Particularly in the EU there has been a lot of legislation talk about reducing cable waste and so mobile phones in particular are supposed to have a single form factor for charging which is going to be USB-C and so the general trend in mobile devices, also laptops is going towards USB-C so we want to be future ready with that.
Douglas Bakkum: Our desktop app itself currently runs on laptop but we also designed it from the ground up to work with mobile and so that will come out soon so then you can use our devices with mobile, I think that would be a nice feature.
Douglas Bakkum: One of the things we’re very excited about is this touch slider mechanism, what that means is, so the device is small but USB stick size device. We have a screen on top that covers most of the top space and then on the sides of the device we have two areas for touch sliders. And so we think you can do a lot of really interesting UX with this. So having to do with password entry or mnemonic seed entry or just scrolling through your addresses when you need to verify, where you’re sending coins and things like that. And so, we’re quite excited about that, we think it has a few advantages in the sense that you can do things, you can do things easier, we think that it can be a more intuitive UX, of course there’s probably still some rough edges around it now but we think it has the potential for all these things.
Douglas Bakkum: Also we redesigned the security concept from the ground up so similar to the Bitbox 01 we took what we think is kind of the best of both worlds from Ledger and Trezor in the sense of a unique dual chip approach. We started that in Bitbox 01, I know Coldcard is now doing that with theirs and we tried to further that with the Bitbox 02.
Douglas Bakkum: I can stop there, we can get into the security of that a bit later, but just from a high level that’s what’s new. I’d also like to say, with the Bitbox 01 we learned a lot through in the sense of, we have customers in 100 different countries now and so we’ve been able to get a lot of great feedback from them. And so when designing the Bitbox 02 we tried to take what works with the Bitbox 01 and keep that and add in the extra features that people are asking for, the screen and so on.
Douglas Bakkum: Some of the things that worked with the Bitbox 01 are the form factor, the size, it’s portable, you can keep it in your pocket. People liked a lot the discreet design, so if you pull it out you’re not automatically advertising that you have a hardware wallet with bitcoin on it, which some of the other vendors that would be the case.
Douglas Bakkum: And of course one of the biggest distinguishing factors is the SD card slot, which we started in the Bitbox 01. And just to touch on that a little bit. Part of the feedback we get from users really is, you know, usability still remains maybe one of the highest issues with adoption and also just using hardware wallets or any type of thing you interface with cryptocurrencies. A lot of feedback we get from new users in particular in our resellers is this concept of mnemonic anxiety. And so, I guess your listeners are well aware of mnemonic pass phrases and things like that, but new users aren’t and it’s a foreign concept to them. They don’t really understand why they’re writing words down onto a piece of paper and people say it takes them 20 minutes, 30 minutes to write down very carefully each word and then go through the whole process to verify what they wrote down is correct. It’s just really confusing, really stressful. And so, with the micro SD card slot we basically reduced that to something that’s really understandable, so backup is understandable by people and it’s instant.
Douglas Bakkum: So once you created the wallet you automatically save the backup onto the SD card and so it’s very fast, very easy set up. Also very fast very easy recovery, we’ve gotten a lot of feedback that people really like that.
Douglas Bakkum: Of course with the new device now that we have a screen we also want to make it easy for the more experienced users to be comfortable with their device so we do have an option for writing down mnemonic seeds on paper.
Stephan Livera: Great, you mentioned earlier the dual chip approach, would you mind explaining a little bit further on that?
Douglas Bakkum: Yeah sure, so in your past podcasts there’s also been debate about open source versus closed source, secure elements versus general purpose micro-controllers. And so, by the dual chip approach, what we’re doing is we take a general purpose micro-controller we put open source code onto it so we can get all the benefits of security that come with open source in terms of people being able to verify what you say is true is actually true.
Douglas Bakkum: I think open source is something that doesn’t get talked about a lot, but also something that’s very important is the internal pressure on yourself, so if you’re really opening your coat and showing the world everything, you know it gives you more incentive to actually do the right thing and pay more attention to the security and things like that, and so on and so on.
Douglas Bakkum: With the closed source secure elements, just a high level summary, secure elements become secure elements after a certification process and this is very expensive, very time consuming, it can take a year or more. It can take a million dollars or more and in the end in order to use these devices you need to sign NDAs with the manufacturer and then that really limits what you can expose to the public and so they want to keep the code closed source to protect their IP and often times these devices have low specs, you can’t put a lot of code onto it, it doesn’t have high… Low specs in terms of memory so you can’t put a lot of code onto it. They have of course very high specs in terms of security, like physical security especially.
Douglas Bakkum: But that said there is an incentive by the manufacturers to hide bugs and hide vulnerabilities and the reason for that is a lot of the cryptography that goes on in there is also at the hardware level and so when bugs are found and have been found it would require redesign of the chip. It would require re-certification, new testing so again another year, another million dollars and so there’s high incentive for covering up bugs and hacks.
Douglas Bakkum: That said I think the physical security mechanisms are great, we really should take advantage of them but this disincentive compared to users versus the manufacturers I think is a big red flag and it’s something I think we in particular try to avoid. And so, that’s another reason why our code is open source in particular one of the most crucial aspects is the elliptical curve cryptography library and as far as I’m aware I think the libsecp library on the Bitcoin Core code base is by far the best.
Douglas Bakkum: Most well researched, most studied, really paying attention to side channel attacks, and so on and so on and so on. Even, you know the extensive testing that Pieter has done has led to bugs being found in OpenSSL and so on. So I think really when you’re dealing with Bitcoin with one mistake could be catastrophic, where you lose access to your funds. You really should do the best, of course, and in my opinion the best would be using these well vetted, well researched open sourced libraries.
Douglas Bakkum: And so, it’s getting a bit long winded sorry. To go back into the secure element side, so we do have a secure chip on our device and we use that solely for authentication purposes, so unlocking the whole device. And so, with that we think and again we can get into details more. But with that we think we can offer the best of both worlds in the sense of offering the physical protection enabled by secure chips, the authentication capabilities enabled by secure chips to protect your whole set up, yet still have the functional security, again these high level concepts that are hard to get right in Bitcoin, these functional security in a transparent and auditable way.
Stephan Livera: I was also keen to ask about backups. As you mentioned there is this process with the Bitbox 02 where you put in an SD card and the backup is created onto that, is that an encrypted backup or an unencrypted backup?
Jonas Schnelli: I can chime in on that, because I think first there is still the problem that people don’t understand the hierarchical deterministic wallet creation. When I go to conferences I usually speak to kind of educated, skilled Bitcoin people. But still there’s a high percentage of people not understanding that they can do a backup once at the beginning and it covers their future received coins. This is just a concept that is hard to get if you’re used to traditional time machine wise backups.
Jonas Schnelli: Why can I do a backup in the beginning and receive a coin in a year and it’s still covered by the backup I’ve done a year ago. This concept is so hard to understand and still people… There is still a big lack of education and then you present them, well now you need to write down 12 or 24 words, this is again hard to understand, why do I have to write down words? What is that? And it’s really the education layers not made in a way where my mother or people who wanted to get into Bitcoin that are not computer experts can really get it. And I think we tried to defeat with you just have an SD card, we tried to allocate them directly within the app and you pull out the SD card at the back of the stone, it takes maybe a second and then you take out the SD card and store it somewhere else.
Jonas Schnelli: And I think that concept is easier to understand rather than write down the words and then you need to hide them from visual sights and stuff. And at the beginning we encrypted backups, but one of the most dramatic problems in Bitcoin key storage is not hackers and not people stealing your coins, it’s yourself, it’s you losing passphrases.
Jonas Schnelli: And I saw much more in the four digits amounts of percentage, people losing coins because of losing pass phrases, losing passwords. And the whole inheritance problem comes again into that phase and I think protecting people from shooting their own foot is way more important at the first place than kind of securing them. So if they manage to lose passphrases quickly and easily, it’s probably better to store stuff by default unencrypted. The Bitbox 02 stores stuff unencrypted by default but gives an option to encrypt them.
Stephan Livera: Yeah, that’s an interesting one because, yeah, obviously some of the more hard core listeners would be probably perking up and saying, “What no, it should be encrypted…” But I can sort of appreciate here, there is also a user experience component that you are trying to manage as well and that you have to consider both sides there as well.
Jonas Schnelli: If you start to encrypt backups, what people do, I tell you, they start to write down the words and then they think, “Oh well, I’m going to store that in my bank vault right, so when I get under the bus my wife can take my coins” Well what do we do with the pass phrase? “Okay, let me write the pass phrase next to my seed.” So then the question is, what’s the purpose of the pass phrase, if it’s like always stored, and then think okay well, maybe I write the pass phrase onto another piece of paper and give that to my lawyer or my notary, but then they are making security assumptions that are not correct, because if somebody gets the pass phrase and it’s not secure enough then.
Jonas Schnelli: So it’s dangerous territory at all, so I think a solution that could solve that backup encrypted multilayer solution is what Pavol talked about, Shamir’s Secret, but in general I think because we all saw more coins being lost at lost pass phrases and attacks by default not encrypting is probably a good choice but of course we should ask more experienced users, do you want to encrypt, yes, and then they can choose another factor.
Stephan Livera: Yeah, that’s a fair comment I think and let’s talk a little bit about the Bitbox app. So as I understand, now I had an opportunity to actually use the beta version of the Bitbox 02 and you download the Bitbox app and you plug in and that’s what you use to initialize the device. Can you tell us a little bit about that process, what’s the Bitbox app, how does that work?
Douglas Bakkum: So the Bitbox app is of course the user interface for using the Bitbox, the Bitbox 01 or the Bitbox 02. That exists on your laptop it’s the interface to interact with the device. Like all hardware wallet vendors have it. So the app itself, trying to think of which level of depth to get into. I guess one of the things we use the app for with the Bitbox 02, you may have noticed, there’s a pairing that happens during the setup process. And this is designed to… At the moment it’s basically binding the Bitbox to your own computer so we think this adds a bit extra security in the sense that if suddenly someone replaced your app with a malicious app or replaced your Bitbox with a counterfeit device then this pairing code will pop up again and it will be an indication that something strange is happening.
Douglas Bakkum: Of course we need to spend a bit more time on the UX to users, that’s one aspect. Another aspect is, prior to, actually every time the Bitbox 02 is plugged in there is an attestation check, and so what this means is… Well the purpose of this is to try to mitigate against supply chain attacks and counterfeit devices and so the Bitbox itself on the secure element, secure chip, it’s stored a secret. And the Bitbox app will send a challenge, the challenge gets signed by this private key and then it gets the response from the chip and then it can use the same bitcoin elliptical curve cryptography to try to verify if the response is correct, if it matches the public key.
Douglas Bakkum: In that sense you can get some protection against counterfeit devices, evil maid attacks and so on.
Jonas Schnelli: You know maybe to add to that is, also from the beginning, from the Bitbox 01 beta we had shipped it always with the native desktop application because we thought the browser environment is not the right set up for doing security crucial stuff. And I think that trend is also now something competitors will follow because it somehow conceptually makes way more sense. Also then if it comes to cross-platforming, including smartphones and usually you need to download anyway something on an app layer to kind of bridge it with your USB stack or kind of configure it. And I think the desktop app is just the ideal way how to communicate with the hardware wallet.
Stephan Livera: Right yeah, and I think it’s interesting because there’s different philosophies and thoughts around that right. So for example, Trezor has a web wallet, Ledger has Ledger Live which is a desktop application and I think they’ve also got a mobile version. Coldcard doesn’t even have an application they just use Electrum or Wasabi, right? So everyone’s kind of got slightly different ideas on that. I think the real kind of cypherpunk people out there I think they’ll appreciate that with the Bitbox app, one thing I noticed it’s kind of like, it’s got the simple version of it, but if you want there’s advanced options and there’s an advanced option there to connect it with your own node. Can you tell us a little about that?
Jonas Schnelli: Yeah, I think there’s still the big problem that hardware wallets are… I mean they cover security but they not cover privacy, or most of them not cover privacy by default at least. And what privacy also means is there’s a relationship between privacy and security because if you sacrifice privacy you may reveal that you hold coins which can hurt your security. A simple answer could be the 5 dollar wrench attack, if somebody knows you’re holding a lot of coins. So privacy is highly correlated in security and most of the default settings on all hardware wallet vendors are giving up privacy by sharing the xPub or sharing what they own, in general not sharing their private key but sharing their financial privacy.
Jonas Schnelli: And I think this is a crucial point and we’re working towards having a default option that your privacy is not given up completely. But right now, or since a year or two what the Bitbox app offers is you can use your own back end and we also support Electrum Personal Server. It’s still an expertish solution but I think this is the best we can currently give to users that they can connect to their own node and not giving up privacy, not trusting central validation.
Stephan Livera: Fantastic, can you tell us a little bit about how the user might do that, is there a specific software that they would use or just literally list the IP and port number or what?
Jonas Schnelli: Yeah, I mean, there’s documentation but at the end what they can do in the Bitbox app. They can change the link of the back end and if they want to set up their own validation and privacy stack that means they need to install Bitcoin Core and the easiest solution is to add Electrum Personal Server, this is a piece of software that’s just a little layer that’s not doing too much and from then on you have your own Electrum server back end. Just for a single wallet or for a handful of wallets, because some other mechanisms would be that you install your own Electrum server, which is way over the top if you’re only having a handful of wallets because you basically index all the transactions that you can immediately access all addresses which is like 99% of all the addresses you will never use in your personal setting.
Jonas Schnelli: And again I mean, the whole concept with… It’s also a problem when people use BIP39 the mnemonic which I still think has some flawed elements on a conceptual layer, because if you want to restore a BIP39 seed that means you need to either have a full indexed Bitcoin Core instance or you need to scan the whole chain, which makes it like needing a day for restoring backup.
Jonas Schnelli: And the BIP39 somehow assumes you need to use central validation which means you need to give up privacy in order to restore backup unless you want to run a 500 gigabyte system constantly indexing the whole chain. Which again I think backup is not solved now and that’s also something we work on to make it easier for users to not give up privacy.
Stephan Livera: Right yeah, and as you were saying, it can be a little bit confusing and still a little bit technically involved to run EPS, Electrum Personal Server, and then not just that. You would have to do the rescan command and then say okay, when was this wallet started and then it knows how far back in the chain to search so that you don’t have to search back 5 years ago when maybe you only started this wallet two months ago, or whatever.
Stephan Livera: I think another point the listeners would be very interested to discuss and know what your thoughts are is multisig. So what are your thoughts around multi-signature support, do you agree that it’s additive, do you agree… Do you want to try to see that in Bitbox 02, what’s your thoughts there?
Jonas Schnelli: Yeah, I mean multisig is a very strong concept, how to kind of balance security and for sure there is need that users understand it better and users can use it, but it’s such a long road until it’s doable by non-experts and as I said I think the greatest risk is currently still the user itself.
Jonas Schnelli: And with multisig if you’re not an expert it’s extremely complicated to do a set up even with the best user centric applications, including Electrum and stuff, it’s still very hard to set it up correctly and it’s so easy to lose coins. Which makes me think maybe giving users an option now could be more harmful right now than it actually achieves security, or better security.
Jonas Schnelli: But for sure we’re working on multisig solutions, but it’s still very immature on the concept level and we want to ship users something that’s really easy to use and footgun safe and this may take another round until this is ready.
Stephan Livera: Yeah, and I presume also well, I know also that you can probably add some comments there around there are some difficulties with multi-signature if you were to start with one sort of set up and then you might not be able to recover that in some other set up, right. Because it’s not as standardized around things like what is the derivation path, what is the method, what was script used, can you comment a little bit on that Jonas?
Jonas Schnelli: I mean it starts at the beginning when you create a wallet together with all the participants, so how do you get their xPub, do they send you an email, do they give you a WhatsApp message. So do you basically include Facebook in your trust layer when you marriage a wallet.
Jonas Schnelli: For sure at some point you need to store the participants’ xPubs or pubkeys on your hardware device but, how could you verify that this is actually the xPub of your participant and then do you need to always be physically present to sign a transaction? Do you need to plug in USB sticks or hardware wallets on the same computer? Can you do it over the network, remotely?
Jonas Schnelli: And these are still in my opinion unsolved things or hard to solve issues, which again has a lot of, or a big surface for attacks. And I think in order to keep it to normal, non-expert users, there needs to be done more work on that later, on the conceptual layer.
Stephan Livera: Got it, I think that’s a fair comment. Also any thoughts around multi-signature with devices from other manufacturers as well, so do you have any thoughts on that?
Jonas Schnelli: Yes, yeah, what we currently consider is also adding support for third party hardware wallets into our software stack so of course if you want to store coins in the most secure way you also want to balance vendors so if you can have… If your security relies on multiple vendors it’s more secure in general so I think that that’s something we should give to users and that’s something users should understand, but again, it needs to work perfectly fine and it needs to be aware of the risks that users screw up, which is still the highest risk.
Stephan Livera: Yeah, agreed. Okay, let’s talk about PSBT, partially signed Bitcoin transactions. So can you discuss around your thoughts on do you want to work with PSBT or do you find it difficult to work with PSBT. I’ve heard different opinions on that, so what’s your view?
Jonas Schnelli: Yeah, I mean PSBT is a very technical layer that should not, or users should not be aware of what PSBT is in general, but since we’re experts and we are still on the tip of the iceberg in terms of usability. I think that PSBT is a very great piece of specification and it’s basically a file format that you can save that includes everything you need to sign a transaction or co-sign a transaction. And what people currently mean with PSBT on the user level is they can plug in an SD card or something and they can sign a transaction completely air gapped offline. That’s something we want to support in, or we considered to support in the Bitbox because we have an SD card, we have the knowledge how to do that. It’s just you know, the demand and the layer of complexity for users is just, the demand is low and the complexity is high.
Stephan Livera: Okay and while we’re on that topic as well, I know it’s not exactly PSBT but, around this idea of air gapping. Do you have any thoughts, or what’s your view around being able to initialize the device without touching a computer? So for example, the Coldcard has a function, something like that where you can create it on the device and power it purely from a power bank. Did you have any thoughts on that with the Bitbox 02?
Jonas Schnelli: Yeah, I mean security is as Pavol from SatoshiLabs it’s a complex beast, so air gapping basically is a concept that you try to eliminate insecure channels. We consider USB an insecure channel, because whatever comes from USB we don’t trust, we verify that on the device itself. But then people show that you can actually measure power on the USB stack and then figure out what people see on the screen, so every password shown on the screen might be insecure if somebody’s accessing a side channel.
Jonas Schnelli: So in airgapped. Air gapped means you take the device out of USB stack and maybe add a battery to it, but then again the battery, they could power analyze what you do and then once you plug it in to charge it up on your computer or WIFI or whatever they could send out secrets.
Jonas Schnelli: Obviously this is a more, harder attack to bootstrap, but again there’s cameras. Cameras are also collecting information, visual information in a large scale, audio signals, power signals can also be captured from a battery source that’s 10 meters away. It’s just different security model you do when you airgap. It’s probably a very good security model as long as it’s again safe for users not screwing up.
Jonas Schnelli: And with the Bitbox 02 we have all the tool sets to do the airgap modes but it’s not currently supported on the software side.
Stephan Livera: Got it, around change address verification, so my understanding here is again, correct me if I’m wrong, you know this better than me. One concept there is that the hardware wallet has to know that it has that private key for that change address. Can you talk to that problem and how does the Bitbox 02 make sure that it’s doing that correctly?
Jonas Schnelli: I think this is a solved issue for all the hardware wallets because it’s a basic concept that you… If I send someone Bitcoins I verify his address or her address I’m sending coins towards. I’m not verifying where the change goes because mostly there’s change involved but the hardware wallet always verifies that the change is so something he has the private key, or as an address he has the private key for. And therefore it’s safe to send the change to myself.
Jonas Schnelli: So this is, I’d say it’s included in all hardware wallets because it’s a basic need. The more complex problem is the fees, because you can verify the change is going back to myself but you cannot verify before segwit that the fee was actually correct or that you can verify the fee on the device. Which an attacker could have misused to pay extraordinarily high fees but they would not go to the hacker they would go to the miners, so it’s maybe not a large attack surface.
Stephan Livera: Great.
Jonas Schnelli: But that has also been solved with Segwit.
Stephan Livera: Okay, so let’s talk a little bit around the connection with some other upcoming product. So, I understand that you’ve also got the Bitbox base so can you tell us a little bit about that, what’s the way that will all work together?
Jonas Schnelli: Yeah, so the Bitbox base in my opinion is a super great project something I personally work on since years to have this plug and play box, you can plug in and have the full verification pricing stack on your own.
Jonas Schnelli: Because you know if you’re on Bitcoin Core on your desktop computer, it works but to be honest it uses a lot of, or at least in initial block download, it uses a lot of resources. If you had shut down your computer for a couple of days it began. It uses all your resources for fetching the new blocks and verifying them. So there’s basically great opportunity to have a box or a little server you can call it, running next to your router that could all do the hard stuff for you and even do more when your computer has been shut down and Bitbox base is basically an appliance of ready to use platform or even hardware device people can plug in and have all the privacy and trust features they could not build themselves because of time or know how resources.
Stephan Livera: Yeah, and then what is the way it’s foreseen to work together. I presume you would buy a Bitbox base and you would connect it to your laptop or your computer somehow with the Bitbox app and then that way you’ve got the hardware wallet checking back against its own Bitbox base, correct?
Jonas Schnelli: Yeah, I mean it’s still… I mean it’s a highly immature project in terms of goals. There’s a large area where we allow it for experiments for users to defining its usefulness. But in general it is a special computer that’s optimized for Bitcoin and Lightning stuff and it also has an included hardware wallet so that there’s a hardware wallet built into the Bitbox base. There’s a screen, you can really do the same stuff you can do with traditional hardware wallets, but it also has a kind of full fledged Linux computer.
Jonas Schnelli: So basically how the user story would look like, you plug your Bitbox base into your network and it shows up on your app, you can connect to it and you trust your own layer, privacy is not violated and you can do much more fun stuff including Lightning, including push notifications when stuff changes in your environment. There’s a lot of possible features, there’s probably way too many to not lose focus on doing the right things.
Stephan Livera: Great and let’s talk about the mobile app as well. So did you want to just touch on what have you got planned for the mobile and how will that connect up and how does that work with the rest of it?
Douglas Bakkum: Yeah, so the mobile app. We have a prototype working right now. So it’s all working, what we’re mainly working on is the UX so making sure that things that look okay on the desktop also look okay on the mobile screen. And when we originally decided what software stack to use for the desktop app, we specifically designed it to work with desktop and mobile.
Douglas Bakkum: And so, basically using the same exact code base, which is like a Go back end and then a typical web front end, HTML, CSS, JavaScript. We can take that and apply it in the different systems. So the goal with the mobile app is for it to be as identical as possible to the desktop app.
Douglas Bakkum: So you get full features on both. And then just, yeah, letting people use it as it would be used on the desktop.
Stephan Livera: Right, so literally they could be out on the fly with their mobile and plug in the Bitbox 02 and off they go, they can do transactions with it.
Douglas Bakkum: Yip, exactly like that.
Jonas Schnelli: You know, maybe additional features that they can watch their funds on mobile. It could also be on desktop so there’s different use cases you could do on mobile.
Stephan Livera: Right yeah, so having like a watching only function, that sort of thing. All right, well I think those were some of the key questions that I had for you. Did you have anything else you wanted to touch on Douglas or Jonas?
Douglas Bakkum: I guess one of the… I was hoping to get into some of the security concepts a little bit deeper of the [crosstalk 00:53:45].
Stephan Livera: Sure, let’s do that.
Douglas Bakkum: So briefly, but I mentioned earlier that we redesigned the security concepts of the Bitbox 02 still taking the dual chip approach but doing this a little bit differently. As I know in some of the past podcasts they talked about different kinds of hacks against them, in particular General Purpose Micro-controllers read out the secrets from them.
Douglas Bakkum: One example is, in Russia right now it’s legally accepted to be able to reverse engineer software, including firmware and so for a few thousand dollars and five, 10 business days, you can send them a general purpose micro-controller and they can read it off with microscopes and they can tell you all the bits and all the code and all your secrets that are stored on it.
Douglas Bakkum: And so, when we designed our Bitbox 02 we had this in mind, of course a lot of other attacks in mind and we’re trying to figure out ways of preventing all of these things. And so, the concept then was of course remote attacks, but also protect against someone physically stealing your device.
Douglas Bakkum: And the idea there is that if someone does want to… Does steal your device, they do want to get to your secrets, make them have to reproduce three different bits of information plus some more, but three main bits of information.
Douglas Bakkum: One indeed would be a secret stored on the micro controller, the general purpose micro controller. But also make them need to recover secrets stored on the secure chip itself, which of course is designed specifically to prevent these Russian labs from extracting the secrets. And then the third one is just not have all of the information required to recreate the seed on the Bitbox itself. And so I think this is a bit unique for us in the sense that we also use the user password, user pin when you first enter into the device, and we cryptographically combine all of these and then we use that as an encryption key to decrypt the seed.
Douglas Bakkum: And so if you don’t have the readout of the micro controller, you don’t have the read out of the secure chip and you also don’t have the… I should say it differently. You need the read out of the micro controller, you need a read out from the secure chip and you also need knowledge of what’s not on the device but in the head, in order to recreate the seed.
Douglas Bakkum: And so we think, with this we can… Security in depth I guess is a good thing. And so we try to provide as many different security layers as possible and we have more than that, we’ll try to write it up in a blog post. But try to provide as many security layers as possible to try to make it as hard as possible for an attacker to get the funds.
Jonas Schnelli: I think one great additional point is that the secure chip also allows us to do measurements against brute forcing that you cannot offload it to a different system where you have much more CPU power and brute force it easily. Because that’s always a problem also BIP39 problem, it’s 248 rounds that it’s made for not very efficient CPUs or in that case MCUs.
Jonas Schnelli: So we needed to add measurements that not can offload the other elements and then brute force it on a system where you have much more power. And I think that’s something we achieved with the Bitbox 02.
Jonas Schnelli: And maybe one thing I’d like to add for the closed source versus open source model. The closed source model is the model of obscurity or we probably can do analogy to obscurity. And I think in the long run there’s always been examples that this model is not the one that survives the long run.
Jonas Schnelli: So to just understand what the risks are, if you do Segwit the secp256K signatures ECDSA signatures on a stack you can’t control there’s always these nonces involved. Either random entropy or you need the RFC deterministic nonce model and by looking at the produced signature, you cannot tell whether they have used valid entropy, kind of a cryptographic random number generation or rather they have used the RFC standard to use a deterministic nonce. So they could use something else and you cannot tell by looking at the signatures.
Jonas Schnelli: So they could actually export the private key or any key secrets they could export through clever uses of nonces and nobody could verify that they’re exporting secrets and they could just collect secrets by looking at the public block chain. And it could have been done, nobody could verify them so it’s again a systemic risk. They could be malicious nonces or signatures that extracts data on the blockchain and at some point somebody sweeps all the wallets. It’s theoretically possible.
Jonas Schnelli: That’s why I think using closed source is not a good concept, because again the systemic risk, there is no security experts that really can dig into those things, and it could be time triggered. It could start to collect or extract information by date XYZ and I think this makes it highly complicated and highly risky.
Stephan Livera: Yeah, I think actually if I recall correctly that is actually a point Michael Flaxman raised as well, the chosen nonce attack as well so, I presume that’s what you’re referring to there as well.
Jonas Schnelli: Yeah, and just to add. When you have open source at least you can look at the code that does the secp or the ECDSA signature, you can verify if the concept what they’re following in is correct and even the code. While if you have secure elements that do the signature for you, you have no way to verify whether the concept in general is okay. You can verify the signatures and compare it to reconstructed backups offline but then you don’t know if there’s time or user based element that extracts only in certain circumstances.
Stephan Livera: Yeah, I think the listeners might get pretty scared about that idea, but as you said. I think as you said probably there is a risk of theft and so on with hardware wallets but I think it is a point that’s well worth reiterating is that most people are likely to lose their coins by losing their seed or incorrectly doing the pass phrase, those kinds of mistakes, than actually an attacker coming to get them.
Stephan Livera: Now that said it could be that in five or 10 years time the value of Bitcoin has gone up so much, maybe at that point it does become more of an attacker risk than a lose your keys or screw up risk, right?
Jonas Schnelli: Yeah, hopefully. Maybe to add to that I still think hardware wallets are by far the best way for users to securely keep their Bitcoins safe. I mean all these attacks are scenarios we just pointed out way more dangerous on hot stacks or on computers. They’re using Python libraries to sign ECDSA which come from NMP or whatever insecure source. So I think by far hardware wallets give non-expert users and including expert users the best security currently.
Stephan Livera: And also actually one thing I noticed is you guys are having a Bitcoin only version. Tell us about that.
Douglas Bakkum: Go for it Jonas.
Jonas Schnelli: Yeah, I advocated for Bitcoin only a long time ago. But yes, politicians say there is Bitcoin and there is shitcoins and I think Pavol also said a good point that you know, without altcoins they would not have survived 2017 and 2018 which is probably a true point. And there was also the argument of bringing people on board and transitioning them into Bitcoin at some point.
Jonas Schnelli: I mildly agree with that, not fully. Because for me it always also feels a bit about you know, helping people to getting scammed so I think it’s not an easy line you need to draw at some point because do you want to support coins that obviously look after a scam and then where do you draw the line between what is a scam and what not.
Jonas Schnelli: I personally think there is Bitcoin and there is shitcoins and I think we should not… If users think that way as well we should not hurt them additionally by adding risks of having firmware that’s supposed to do stuff on shitcoins. [crosstalk 01:02:53].
Stephan Livera: Yeah.
Jonas Schnelli: And that’s why we have a Bitcoin only version, it’s made for users only wanting to use Bitcoin and it has a reduced attack surface and it’s also a signal that they want Bitcoin only, it’s also it helps us to know what to do in the future.
Douglas Bakkum: Yeah, so just to reemphasize the whole point of having Bitcoin only version is to reduce the attack factor, so every new coin you add, every new function you add, U2F for example. It allows different communication protocols to come in and they use different cryptography so there could be issues in the cryptography itself, issues in the API call and things like that.
Douglas Bakkum: And of course the simpler you can make it, the more secure it can be. And so that’s the whole point of that, and so an important note is that our… The edition, the Bitcoin only edition will never be able to allow firmware from the standard edition. So it will never be able to… You cannot switch the firmware between them and that’s also of course a mitigation against increasing the attack factors.
Jonas Schnelli: Yeah, just to add here. It sounds after we are trying to make people buy two devices but actually it’s not that, it’s for security precaution because you want to eliminate that an attacker can exchange your device or can replace the firmware by the insecure one and once they’ve found the bug in the Bitcoin only version they could replace firmware, so it’s actually the device can only load Bitcoin only firmware which makes it more secure that it cannot be replaced by stuff that has been broken.
Douglas Bakkum: Yeah, and that said. Since we are a for profit company, of course, we want to pay our employees salaries and we want to live up our mission to improving the whole eco-system. Then it is important for us of course, to listen to the market. And in order to set our product goals, the market did tell us they want Bitcoin only wallets, but of course another part says they want to be able to explore other coins. So we’re trying to figure out what the best approach is and listen to our users.
Jonas Schnelli: Yeah, and we never forget that we are a Swiss based company. So Switzerland is kind of the land of neutrality, we also want to give users power and not decide what they should do. When someone wants to use an altcoin, our mentality is more, well we educate them, we inform them but if they want to use it it’s their decision because neutrality is important.
Jonas Schnelli: It should also underline that we’re producing everything in Switzerland, it’s very crypto friendly environment. There’s less risks of being intruded by agencies that we need to follow certain policies, supply chain attack is reduced, it’s produced really in Switzerland and programmed in Switzerland.
Jonas Schnelli: So I think this is also a benefit that will come to the users, yeah.
Stephan Livera: All right that’s great. So I think that’s all the questions I had so lets, just before we let you go, make sure you tell the listeners where they can find you online and where they can go to find Shift Cryptosecurity online.
Douglas Bakkum: Yeah, so the best place to go is our website so Shiftcrypto.ch and at the bottom you’ll find links to our different accounts on Twitter and Medium and what not. And of course, Jonas is quite widely followed on Twitter so you can find more about there and I’m getting on Twitter myself also, more and more.
Jonas Schnelli: Yeah, I think Twitter is always a good medium if you want to get more information, there’s a ShiftcryptoHQ and myself Jonas Schnelli to contact if you have any questions, of course IRC and all the other channels work as well.
Stephan Livera: Great, well Jonas and Douglas thank you for joining me today.
Douglas Bakkum: Yeah, thank you very much it’s a pleasure.
Stephan Livera: Thanks Stephan for having us.