
Charles Guillemet, CTO of Ledger rejoins me on the show to talk about the risks present with Bitcoin software wallets. Don’t miss this episode for security discussion on why you shouldn’t be keeping large amounts of bitcoin on software wallets and why hardware is becoming more and more necessary to protect bitcoin from theft.
We chat:
- Exploits using Pegasus
- Key aspects of Bitcoin security
- Extracting secrets using malware from desktop wallets and phone wallets
- Desktops, phones, hardware security
- What to do instead
Links:
- Article: On the security model of software wallets – Ledger.com
- Twitter: @P3b7_
- Site: Ledger.com
Sponsors:
- Swan Bitcoin
- Hodl Hodl Lend
- Compass Mining
- Unchained Capital (code LIVERA)
- CypherSafe (code LIVERA)
- CoinKite.com (code LIVERA)
Stephan Livera links:
- Show notes and website
- Follow me on Twitter @stephanlivera
- Subscribe to the podcast
- Patreon @stephanlivera
Podcast Transcript:
Stephan Livera:
Charles, welcome back to the show.
Charles Guillemet:
Hi Stephan, thanks for having me today. It’s a pleasure to participate in the show.
Stephan Livera:
I know you’ve got a lot of cool things you’re working on and doing, and often obviously thinking hard about security. I wanted to chat with you about some of these concepts, because I know you wrote a really cool post recently on Bitcoin software wallets and the security aspects of that compared with hardware wallets. Now, of course, people say, Oh, look, see you work for Ledger. You’re selling hardware wallets—of course. But I still think it’s worth a discussion just to understand the different concepts, understand what’s going on there. So from your perspective when we’re talking about Bitcoin security, what are the main challenges? Is it around protecting that secret or what’s some of the main challenges?
Charles Guillemet:
Yeah, the challenges are huge. Let me zoom out a little bit. Blockchain technology is about to change the world and this revolution can be compared to the Internet revolution. It’s a completely new paradigm in terms of adoption. Bitcoin, and more generally, cryptocurrency adoption we have today can be compared to the Internet in like 1998. We are very early. So this is the first thing I wanted to say. Second, the blockchain revolution is about changing the way humans store and exchange values. It’s about decentralization. It’s about self-sovereignty. It’s about empowering people. This is huge. With Bitcoin, you really own your money and it’s something quite new. As long as you have your keys, you don’t have to ask the permission from anyone to spend your Bitcoin. And it’s clearly a shift in the paradigm of money. When you use your bank account, when you want to make transfer, what you actually do is ask the permission [of] your bank to use your money. Bitcoin is very different from that. And your listeners probably know that already, but a quick recall about Bitcoin: Bitcoin is not an easy concept. At the end of the day, the coins you own are in the blockchain. They never leave the blockchain. So holding Bitcoin actually means being able to spend them. And to do so as a holder, what you need is to hold your private key. And second, the blockchain is immutable. That means that you cannot reverse transactions. So when I say this it seems simple, but there are very huge security implications. That means that if you lose your keys, you lose your coins. And there is nothing you can do to reverse that. If an attacker gets access to your keys, [they] can make a transaction and you lose everything. Your key is a small piece of data. It’s like 256 bits, but those bits can secure 100 USD worth of Bitcoin, or billions. In terms of information, it’s the same thing. 
So I mean, I [was] working in the security industry for years before working [in Bitcoin], and this challenge is the biggest I know of. There was nothing as big as this one in terms of security.
Stephan Livera:
Yeah. And so for listeners who are new, obviously a lot of people listen to the show to learn. Some are regular listeners and some are new, so just those new listeners: remember when Charles was saying their coins don’t leave the chain, remember it’s a ledger and you can think of it like your Bitcoin wallet holds a secret and it can sign a message that allows the coins to move from one place on the ledger to another, if you will. The coins never leave the ledger. The point then is that you really want to secure that secret because if anybody gets that secret, they will obviously transfer them to themselves and you will not own that. And as we were talking, Bitcoin is immutable. The transactions are not reversible. That’s it. Once it’s out, it’s gone. It’s done. There’s no takebacks. There’s no bailouts. That’s part of the Bitcoin system. And that’s essentially part of what we accept. At the end of the day, we’re trusting that our Bitcoin wallet and/or the device that we’re using to operate that—whether it’s a software device or a hardware wallet device—that it can keep that secret secure. Because essentially it’s like your seed word is really like this big, big number, and then your wallet will generate out the addresses and the keys based on that. So it’s all about keeping that secret secure, isn’t it?
Charles Guillemet:
Yeah definitely. Maybe we can just talk very briefly about the basis of asymmetric cryptography. So asymmetric cryptography is a big branch of cryptography. It involves a private key and a public key. The main application of asymmetric cryptography is a digital signature. With a digital signature, what you do when you sign something, you prove you actually know your private key without revealing any information on your private key. And anyone can verify that you know your private key without revealing it just by knowing your public key. And this is the very important principle of asymmetric cryptography. And this is what we use for Bitcoin. When I send you some Bitcoin, what I do—in a simple way—is to sign a message which proves I know my private key, and anyone can verify that I know it because my public key is public. And in terms of Bitcoin, anyone [can be] the node verifying the protocol running Bitcoin Core. And my public key is what we call addresses in the language of Bitcoin. So this is basically how it works. I can send you Bitcoin to your public key, to your address. Just because I know my private key and I can prove to anyone that I know my private key. And this mechanism is called a digital signature. And maybe if I can do a very small parenthesis, we will go through a Bitcoin upgrade in a few weeks now. This Bitcoin upgrade is called Taproot, and Taproot comes with new features. One of them is [that] we will change the way we sign transactions. Before we were using an algorithm which is called ECDSA on a curve which is called secp256k1. We [keep] the same curve, but we will use also a new signature algorithm and this signature algorithm is called Schnorr signature. It has a lot of interesting benefits, like it’s possible to implement threshold signatures in a very simple manner. Also the signatures are smaller. Those are the main benefits that you get with Schnorr signature.
So just to get back to the theme: owning Bitcoin means you are able to spend them and spending them means that you can produce a digital signature and to produce the digital signature you have to own your private key and never reveal it, because if you reveal it, that means that anyone else who knows your private key can do the same. They can spend your Bitcoin. So that’s why it’s paramount to secure your private key.
Stephan Livera:
Yeah. What we’re saying here, we’re focusing very much on protecting that seed, but I mean, I can think of other ideas related to Bitcoin security. Examples would be: making sure that you truly control that receiving address, right? That somebody hasn’t replaced the address with their address, and you think you’re sending Bitcoin to yourself but actually it’s somebody else. So you’re withdrawing. Another example would be making sure that when you create that private key or that seed, that you had sufficient entropy and that that process wasn’t being tampered with in some way, or there wasn’t some kind of malware or spyware going on. But I think just broadly speaking, the main security considerations are protecting that secret and making sure that it doesn’t get easily exfiltrated, or stolen. And so in your article as well, you talked about very interesting spyware and malware: the Pegasus software by NSO Group. Could you tell us a little bit about this? Because I think most people think, Oh, my phone is secure. It’s Google and Apple, they make it secure so I don’t have to worry about these things.
Charles Guillemet:
Yeah. You have to worry about that. The very short summary is it’s a very bad idea to use software, to use mobile phones or to use your desktop to secure your Bitcoin. Frankly it’s a very bad idea. But let’s go into NSO. NSO is a security company. Let me give you a small story about the security vulnerability business, because this is what they do in a way. When I was young, security research was mostly a game. Security researchers were looking for vulnerabilities and those vulnerabilities were simply shared for free on forums, [and] also in security conferences. This was on what we call at this time the dark web, but at this time the dark web was mostly a website with dark backgrounds. This is what we called the dark web at this time. And yeah, when you found vulnerabilities at this time, we just published them on those forums or going to a conference explaining them. And this is what we call today full disclosure because you don’t care, you just publish your vulnerability and companies were quite unhappy with that because that means that they were aware at the same time as everyone that there was some vulnerability on their product. So they started to incentivize security researchers to stop doing that and instead to be contacted beforehand. This is what we call responsible disclosure. So this is a gentleman’s agreement where companies reward security researchers when they find vulnerabilities on their product. It protects users and it gives some time to this company to patch the vulnerabilities before bad guys actually exploit those vulnerabilities. And at first the rewards were very small. You could get 100 USD or so. This was the beginning of this market. But the stakes started to be higher and different actors started to get very interested in such vulnerabilities. I’ll be very explicit: those actors are mostly criminal organizations and also national state services. Let’s be quite objective: these are the main people interested in those vulnerabilities.
Criminal organizations research and exploit those vulnerabilities for profit directly. They can do ransomware, they can access your bank account, get your password to dump the database and research the database on the dark web. If you don’t intend to respect the law, there are many ways to get rich with security vulnerabilities. National state services are a bit different. Of course, they are also interested in those vulnerabilities, but they mostly use them to spy on whoever they want quite easily and very closely. So if we go back to NSO. NSO is a company specialized in buying and finding such vulnerabilities, and they use them to build automated tools such as Pegasus. From a user perspective—because this is a very simple software—it’s a software, you launch it, you put the phone number of your victim. You click on Hack. I don’t know if this is what’s written on the button—something like that. And then you simply have full access to the phone of your victim. I mean, there is nothing else to do. There was just in the software many vulnerability exploitations which can break any kind of iOS or Android phone remotely without any user action. And then you have full access to the mobile phone. Full access means you can dump all the data inside the phone, you can use the credentials of your victim to access his favorite services, to his email, to his Coinbase account, all the credentials. You can also spy on the screen and keyboard and every single input. You can switch on his camera remotely, his microphone remotely whenever you want. This is a feature which is used a lot by nation states when they use Pegasus. There has been a couple of scandals where NSO has been caught using this to listen to the microphone of the French president, for instance. There has been a scandal around that. So basically you can do anything on the smartphone that you break. And from a user perspective, it’s just: click on the button.
So if you have a software wallet on your phone, that means that an attacker with Pegasus, I can [steal] that just clicking and then [peeking at] your data. If you log in to your Coinbase account or any exchange, I can simply use your credentials to enter your account. So this is what Pegasus is about, because this is about buying and finding a large number of vulnerabilities and to package them into a software which is very simple from a user perspective, which allows the user to hack any kind of mobile phone remotely without any user action. So this is what Pegasus is about.
Stephan Livera:
Yeah. You mentioned as well—this is remotely. This doesn’t even require—because I’ve heard of those things where say police or law enforcement have a machine and they plug in the phone and you need physical access. In this case, how’s the remote hacking working? Does it happen over the phone network or is it using a data connection or how does it actually achieve that?
Charles Guillemet:
Most of the time it has leveraged some messaging vulnerabilities. Like your messaging application is always listening on the network. And instead of sending you a well-formed message, the application will send you an [ill-formed] message, which will exploit a vulnerability in the iMessage software, for instance, that can be a buffer overflow or something. When the message is received by your phone the messaging app will parse this message and then it enters into the iMessage software. And if there is a vulnerability, then you can implement a specific message which will be at the end a virus, some kind of malware, and you can gain remote code execution. So this is the first thing. And when you have a remote code execution in an iMessage environment, it’s not finished yet. You have to find another exploit. It’ll bring you to some privilege escalation in order to become root on the device. So all the time, in order to have zero-click, zero-action, this is something like using a messaging app—so this is the main threat vector. And then you have to chain several different vulnerabilities in order to go out of this iMessage environment and to escape the different countermeasures—because now there are plenty of countermeasures—to get out of the sandbox and so on and finish root on the device. This is not simple. And this kind of virology today is quite expensive because there is a market for vulnerabilities and such a vulnerability—a new one, like zero-day, not known by Apple or by Android—I didn’t verify, but today it’s between $1,000,000-$2,000,000. But you have one vulnerability and you can break all the phones in the world at once. So it’s a question of market in the end. There is a cost opportunity here.
Stephan Livera:
Yeah. That’s very interesting and very scary for many people because I’m sure a lot of listeners are not familiar with this idea. Let me just walk through some of that just to make sure everyone’s following along. The point here is that there are companies out there who for them it is very profitable to find and purchase these exploits and construct software that allows somebody to basically hack someone else’s phone. And as you were saying, the way these might typically operate is they might have a bit of a foot in the door with the messaging service, and then once they’re in, as you mentioned, there’s this idea of chaining together multiple exploits. So at the start you’re getting in via the messaging application somehow, you’re getting remote code execution on that person’s phone, and now—because phones are generally sandboxed or each application is protected in a certain way—you mentioned this idea of privilege escalation. This idea that instead of only just getting in and being stuck in the sandbox, you need a way to get in that sandbox and escalate out of there and get what we call root access, meaning you have God-mode. You can see everything on the phone. And then at that point, if you’re able to read someone’s Bitcoin private key, boom, your coins are going to get stolen. And so I wonder then why haven’t we seen more of these attacks in the wild, because I’m sure there are lots of people who are using Bitcoin phone wallets today with keys hot on the device. Do you think it’s just that let’s call it the Eye of Sauron has not been pointed on this yet? Or is it just not profitable or feasible for them to do that kind of attack yet?
Charles Guillemet:
First of all, it already exists. There are plenty of examples where people get [their funds] stolen on their software wallet. Most of the time it’s mostly used in a targeted mode. I know that you have on your phone like $1,000,000, so it can be interesting to break your phone. It’s not always zero-click. Maybe I can just send you a link and then there was vulnerability in your Chrome, and then I can do a sandbox escape and so on. So this is the first thing. It already exists. It’s not large-scale yet. The second thing is there is an opportunity-cost. The thing is: there’s vulnerabilities, the software is not free, and you have to make sure that the investment that you do in either finding vulnerabilities or buying them will cost lower than what you gain at the end. Because as soon as you just start to use this kind of exploit they get detected and then there are some teams in Apple or Android who inspect what’s going on, find the vulnerabilities, and patch their software. This is called a “burning” analogy—you actually burn it. So there is this opportunity-cost and today criminal organizations can get really more money with easier means. Like, you do phishing attacks—it costs nothing. It does not need any kind of knowledge. And for now it works very well. So as long as it’s easier to do a phishing attack rather than doing that, attackers will prefer to use phishing attacks. But my fear is Bitcoin and cryptocurrency will grow like crazy. This is not a question, this is what’s going on. History will tell but this is what’s ongoing. So the adoption will grow like crazy and at some point I fear that if the adoption goes too much through software wallets, the opportunity cost will be very, very profitable and spending like $1 million, $2 million, $10 million, will be nothing compared to what you can earn using this threat. And from my perspective it’s a systemic risk.
I mean, if an attacker can put $50 million on the table and is able to wipe every single software wallet in the world in a few minutes, it will get like 1,000—maybe more—Bitcoin. And that means that it’s a systemic risk, because if an attacker can get a large proportion of the Bitcoin supply it’s not good for Bitcoin at all. So that’s why I’m a bit frightened by that. On the other hand, I think that hardware wallets and secure solutions will prevail at the end because it’s not a good idea to use software wallets. So we have to continue the education and to explain what’s going on, what are the stakes, and to explain this kind of threat, because this is not only a threat, it will happen. As soon as the opportunity-cost is positive, these kinds of attacks will happen in the field.
Stephan Livera:
Right. For all we know it could even be profitable today but just hasn’t been done yet. We don’t know. I’m sure there would probably be a lot of users out there using some of the well-known wallets even if it was just blockchain.com or blockchain.info’s wallet, or wallets where it’s known that the keys are hot, whether it’s a Lightning wallet or it’s a CoinJoin wallet that requires keys to be hot—there would obviously be a lot of money sitting on all of those devices. And so if the attacker is able to find out who has those devices and obviously pay the money to get that information, this would be a very, very profitable attack. And so obviously it’s something to be concerned about. And as you were saying, though, for now, that’s not the lowest-hanging fruit and they won’t go after that. They might go try and buy a list and [go] email phishing because there’s enough—unfortunately—gullible people who will respond to the phishing attacks. And in some cases they are quite good so it’s not even that you’re gullible, they could have just been really good. The other question I wanted to ask—while we’re on this idea of smartphone wallets and smartphone security—as you were saying, the idea is they don’t want to burn the vulnerability and only use it to spend $2 million to buy a vulnerability and only make $50,000 out of the hack, because now they’ve burned that vulnerability, and then that means in the next version of Apple iOS and in the next version of Android smartphone they will patch that. And so how much of it is a defense that there’s patching going on, or is there use of certain more hardened operating systems you might’ve heard of on Android—for example there’s Graphene OS and some people use Calyx OS and things like that—how much does patching and the use of these alternatives help?
Charles Guillemet:
First of all, there is the zero-day vulnerability market and this is what we were talking about, but frankly, most of the smartphones are not up-to-date. This is the first thing: they are vulnerable right now. This is not tomorrow. This is right now. So I’m going to be very fast on this one—to everyone who listens to us: no one should use software wallets. I think this is as simple as that. If you do that, this is exactly as if you put a bank note in the street. This is what it is about: the software wallets are fundamentally insecure. Everyday, there are vulnerabilities on your browser, on your operating system, on the software running on your computer. It’s clearly too simple to hack a computer. I mean this is not something complex. This is something for students. So don’t put valuable information on it and especially not cryptocurrency. And also to those who use offline computers: first of all, it’s clearly something not convenient at all. If you have some time, I encourage you also to read the story of Stuxnet. You probably know Stuxnet? Very short: Stuxnet is a worm designed by the NSA—they are everywhere—to ruin the nuclear program of Iran. They simply infected the air-gapped computer located in bunkers which were controlling the nuclear plant and more specifically the nuclear centrifuge to make uranium concentrated. It allowed them to physically break all the centrifuges. So the story is fascinating. You should have a look. But what I want to highlight is that even an air-gapped computer can be broken remotely without physical access and so on. This is something you have to have in mind. And using a software wallet is definitely not a good idea for security reasons. I understand what you say about Lightning, and Lightning cannot be used offline. You cannot add a hardware wallet for Lightning. But I think it’s a different use case. You can see it exactly as [you see] your bank notes. Okay, it’s not that secure.
You can use it, but you have to have this in mind. There is also a difference because with software, you can do attacks at scale. I mean if I want to steal your physical [wallet], I have to go near to you and to steal it [from] you. If I want to steal all the physical wallets at scale, it’s complex. But when it comes to software it’s not that complex. Frankly I don’t know what to say because I would love that Lightning grows and so on, but I fear that at some point the whole system would be vulnerable to attacks. And I’m sorry to say that, but today there [are] no real relevant countermeasures to counteract these kind of attacks.
Stephan Livera:
Yeah that’s unfortunate. And yeah that’s sad to say. We should also talk a little bit about some of the different elements of security because in the post, you talked through a few different ideas. So for example, you’ve got evil maid attacks, this concept of protection at rest and protection during secret use. So it’d be great if we could talk through some of those. Maybe if we could just start with this idea of an evil maid attack. So what is that?
Charles Guillemet:
Yeah, maybe I can list the different types of requirements. So I think everything starts with the key generation. Generating good-quality secrets is not that easy but it’s paramount. If your secret is not well generated, an attacker could leverage the bias to guess your secret. In our case, we are using a secure element to do so. They embed a dedicated piece of hardware to generate high-quality random [numbers]. And this random number generator complies with the highest standards and certification. Yes, there are standards for randomness—this is something which exists. So I think this is the first thing which is important in the chain of security. The second is protection at rest. This is also very important. The question is the following: you just HODL your Bitcoin, you just don’t spend on anything, and an attacker breaks into your house and hacks your computer or smartphone remotely—are your keys still safe? So this is what it is about. And what we know is that all wallets are not equal. For instance, [with] what I said before with software wallets, if an attacker gets access to your smartphone, your keys are secure only if you are using a very long password, but long like crazy. And this is only for protection at [rest]. When you start to input your password, things are changing. And even for hardware wallets, all the hardware wallets are not equal. The famous Trezor and KeepKeys, these kinds of hardware wallets, it’s possible to extract the content of this kind of hardware wallet quite easily. But in this case you need physical access to the device and so on. So at the end hardware wallets are always better than software. I’m not saying the [contrary?]. And Trezor also. In our case, we are using secure elements to avoid this kind of attack. This kind of circuit is designed especially for security and especially to resist an attacker with physical access to the device and with a high potential.
And when it comes to a smartphone or desktop computer, if you have physical access it’s just finished except if everything is encrypted with a high-quality password. If you have physical access it’s simply finished. Then there is a protection at use. So HODLing is one thing, but you also need to receive and to send your Bitcoin. And this type of protection is also paramount. I’m about to send a transaction to you, to send Bitcoin to you. So that means I’m about to sign a transaction with my private key, remember? So the question is: How can I be sure that I actually sign the transaction that I intend to? This is something important. And to ensure that you need some trusted display. That trusted display is in the equation, because otherwise if you consent to sign a transaction and the actual transaction which is signed is not the one you wanted, you have an issue. So a hardware wallet has a dedicated screen especially for this to verify what you sign. With a hardware wallet, when you want to sign a transaction, the transaction is prepared on your favorite software companion wallets, let’s say. It prepares the transactions, sends it to your hardware wallet, and then, Okay, I’m about to send 0.1 Bitcoin to your address. I can verify everything. I consent, and then the hardware wallet will sign the transaction. This is what we call the WYSIWYS: what you see is what you sign. So this is something very important. And this is something you cannot achieve with a mobile phone nor a desktop computer because you have many different programs which run at the same time and which could intercept what you are doing and change the display. You cannot be sure of anything about the software wallet. Then we have a supply chain attack. This is also something important. As a user, you received your device. How can you be sure it’s a genuine one? In our case, what we did is to implement an attestation mechanism within the device.
So it’s what we call a certificate, exactly like on HTTPS when you have the lock on your browser, that means that there is a certificate which has been signed. So this is what we put inside each single hardware wallet that we ship and this certificate can be used to prove that the device is genuine. So it’s a cryptographic proof. It cannot be faked, but in practice, unfortunately it’s not sufficient. The main issue we have today with new customers is that they don’t know what to expect when they receive the package. And it’s a big issue, because for instance, we saw this a couple of times in the past: we sell some hardware wallet, we sell it like a new device, what [the attacker] did is initialize it with a seed and they even bought some scratching recovery sheets. And when the user received the device—[because] he doesn’t know what to expect—he has the device already initialized, he has scratching sheet, he scratched the sheet which reveals his 24 words. And he thinks this is the normal way to operate a hardware wallet [but it’s compromised]. And this is a very big issue and this is not easy to tackle because there was nothing technical which will solve this issue. This is not the technical [side]. So this is about education, explaining how the things work, and also explaining those things before the users start their journey in Bitcoin and cryptocurrency. So this is not something easy and we have seen a couple of those attacks in the past. And the last one is an evil maid attack. So this is a very famous kind of attack where an attacker gets a physical access to your device, like your maid gets your device and he can modify it and replace it and at the end he can put it back where it was without the victim noticing the difference. 
In practice, it’s quite difficult to be bulletproof against this kind of scenario, because you can always imagine a scenario where, for instance, a fake device which is very similar to yours which will only wait for you to input your pin and transmit your pin to the attacker and the attacker has your device, he has your pin, and it’s finished. So against this kind of attack, it’s very, very difficult to be bulletproof. There are a few things that we can do, but at the end this is very difficult to tackle this kind of scenario. And generally speaking, fortunately, those scenarios are very unlikely. Those are the five different requirements to be secure. And the security is not easy as you can see.
Stephan Livera:
Yeah. Some of the stuff is very scary as well in terms of being able to take the secret while in use. Going back to those two points that you were mentioning. One is protection at rest. So just HODLing, you just have the keys—how easy is it for somebody to take that secret? And in the case of software wallets, it might be that somebody is trying to brute-force to access your coins. And so then at that point, it’s about how long and how secure is your password, and most people aren’t able to remember very long passwords and that’s why we talk about using password managers, do not reuse your passwords across different services, things like that. But then the most scary one is protection during use. So in the post, you actually show some video examples, very short examples where basically you were able to demonstrate picking out that secret while it was in memory and in use. So I guess then, is it true to say that protection while in use is actually more difficult than protection at rest?
Charles Guillemet:
Yeah, because protection at rest—let’s say in the software wallet on your smartphone—you have a strong protection for your seed at rest, like either a crazy long password, or you are using StrongBox on Android or something. At rest, we can say it’s secure. But as soon as you want to make a transaction or to generate a receiving address, the software will need to decrypt your seed. And that means that at some point, your seed will be in play in your memory. And if you are in the situation where there is a malware on your mobile phone, like a regular situation, the malware can have a look at what’s going on in the memory and then can access the seed when it’s in plain[text]. And as soon as it does, the seed can just [be sent] over the Internet. And there are other videos we demonstrated in the past.
Stephan Livera:
Yeah. And so in that post, for listeners who haven’t seen it, there are some examples both on smartphone wallets and on desktop wallets. I think the desktop example was Electrum which is obviously a very well known wallet. And then some of the smartphone ones, I think it was a Coinbase wallet and also maybe blockchain.info or blockchain.com.
Charles Guillemet:
And also MetaMask. The thing is, this is not a question of, Those wallets which would be insecure. This is the fact that software wallets running on desktop or mobile phones are insecure. This is not about MetaMask or Coinbase or this one, this is just about the model. The model is not secure. And you have to keep this in mind.
Stephan Livera:
Yeah. Very, very scary stuff. And I think it’s challenging because many people in the space who are new, they won’t necessarily be committed to go and buy a hardware wallet at the start. And so often the typical recommendation for people is to start on a phone wallet, or maybe a software wallet on the desktop. But I guess the mitigating factor would be, don’t put too much on that and just use it while you’re learning. And then once you’re ready, that’s when you need to start upgrading to using hardware devices and maybe for larger amounts you should be thinking about multisignature as well. But yeah certainly very scary. And there’s this idea that whenever you open your wallet and it needs to sign a message—Boom! All of a sudden it can just be taken from you in the memory of your phone. And because it’s there in plaintext. Now, I guess the other factor that people might bring up is the example of having a trusted execution environment or some kind of secure element in the phone. How much does that help, or does that not help at all?
Charles Guillemet:
Yeah. Smartphones are a little better than desktop for security, I have to be honest that this is the case. They offer a couple of interesting security mechanisms like app installation—like KeyStore or KeyChain, according to your platform. And also the [inaudible]. [It] is an interesting mechanism. Nevertheless, there are many issues with those. First of all, most of the software wallets on smartphone we studied don’t use the security features, so they exist on your mobile but the software wallets don’t use them. I will tell you why. The thing is that if you have a Samsung Galaxy S21 or if you have a very old phone, the blockchain.com wallets must run on your phone and must be compatible with your phone. And with an old, entry-level phone there was no [inaudible], there was no StrongBox. So only for this reason, it’s not possible to be compatible with any kind of phone and leverage the security mechanism. This is the first thing. The second thing is even if you say, Okay, my software wallet is only compatible with the last version of iPhone and the last version of the Samsung Galaxy S21, the thing is that this mechanism as of today, doesn’t implement the Bitcoin cryptography natively. So that means that you cannot use them out of the box. You cannot say, Okay I will implement all the security parts with cryptography inside the secure enclave and I’m fine. The problem is, as it does not implement this cryptography, your software wallet will need to do something. Okay, I need to sign a bitcoin transaction. I will ask StrongBox, let’s say, or KeyChain to release the key. And then you have the key in plain[text], and then you sign the transaction. So you lose the security at use, [which is] what we mentioned before. And also, even if you lost your keys, we are safe in the KeyChain or the KeyStore. The smartphone doesn’t offer the secure display mechanism.
So when you consent to a transaction, what you consent to is to unlock your KeyChain or your KeyStore, but you do not consent securely to sign the transaction of 0.1 Bitcoin to this address. So the consent is quite different. And as you don’t have the secure display, on your mobile you can see, Okay, I’m sending 0.1 Bitcoin to you. But in fact, I’m sending my real wallet to the attacker and when it consents, this is what it is about. So this is also an issue. You don’t have the secure display, so you cannot add this property. Finally, the thing is that most of those mechanisms, not all, are often broken because security is something which evolves and you need to be up to date all the time and so on. So it is quite often [the case] that there’s a mechanism broken. The thing is it’s difficult to stay up to date on every single platform, every single security mechanism across the world, so this is the difficult part. From a technology perspective it might be possible to design such a device dedicated to that with an Android or something with some trusted display and secure execution for your Bitcoin cryptography, but doing it out of the box on any kind of mobile phone, it’s just simply impossible today.
Stephan Livera:
Yeah, interesting. So essentially it would be possible to design a phone that might be more secure, but by that point, it’s almost like maybe you’re just better getting a hardware wallet because now you’re doing it that way. But maybe in the future, there would be more work done to make it accessible for people who are just getting started and to have it as a smartphone wallet, like a small amount of coins or something like that.
Charles Guillemet:
The problem is to be a very open platform like Android is and iOS is where there are millions of applications. And when you can do anything you want on the Internet and so on, it’s great. But when it comes to security you want to have something small that you master everything. And yeah, I think this is the big difficulty we have today for this kind of product.
Stephan Livera:
Yeah, I see. So in your view then it’s unlikely that there’s much progress in that direction of people trying to make smartphones more secure, or maybe to make smartphones have a trusted element or trusted secure environment that can handle Bitcoin’s cryptography. You would say that’s probably a bit less likely than more of a specialized pathway. Let’s say the world goes down this pathway of, Okay, we’re just going to have to do hardware wallet security better and better and better.
Charles Guillemet:
As I said before, the smartphones are getting more secure [as] time goes [on]. But the thing is, attackers get better as well. And for now there was no time where the security was greater than the attackers. It didn’t happen. So today when you see the last version exploiting iOS and something, it’s quite complex. They implement very complex things to chain different vulnerabilities and to go out of the sandbox escape, then privilege escalation then—and so on and so on. It’s quite complex, but all the time they succeed. So I think the security will increase, but as the stakes are getting higher it’s difficult to stay secure. And as I mentioned just before, if you want to have something secure you have to keep it simple and stupid. This is some Unix motto, KISS: keep it simple and stupid. And it’s very correct for security as well.
Stephan Livera:
Yeah. And so then bringing it back to hardware wallets and how they compare, how hard is it or difficult is it to have malware on a hardware wallet? Or maybe that’s not the right model? Maybe it’s more about introducing a different type of risk, right? It’s like supply chain risk, or as an example with software, there’s this idea that you can verify signatures so you can have reproducible builds. And that’s one technique that people can use in software to make sure that they’re running the right software. But I guess that kind of technique is not possible with hardware, right? You can’t run a PGP verify on a hardware device. So we’re choosing our poison a little bit in terms of which risks are we having to accept, right?
Charles Guillemet:
Yeah, definitely. And I think the hardware wallets are more secure than any other solution, mostly because they are very simple and they do only one thing: they implement cryptography for Bitcoin, they implement [the] Bitcoin application and that’s it. You cannot load your favorite Bitcoin ticker, you cannot load Angry Birds. There is only one thing. You can do only this. There is a very simple way to input things, a very simple way to output things, and that’s it. So this is the main reason why hardware wallets are more secure. Also there are plenty of different hardware wallet projects and I think it’s very good for many reasons. First of all, having several choices is good for Bitcoin. It’s good for the ecosystem in general, it’s good for decentralization, and also hardware wallets remain the best option when it comes to security so I think several choices is good. There are different legitimate options. In the past, we had a look through a couple of them so I can give you some insight on what we [looked at]. And again, for the large majority of hardware wallets, there is no real software threat because it’s not possible to run malware or something. There are some enclaves and they are separated from your phone or your desktop. We had a look [at] Shift Crypto, for instance, and I liked this project a lot. They worked hard on innovation and so on. So this is a project I like. I’m not sure if they are continuing to contribute, it’s been a long time since I heard about them, but this is the product that I liked at the time when I had a look. Also, I’d like to mention my friend Rodolfo from ColdCard. I liked the no compromise with anything. This is something I like with him. And the good part with this kind of hardware wallet is that at the end, when you use your ColdCard, you understand Bitcoin. This is not something for a newbie. This is not newbie friendly at all, but I think it’s an interesting option because it forces you to understand.
You have to do your own research, you have to understand all the tricks, otherwise you cannot use this kind of hardware wallet. So that’s why I liked this project. It won’t ever be a large-scale project because of this. For mass adoption you need to do some trade-offs, and a very smooth and simple UX is something important that you don’t have on a ColdCard. I often discuss with Rodolfo and all the time I request him to support Ethereum, which he is not motivated [to do]. Maybe next time you discuss with him you should suggest this to him.
Stephan Livera:
Definitely not! But yeah, ColdCard is a sponsor of my show so I’m always talking about ColdCard. It’s my favorite of the hardware wallets. Yeah, there’s a lot to think about. And I think at the end of the day, the take-home message is that with software wallets there’s a lot to be desired about their security. And just because we were mentioning it earlier, just so listeners are aware, the examples with the exploits that you ran through in this post—which obviously I’ll include in the show notes—it was an example where the user was downloading a Bitcoin ticker widget application. And this ticker widget application was the one that was able to basically sniff the key out of memory and then display on the screen: Here are the 12 seed words, or here are the seed words and the PIN for this wallet on the phone. And so it’s very scary for people out there who are thinking about their security, and especially if you are securing large amounts of coin on your phone, you’ve got to really be careful about that. And I think that’s where you want to think carefully, and maybe only keep a small amount on your phone just for if you’re using, say, a small amount for Lightning, day-to-day use, little amounts, a couple hundred bucks. Basically an amount of money that you won’t cry about if you lose it. And then for the real stuff, that’s where hardware wallets and multisignature and all those more advanced techniques are becoming more and more necessary. So I guess, Charles, do you have any final thoughts for the listeners? Anything for them to keep in mind as they’re learning about Bitcoin or security? And of course, where can people find you online and Ledger online?
Charles Guillemet:
Yeah. Maybe a couple of recommendations about security. So the first one is something I repeat all the time, but I need to repeat it again. Never ever share your 24 words. I say it again and again, because we hear very often of customers or people in the ecosystem who get phished by people who do clever phishing attacks and they end up giving their 24 words, and when it’s gone, it’s gone. So this would be my main recommendation. The second one is to do your own research. I know this is something you say often on the show and I think it’s important. Bitcoin technology, blockchain technology is something very new. In 10 years, let’s say, it will be straightforward for anyone, but now it’s not straightforward because this is not something we are used to having in our day-to-day life, except both of us, but regular people who are newcomers who go into this ecosystem, they don’t know what it’s about and it’s a new paradigm. So you have to do your own research and understand what’s going on. And maybe the final one is when you use your wallet, always verify what you are doing on the device because otherwise, if you just randomly sign [transactions], you don’t know what you’re doing, so a trusted display is something important. So you have to use it. And to finish with, I would say let’s continue to enjoy the bull run. This is quite refreshing.
Stephan Livera:
Excellent. Well, thank you very much, Charles. It was very educational to talk with you today.
Charles Guillemet:
Good. Thank you, Stephan.