Author Topic: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown  (Read 33305 times)


Offline stick

  • Newbie
  • Posts: 8
  • Country: cz
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #25 on: July 14, 2017, 10:51:35 am »
Maybe send it to Micah Elizabeth Scott? She's really good at reverse engineering embedded systems.

Already sent her a package today! :-)
SatoshiLabs CTO / Co-Author of TREZOR Hardware Wallet
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7314
  • Country: nl
  • Current job: ATEX product design
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #26 on: July 14, 2017, 01:44:35 pm »

The idea behind the (paper) word backup is that people are generally good at protecting their physical assets but quite bad when it comes to protecting their digital assets. Surely you can find a safe place for your backup (grandma's attic, deposit box in the bank, etc.). Also there is a passphrase I describe in my Q&A post above which renders this backup basically useless if an attacker does not know the correct passphrase.

I guess that is reasonable.

Not true, the power is not wasted but used to make the whole "thing work". You use power to verify the transactions and provide so called proof-of-work. Your claim is no different from claiming "VISA/Mastercard waste power in their datacenters for no good reason".
Right now, bitcoin is using more energy than Lithuania. Estimates say that it will use more than Denmark by 2020. And Denmark actually provides cookies and slightly overrated beers, and Lego. Bitcoin is pretty much just a bunch of useless bits (in the grand scheme of things). That energy can be put into use, instead of providing an untraceable platform to pay for drugs and sex slaves.
And there are the side effects. It is impossible to buy mid-tier graphic cards, because they are just bought for Ethereum mining. ROI is like a few months, and people buy dozens at a time just to make money with it. Because they have access to cheap electricity, I need to pay twice as much for a RX480 for example.

There are second layer solutions coming ... so the energy used to perform a transaction will go down.
That is much needed, because right now, it's not economical, nor sustainable.

I understand that you have a product, and you want to earn money with it. It's fine, good luck. I mean it.
I am not happy about the grand scheme of things that are happening with cryptocurrencies. It was never supposed to work like that.
 

Offline wintermute101

  • Newbie
  • Posts: 2
  • Country: pl
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #27 on: July 14, 2017, 03:06:24 pm »
There is a great talk by Christopher Tarnovsky about Semiconductor Security.
It's a little bit off topic but I think many interested in Trezor will find this very interesting.
 

Offline wintermute101

  • Newbie
  • Posts: 2
  • Country: pl
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #28 on: July 14, 2017, 03:18:03 pm »

Q: Why didn't you use Secure Element or Secure Chip?

A: We want to keep TREZOR as open as possible (both firmware and hardware are completely open source and available at our GitHub). If we used Secure Element we would limit hobbyists and hackers in creating their own clones, because you cannot use Secure Element in your design unless you sign a non-disclosure agreement with the vendor. By using standard off the shelf components, we make that really easy. I am aware of Secure Element advantages, but we are trying to fix most disadvantages of generic MCU in the software (see below). Also there is a blog post of a community member gbg describing how he built such clone: http://www.stellaw.info/blog/2015/12/22/i-built-my-own-trezor-clone-dinosaur-hiphop-zero

I used to do a lot of hacking using IMX.6 processor (Former Freescale now NXP). It has decent security but does not require any NDA (to the best of my knowledge). I'm aware that it's an expensive and powerful processor so not suitable for such design.
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 8973
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #29 on: July 15, 2017, 02:51:43 pm »
Bitcoin inherently has a mechanism to keep mining just barely profitable on average. Unprofitable miners leave, causing the difficulty to drop. The price rising or advances in mining technology add more miners to the network, causing the difficulty to rise to keep things balanced.

For now, most of the energy used is for generating new coins. As time goes on, the mining profits will go more and more towards transaction fees as opposed to new Bitcoins.

There are altcoins that are far more energy efficient to mine as compared to Bitcoin, but they suffer from the "ratchet effect". The reason being that if mining still returns more than the cost of energy used, the miners will keep running. That's particularly true of coins that are mined using hard drives or smartphones, where the cost of electricity isn't even factored into the profit calculation.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #30 on: August 17, 2017, 11:52:04 am »
Hello Everyone!
I am a big fan of Dave and EEVblog and I was very pleased today when I saw the newest video. I did not know that Dave is a Bitcoin user, nor that he knows about TREZOR. Really really nice surprise!  :)
Now for some clarification points.
Q: Why didn't you use Secure Element or Secure Chip?

A: We want to keep TREZOR as open as possible (both firmware and hardware are completely open source and available at our GitHub). If we used Secure Element we would limit hobbyists and hackers in creating their own clones, because you cannot use Secure Element in your design unless you sign a non-disclosure agreement with the vendor. By using standard off the shelf components, we make that really easy. I am aware of Secure Element advantages, but we are trying to fix most disadvantages of generic MCU in the software (see below). Also there is a blog post of a community member gbg describing how he built such clone: http://www.stellaw.info/blog/2015/12/22/i-built-my-own-trezor-clone-dinosaur-hiphop-zero

Oops!
https://medium.com/@Zero404Cool/trezor-security-glitches-reveal-your-private-keys-761eeab03ff8


Quote
Q: Why didn't you use epoxy like it was suggested in the video?

A: I see three reasons why use epoxy.
   First is to increase the durability of the device. We feel that TREZOR is durable enough even without the epoxy.
   Second, to obfuscate components you are using in your design. This is not needed as the design is open source.
   Thirdly, to make access to the MCU harder. If you are highly motivated, epoxy will just slow you down, not stop you. Also MCU has disabled JTAG, so there is no need to block access to MCU pins.

Double oops!

Quote
TL;DR: We try to combine hardware and software efforts to create a really open security device. We are not big fans of security through obscurity and we rather introduce smart logical concepts which are unbreakable by design, rather than relying on chance that hardware vendor did the good job obfuscating the design.

Seems that wasn't such a good idea  :palm:
 
The following users thanked this post: thm_w

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #31 on: August 17, 2017, 12:17:25 pm »
Trezor says version 1.5.2 is safe?

Also, the hack is being sold?

Alexander.
Become a realist, stay a dreamer.

 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #32 on: August 17, 2017, 12:28:52 pm »
Trezor says version 1.5.2 is safe?

They have not clarified if it's both the physical attack and the USB attack, or just one.

Quote
Also, the hack is being sold?

Yep, for 0.5 BTC (> AUD$2500)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #33 on: August 17, 2017, 12:31:50 pm »
Their main point about not using a secure processor is valid, you need an NDA so it makes 3rd party auditing not easy.
But I'm thinking they could have maybe used a two chip solution for decoupling the USB interface from the micro using a (secure?) USB chip and the ST ARM micro as they currently have it, and then added physical security by potting the whole thing?
That should prevent any direct USB attack on the ST micro, surely?
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #34 on: August 17, 2017, 12:34:19 pm »
You should make a follow-up showing this hack Dave.
Your toaster just set fire to an African child over TCP.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #35 on: August 17, 2017, 12:37:22 pm »
You should make a follow-up showing this hack Dave.

Looks like I have to pay 0.5 BTC to get the hack though?
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #36 on: August 17, 2017, 12:43:08 pm »
To RGB255_0_0 and all other sensationalist guys.

The FUD on the "exploit" page is CRAZY. Like literally fake news worthy. I am not in any way involved with the company that produces the Trezor but this kind of a page would be laughed at if they would have analogous text about a remote root exploit for Linux. And it seems that everyone is falling to this sensationalist hype.

They are not providing ANY information that is not available, the whole talk about "exploit" is based on the DEFCON presentation that was fixed with this commit:
https://github.com/trezor/trezor-mcu/commit/c8ddd904099d4b082220a684980806108a2eae47

Where they saw what was presented at DEFCON and fixed it.

Yesterday's 1.5.2 release has not been discussed in depth by the company but from github one can see that this is the major change:
https://github.com/trezor/trezor-mcu/commit/98e617d8740b85ae01d7d6e0dd3f49e66057a210

Where they implement a custom reset handler in this file:
https://github.com/trezor/trezor-mcu/blob/98e617d8740b85ae01d7d6e0dd3f49e66057a210/startup.s

And last - they were asking for !!! 20BTC !!!! before taking the 1.5.2 "exploit" link down.

This whole thing stinks.
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #37 on: August 17, 2017, 12:48:01 pm »
Here is the DEFCON talk about voltage glitching, bad quality until official streams are put up in a month or so:

Slides:
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Datko-and-Quartier-Breaking-Bitcoin-Hardware-Wallets.pdf
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #38 on: August 17, 2017, 01:08:15 pm »
From the comments of the article page:

Quote
FUD, this doesn’t work with the recently released 1.5.2, since it wipes the seed when an unsigned firmware is loaded.

The fact that the hack is being sold is really fishy.

Alexander.
Become a realist, stay a dreamer.

 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #39 on: August 17, 2017, 01:15:33 pm »
Don't want to edit posts so clarifying my last posts.

What I meant with "They are not providing ANY information that is not available" - they are providing NO new information, zero, there is literally 0 information about the supposed exploit. The description of the "exploit" is something that I would come up with if someone asked me "read this code change, describe what was fixed as a break-in vector". And the code change is free for anyone to read on the official trezor github page.

And the screenshot about the supposed output? That shows ABSOLUTELY NOTHING. Literally a text file. They don't show the trezor booting. One can download the whole trezor source code and compile their own firmware. Upon flashing that on the device the device instantly zeros internal storage and displays this screen every time it boots:
https://pbs.twimg.com/media/B_CRZYqW0AAhSmh.jpg

This check is done by the bootloader that can NOT be updated. If the firmware is not signed by the trezor company it will display that message and erase internal storage. This is the only real weakness - if someone somehow gets their hands on the signing key. But this weakness exists for ALL hardware devices that have signature checking for firmware.

Without showing a trezor being disconnected and connected to a USB cable and the "exploit" at work this is most probably a firmware that was checked out and just writing the internal storage content out. And this is unencrypted by design as it brings nothing in security wise having it for example encrypted by the PIN code (has been suggested on reddit etc today).
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #40 on: August 17, 2017, 01:48:37 pm »
To RGB255_0_0 and all other sensationalist guys.

The FUD on the "exploit" page is CRAZY. Like literally fake news worthy.

Their response to me when I asked on twitter was "The article is not 100% accurate".
When asked what was wrong, they responded:
Quote
15s is awfully short. SW fix is possible and was released. Weakness fixed in FW 1.5.2. No information about the "advanced" method.

So their main complaint is that they think the time to crack it was exaggerated, so what?
Fact remains it was hacked and the seed words were removed from the SRAM in plain text! Sure they might have fixed it now, but what a ridiculously embarrassing oversight!

They seem to have no knowledge of the "advanced" software only hack, so if that turns out to be real then that's a third hack (the current one being the 2nd they have had to patch)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #41 on: August 17, 2017, 01:51:08 pm »
And the screenshot about the supposed output? That shows ABSOLUTELY NOTHING. Literally a text file.

Umm, it shows the entire seed key in plain text and the pin number. How is that nothing? If true, it's EVERYTHING!
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #42 on: August 17, 2017, 01:54:26 pm »
And the screenshot about the supposed output? That shows ABSOLUTELY NOTHING. Literally a text file.

Umm, it shows the entire seed key in plain text and the pin number. How is that nothing? If true, it's EVERYTHING!

It shows the internal storage. But there is no way to verify how this was read out. You can flash your trezor with a custom firmware and add a function to print out the internal storage. The internal storage is NOT crypted. It's protected by the bootloader that erases it first time it detects a new unsigned firmware. After that you can set your trezor up again, have it generate new wallet and boom - print out the internal storage. But every time you now boot your trezor it will complain that you are running unofficial firmware. There is NO proof on the exploit site that this was NOT done.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #43 on: August 17, 2017, 02:08:35 pm »
And the screenshot about the supposed output? That shows ABSOLUTELY NOTHING. Literally a text file.

Umm, it shows the entire seed key in plain text and the pin number. How is that nothing? If true, it's EVERYTHING!

It shows the internal storage. But there is no way to verify how this was read out. You can flash your trezor with a custom firmware and add a function to print out the internal storage. The internal storage is NOT crypted. It's protected by the bootloader that erases it first time it detects a new unsigned firmware. After that you can set your trezor up again, have it generate new wallet and boom - print out the internal storage. But every time you now boot your trezor it will complain that you are running unofficial firmware. There is NO proof on the exploit site that this was NOT done.

Err, then why have Trezor said they have fixed it if it wasn't possible?
They don't seem to be jumping up and down screaming that this is complete and utter BS. They have admitted a flaw was found and have implemented a fix.
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #44 on: August 17, 2017, 02:11:53 pm »
What makes this whole situation sad - I have mad respect for you Dave. But you had literally 0 verification of the source when you started to push about this on twitter. This is literally batteriser level stuff. Some guy (it's not a known group of hackers or even a known hacker) literally wrote a blog page having sketchy images and NO information. Only his word - "batteriser will extend the lifetime of your battery by 95%" vs "“Absolutely, yes!” — that’s the answer we got at DEFCON 25. So, the ST32F05 chip is really doomed." Even that is totally wrong. His first stance is already wrong. And he goes on with providing absolutely NO proof, no real exploit description, no proof of concept. ZERO.

You did no source analysis before claiming - I called it! And you are a known figure. This is basically like putting your name on the exploit - approved by Dave Jones:"I called it, this is 100% true!" Like the supposed scientists validating that batteriser works.
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #45 on: August 17, 2017, 02:26:43 pm »
Err, then why have Trezor said they have fixed it if it wasn't possible?
They don't seem to be jumping up and down screaming that this is complete and utter BS. They have admitted a flaw was found and have implemented a fix.

They fixed a firmware injection bug with 1.5.2. The supposed exploit page is EXTREMELY vague about anything. But from what I've read from their comments on twitter/reddit - a 3rd party came forward with a real existing proof of concept about something related to firmware injection. And they fixed that with 1.5.2. They are waiting for other manufacturers of trezor clones before disclosing the full details (they now said they will move forward with the process and not wait for other manufacturers to patch their code trees).

So this is all they have to base their response on - they are responding to a blog post that is unbelievably vague and as they just fixed a new bug in 1.5.2 and the code is up on github, the code itself speaks about an attack vector thru reset nonmasking interrupts. So this is the closest thing what described in the blog post resembles. And they fixed that in 1.5.2.
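
A minimal C model of the bootloader behaviour discussed in the replies above, added here as an illustration and not taken from any poster or from Trezor's code: loading unsigned firmware erases storage and triggers the warning screen, and a reset handler that zeroes RAM (an assumption about what such a mitigation does) removes a copy left in memory. The struct names, sizes, sample secret and the boolean standing in for signature verification are all constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 16

/* Constructed model; field names and sizes are illustrative, not Trezor's. */
struct firmware {
    bool vendor_signed; /* stand-in for the bootloader's signature check result */
};

struct device {
    uint8_t storage[SECRET_LEN]; /* persistent seed/PIN area, stored unencrypted */
    uint8_t sram[SECRET_LEN];    /* working RAM; survives a warm reset unless cleared */
    struct firmware fw;
    bool warning_shown;          /* "unofficial firmware" screen */
};

/* Constructed sample secret standing in for the owner's seed (15 chars + NUL). */
static const uint8_t OWNER_SECRET[SECRET_LEN] = "owner-seed-0001";

/* Firmware sets up a wallet: secret goes to storage, a working copy sits in RAM. */
static void wallet_setup(struct device *d, const uint8_t *secret) {
    memcpy(d->storage, secret, SECRET_LEN);
    memcpy(d->sram, secret, SECRET_LEN);
}

/* Bootloader update path: loading unsigned firmware erases storage first. */
static void bootloader_flash(struct device *d, struct firmware new_fw) {
    if (!new_fw.vendor_signed)
        memset(d->storage, 0, sizeof d->storage);
    d->fw = new_fw;
}

/* Reset path. clear_ram models a reset handler that zeroes RAM before any
 * firmware code runs (assumed behaviour of such a mitigation). */
static void bootloader_reset(struct device *d, bool clear_ram) {
    if (clear_ram)
        memset(d->sram, 0, sizeof d->sram);
    d->warning_shown = !d->fw.vendor_signed;
}

static bool holds_owner_secret(const uint8_t *buf) {
    return memcmp(buf, OWNER_SECRET, SECRET_LEN) == 0;
}

/* Bit 0: owner's secret readable from storage, bit 1: readable from RAM,
 * bit 2: warning screen shown. */
static int observe(const struct device *d) {
    return (holds_owner_secret(d->storage) ? 1 : 0) |
           (holds_owner_secret(d->sram) ? 2 : 0) |
           (d->warning_shown ? 4 : 0);
}

/* Owner's provisioned device gets unsigned firmware flashed, then resets. */
int state_after_unsigned_flash(bool clear_ram) {
    struct device d = {0};
    d.fw.vendor_signed = true;
    wallet_setup(&d, OWNER_SECRET);
    bootloader_flash(&d, (struct firmware){ .vendor_signed = false });
    bootloader_reset(&d, clear_ram);
    return observe(&d);
}

/* Signed-to-signed update: wallet kept in storage, no warning. */
int state_after_signed_update(void) {
    struct device d = {0};
    d.fw.vendor_signed = true;
    wallet_setup(&d, OWNER_SECRET);
    bootloader_flash(&d, (struct firmware){ .vendor_signed = true });
    bootloader_reset(&d, true);
    return observe(&d);
}

int main(void) {
    printf("unsigned, RAM not cleared: %d\n", state_after_unsigned_flash(false));
    printf("unsigned, RAM cleared:     %d\n", state_after_unsigned_flash(true));
    printf("signed update:             %d\n", state_after_signed_update());
    return 0;
}
```

In this model the storage wipe alone leaves the RAM copy readable after an unsigned flash; only the run with RAM cleared at reset leaves nothing of the owner's secret, and the warning screen is shown in both unsigned cases.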

 

Offline funkyant

  • Supporter
  • ****
  • Posts: 125
  • Country: au
    • YouTube Channel
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #46 on: August 17, 2017, 05:18:15 pm »
Ok, we get it. You're in damage control mode.

None of this changes the fact that the points Dave raised about the hardware design, the comparisons of the Trezor to other similar security devices he's looked at, all those things... Dave was spot on with his calls.

Fact: a patch was released for a found exploit.

The blog post Dave tweeted had some interesting things to say about a topic directly related to content he made, and a discussion on his forum. Nobody ever said it was anything more than that. Dave also asked @Trezor specifically what was incorrect in the blog post. Their answer was the time needed to perform the hack. Nothing else.

Until you have some other evidence to present, you aren't adding anything useful to the discussion.
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #47 on: August 17, 2017, 06:07:12 pm »
I am a sysadmin. I spend most of my days at work reading security advisories and looking at new exploits and what needs to be patched to countermeasure them. Watching CCC (Chaos Computer Club) or DEFCON presentations is part of my work, mandatory.

This so called exploit blog post has NOTHING that would make it legitimate. Everything about it is off.

If the exploit is real the guy went the really really wrong way disclosing it. First time I've seen someone ask money for a proof of concept code outside of 0-day darknet forums where they sell exploits.
« Last Edit: August 24, 2017, 09:58:38 pm by Marvin »
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #48 on: August 17, 2017, 06:12:01 pm »
Full disclosure: I own a single Trezor device and have been looking at their github commits from the time when the side channel attack came out. The same German guy who found that out has been making the most important patches since that (Trezor hired him).
 

Offline Marvin

  • Contributor
  • Posts: 45
  • Country: ee
Re: EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
« Reply #49 on: August 17, 2017, 06:20:23 pm »
Trezor has now published an official response:
https://blog.trezor.io/addressing-concerns-about-trezor-firmware-1-5-2-4c1f766034c7

Quote
Debunking general claims:
* It is misleading to say that a generic chip is “doomed”. A generic chip, alongside with open-source code, is auditable and allows the community to participate. Anyone can read the code, analyze it, search for mistakes, criticize, and contribute. We do not believe in security by obscurity.
* Arguably, it would take more than 15 seconds to hack into a TREZOR. Flashing a malicious firmware would already take some time. Also, TREZOR’s case is difficult to open, as described below, so the required time is grossly underestimated.
* TREZOR’s plastic case is ultrasonically welded, making it difficult to open. It would be evident if it was replaced by a new case. In case of doubt, you can always scratch the case in a unique way, so that it is more difficult and time-consuming to replace the case.
* It is false to state that there is a combination of vulnerabilities in both hardware and software of the device which cannot be fixed without replacing the device. We fixed the issue in 1.5.2 and there are no other outstanding issues that need fixing.

Analyzing the described attack vector:
* We cannot verify if the author discovered the hack a long time ago, as they did not disclose it responsibly. Therefore, there is no proof that the hack existed at that time. We were notified via Responsible Disclosure earlier this month by different reporter and released a fix on August 16th.
* Moreover, while the article mentions the DEFCON talk, its findings are unrelated to this issue. DEFCON suggestions were already implemented in firmware version 1.5.1.
* We confirm that the steps in the blog post describe an attack which used the fixed vulnerability. This issue was patched in 1.5.2.
* The blog post skips several steps. Also, it mentions an advanced version of the hack, but there is no proof that it exists. There is no description how it works, there are no photos or videos showing it in action.
* There is no way to dump RAM/storage just by connecting two pins. An attacker would need to have a custom firmware. Firmware 1.5.2 fixes the vulnerability that allowed this attack vector.
* While we fixed the issue and released the firmware, we did not disclose the details about the issue to give users time to update and other vendors to apply our fixes.

Other notable points:
* TREZOR’s JTAG is completely disabled, you cannot extract any information from the flash memory or RAM or attach a debugger through this way.
* If you use passphrase protection, you enjoy an additional safety measure against physical attacks. Also, you can hide your wallets.
 
The following users thanked this post: thm_w

