Earlier this year, cryptocurrencies valued at $530m were stolen in a hack on a Japanese cryptocurrency exchange. Reportedly, slack security practices made the exchange vulnerable because the money was stored in a poorly-secured digital wallet. If the exchange had been using a hardware security device, the hack probably wouldn't have succeeded.
Guest blog written by Mark Patrick, Mouser Electronics.
Other exchanges have lost sums now valued in billions. It is not only exchanges that are under threat - many individuals have lost amounts of cryptocurrencies totalling hundreds of millions of dollars in attacks ranging from the simple (weak passwords and hacked PCs) through to the highly complex (such as social engineering attacks in which an individual is impersonated to take over their mobile phone account and defeat widely-used two factor security measures based on codes sent by text message).
No matter what your opinion on cryptocurrencies, such as Bitcoin and Ethereum, there is no question that their seemingly ever-increasing value (the price of one Bitcoin, for example, has soared from $10 in early 2013 to over $10,000 in the first quarter of 2018) attracts clever and patient attackers. Therefore, there is growing demand for dedicated hardware security devices, also known as hardware wallets, to protect digital assets from hacking and accidental loss, and users will pay handsomely for such security.
The key function
The primary function required from these security devices is secure private key storage and signing. The essential principal is that the cryptographic private keys never leave the device. Although the mathematics behind asymmetric public key cryptography is relatively complex, it is an easy task for versatile modern computing hardware. These security devices are based around full-featured CPUs, typically ARM devices, so they could offer dozens of attractive features, and they could be based on open platforms, such as Android, that offer easy and cheap access to a huge range of capabilities - but in fact they take advantage of none of these potential selling points. Many hardware security devices are so limited in features that they don’t even contain a battery - they only work when connected to a host PC or mobile device via a USB cable. This miserly restriction of features is a deliberate choice made by their designers, and it is not an attempt to cut costs. So why are they designing such limited products?
Reducing the feature set to increase security
These key storage and signing devices place unusual and exacting demands on developers, since a mistake could devastate brand value and expose the company to litigation. Therefore, a feature set that is restricted to the bare minimum required is itself an attractive feature of these products - for both users and manufacturers.
A single hardware wallet could store millions of dollars in cryptocurrencies, so they are very attractive targets for thieves, and an almost unprecedented challenge for designers. Many of the same challenges apply to other hardware security products, such as the personal security devices issued by banks and other organizations for one-time password generation - and to general issues of secure platform design.
The challenges designers face include implementing strong encryption and a fool-proof user interface in a pocket-sized, low power device. The code must be free from major bugs. The firmware must be updatable, but the device must remain safe even when connected to a compromised host. Ideally, assets should be recoverable even if the device is lost or destroyed. The vendor must balance user demands for more features and ease-of-use with the risk that additional features will increase the potential attack surface.
Practical security steps
Give the above challenges, most hardware wallets are designed to safely handle being plugged into a compromised host device. For example, to protect a user sending a cryptocurrency from a hacked PC that invisibly alters the recipient address before sending it to the hardware wallet to be signed, the hardware wallet displays the receiving address on its own small screen so the user can verify it. The device then uses the private keys to create a signed transaction that it returns to the host PC, which then broadcasts it to the Internet. The mathematics of public key cryptography make it impossible for a hacked PC to alter this signed transaction, because it doesn’t have access to the private keys.
The device must be tamper-resistant - so manufacturers are using techniques, such as ultrasonic-welded plastic case seams and sealing chips with epoxy or potting compound, to make illicit access difficult and detectable. Testing and debugging features like JTAG are disabled on the core chip, despite the obvious inconvenience that comes with this.
The manufacturing and delivery chain must be as secure as possible. Vendors are using strongly-glued packaging, reinforced with tamper-resistant holographic-printed security seals, to create a package that is very difficult to open without leaving obvious traces.
Finally, it is critical for the vendor to win the trust of customers and to be able to have complete faith their own development staff. Somewhat paradoxically these and other goals can be made easier by open sourcing software, firmware and even hardware design - so that anyone can inspect the software. The developers of the Trezor hardware wallet took this approach, despite the fact that it enabled at least one competitor to clone their product.
As any experienced developer will tell you, designing secure systems is hard, and the vast rewards available to a cryptocurrency thief means that hardware security device developers face skilled and determined adversaries. There is much to be learnt from the innovative and sometimes counter-intuitive security techniques being tried by developers in this market.