Evaluating the security and trustability of hardware wallets
As Bitcoin appreciates in value, it is more important than ever that we encourage users to withdraw their coins from exchanges and store them securely. For the average user, storing sizable quantities of Bitcoin requires a hardware wallet.
But how do we evaluate the security and trustability of the numerous hardware wallets available on the market today?
Foundation is concerned with new entrants making false claims with regard to open source security models and trustability. We believe it is imperative that our industry self-regulates and follows a clear set of disclosure criteria – so that hardware wallet buyers can make well-informed purchasing decisions.
In this post, we propose a set of criteria with which to evaluate hardware wallets. To avoid bias, this post does not attempt to rank the security or trustability of any specific hardware wallet, and all company and product names have been redacted from quoted material.
- Open or Closed Security Model
- Trustable Components
- Trustable Supply Chain
- Present vs. Future Capabilities
- Honest Claims
- Security Certifications
- Bitcoin PSBT Support
Read on for more details!
Open or Closed Security Model
Hardware wallet producers must disclose whether their security model is open or closed source. There is no middle ground. If parts of the design are secret – such as undisclosed portions of the circuit schematics, redacted component information, or closed source code – then the hardware wallet is closed source.
Foundation has recently observed bizarre open source claims from hardware wallet producers. For example, one claimed to have “pioneered the hardware wallet industry’s first open source secure element firmware” – while not disclosing that the device’s operating system is closed source!
This same producer claims that its “hardware wallet application layer, device schematic (circuit diagram), and bill of materials (BOM) are also open source” – but does not mention that the schematics omit certain information and that the BOM does not include details of the secure element chip.
Another popular producer rightfully states that the apps running on its hardware wallets are open source, but fails to mention that the device firmware itself is closed source.
This is important because most consumers take open source claims at face value. If they are told that a hardware wallet is open source, they expect that experts in the Bitcoin community are able to research and verify the hardware and software running on the wallet. We must provide consumers with accurate information and empower them to make informed purchasing decisions.
Furthermore, it takes a great deal of time and effort to open source hardware products. Producers must provide proper documentation, comments, and build instructions for firmware. Circuit schematics must be legible, self-explanatory, and properly formatted. Electrical designs must be exported to the correct file formats. Bills of materials must detail every component. Datasheets for each component must be provided when possible.
If our industry becomes comfortable with a degraded definition of open source hardware, then we reduce the incentive for producers to be honest and forthcoming. We risk “open source” becoming a buzzword that every hardware wallet producer slaps onto their marketing material in order to sell more units.
For more detailed guidance, we strongly encourage open source hardware wallet producers to comply with the OSHWA open source hardware definition and release all hardware under the CERN Open Hardware Licence (CERN-OHL). This covers many edge cases, such as components on the BOM requiring manufacturer NDAs for datasheet access.
Foundation is currently unaware of any hardware wallet that meets OSHWA criteria and is open sourced under CERN OHL or a similar open hardware license.
Trustable Components
A hardware wallet must be ultra-secure. Therefore, hardware wallet producers must carefully select components that can be trusted. Since hardware today cannot be fully trustless, as we must rely on third party components and global supply chains, Foundation refers to trustworthy components as “trustable.”
Below are common hardware wallet components and potential concerns.
- Screen
Does the screen include an integrated processor running closed source firmware? Most modern high resolution displays are driven by black-box silicon. Is the supply chain opaque? Most AMOLED and E-Ink displays have highly proprietary supply chains. What company manufactures the screen – is it an OEM off Alibaba or a more reputable company like Sharp?
- Touch Panel
If using a touch panel instead of a physical keypad or buttons, does it contain an integrated processor running closed source firmware? Most high-quality multitouch surfaces include an embedded CPU.
- Processor (also referred to as MCU)
What company manufactures the processor? Is it a small China-based producer or a more reputable company like NXP, STM, or Microchip?
- Secure Element
Is the secure element a “dumb” device that cannot execute code, or is it running firmware and an operating system? Does the hardware wallet producer know what firmware is running on the secure element, and do they open source that firmware? Is the secure element a black box? What company manufactures the secure element – a small China-based producer or a more reputable company like NXP, STM, or Microchip?
- Camera
Does the camera include an integrated processor running closed source firmware? Most cameras do. If so, does the hardware wallet treat everything the camera module returns as untrusted input and sanitize it before use, and can the hardware wallet producer demonstrate this by open sourcing the code?
- Lithium Ion Battery
Does the battery contain an integrated processor running closed source firmware? Power-analysis side-channel attacks work by monitoring a device’s power consumption during use, so a battery pack with its own fuel-gauge or protection firmware sits next to a sensitive signal. What company manufactures the battery?
Trustable Supply Chain
Hardware supply chains are complex, and it is rare to see vertically integrated hardware producers. Most hardware companies rely on contract manufacturers, and all hardware companies rely on component supply chains that originate in China. So that buyers can make an informed purchasing decision, Foundation believes that hardware wallet producers must disclose the following:
- Suppliers of key components such as the screen, touch panel, secure element, camera, and battery. This should be done even if the hardware wallet is closed source, as it is trivial to identify this information with a tear-down.
- Name and location of third party engineering firms that contributed to hardware wallet design. For example, buyers need to know if a US-based wallet producer outsourced electrical engineering work to a firm in China.
- Location of contract manufacturer(s). While it is prudent to keep manufacturer names confidential for security reasons, it is important to know the general location of manufacturing. For example, buyers need to know if a European wallet producer outsourced manufacturing to China.
Present vs. Future Capabilities
Hardware wallet producers will improve their products over time, both by adding new features and responding to bug reports and vulnerabilities. We know that it is tempting to rush a hardware wallet to market in order to generate revenue as soon as possible, but producers must understand that they are selling important security devices. The industry must judge hardware wallet producers on the capabilities of their devices today – not based on future roadmaps.
We’ve recently observed new hardware wallet entrants promise to open source components of their designs in the future, or add critical features like PSBT support in a future release.
In a Twitter DM with one hardware wallet producer, I asked in regard to a mobile companion app:
So you’re comfortable letting your customers use the app, but won’t release the code?
We are comfortable letting users use the app. We just think doing a code audit before open sourcing it is a responsible way compared to directly open sourcing it.
This is mind-boggling to me, as the company admitted that it feels comfortable having users download a closed-source, unaudited companion app and use it to secure their cryptocurrency. Our industry must judge hardware wallet producers by the present capabilities of their devices, and push back hard on any company that states “we will do X in the future.”
Honest Claims
Foundation has observed numerous false claims by hardware wallet producers with regard to device security and capabilities. Most consumers do not have the expertise to determine whether claims are truth or fiction. Therefore, the community must hold hardware wallet producers accountable and call out any false or exaggerated claims.
Below are some claims we’ve recently observed:
Hackers simply cannot even attempt to steal your crypto
The first Bitcoin wallet to secure against physical attacks
The combination of multi-layer and multi-sig protections creates the most physically secure storage wallet ever created
Thanks to its innovative key generation and recovery system, you will always be safe from any attack
The WORLD’S FIRST Multicurrency, Non-electronic Hardware Wallet
[Wallet] adopts an industry-first 2-Factor Key Generation (2FKG) process for the production and private key generation for our physical wallets. The 2FKG process ensures the highest safety standards for your cryptocurrency assets.
Anti-Tamper: Theft is not an issue as [Wallet] is protected from physical attacks.
The Cold Wallet, not just a hardware wallet. Air-Gapped. Anti-Tamper. Trustless Trust
The [Wallet] is built around the most secure type of chip on the market, ensuring optimal security for your crypto.
The Best Security…[Wallet] offers the best level of protection: your key remains protected in a certified secure chip.
Many of these claims are complete lunacy (“Hackers simply cannot even attempt to steal your crypto”), but many buyers of hardware wallets will take these claims at face value. Others are more nuanced (“built around the most secure type of chip on the market”), but are attempting to state opinion as fact.
Hardware wallet producers must understand that they are not selling toaster ovens or calculators – they are selling important security devices that are designed to safeguard large amounts of cryptocurrency. Hardware wallets are imperfect. Hardware security is imperfect. There will always be vulnerabilities. Producers must make honest claims.
Security Certifications
Some hardware wallet producers advertise security certifications like Common Criteria EAL5. There is nothing inherently wrong with security certifications, but we must recognize their shortcomings.
- Component producers pay certification organizations to certify their products. It’s important to understand this incentive structure.
- Certification processes do not cover every attack vector; components are put through a predefined process with predefined scenarios. A Common Criteria evaluation covers only the Target of Evaluation and the threats listed in its Security Target, and the EAL number expresses how rigorously that scope was evaluated, not how much of the finished product it covers.
- A certificate applies to the evaluated chip and firmware configuration, not to the hardware wallet built around it. The wallet’s own firmware, display, input path, and companion app are outside its scope.
- Certifications are not a replacement for independent reviews.
We as an industry cannot allow hardware wallet producers to hide behind security certifications. For example, a recently launched hardware wallet producer described its product as follows:
A 100% offline, anti-tampered cryptocurrency hardware wallet and the only one in the world with the highest security certification for its secure firmware (EAL7)
I emailed the company asking for further clarification on whether the firmware was open, and was told:
We’ll make a lot of the code available on github etc, but our secure firmware which has earned the highest security certification in the world (EAL7, as per press release tomorrow), will be closed sourced (as well as the secure element). We hope to go more towards the open source end gradually.
This is massively misleading for average consumers who do not understand how security certifications work. We cannot allow new hardware wallet producers to hide behind certifications as an alternative to making their devices open source and auditable.
Bitcoin PSBT Support
As a bonus, Foundation believes that hardware wallets that support Bitcoin should clearly disclose whether or not they support Partially Signed Bitcoin Transactions (PSBT, BIP 174). PSBT is a standard interchange format for unsigned and partially signed Bitcoin transactions which, among other things, makes it easy to create multisig setups across different hardware and software wallets.
Hardware wallet producers that do not support PSBT are perpetuating walled-garden ecosystems, discouraging Bitcoin innovation, and drastically increasing the difficulty for software wallet developers to integrate with new hardware wallets.
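What makes PSBT an interchange format is a small, fixed structure: a magic prefix, a global key/value map carrying the unsigned transaction, then one map per input and one per output. The following is an added example, not Foundation’s code or any wallet’s implementation: a minimal BIP 174 structural parser in Python, with a sample PSBT constructed inline from placeholder txid and key-hash bytes (labelled as such in the code; it is not a real transaction). It checks the magic, rejects duplicate keys, verifies that the unsigned transaction carries empty scriptSigs, confirms that the number of maps matches the transaction’s inputs and outputs, and reads the fee from witness UTXOs.

```python
"""Minimal BIP 174 (PSBT) structural parser: an added example, not Foundation's code.
Demonstrates the PSBT key/value map layout and the checks an integration performs
before trusting one: magic bytes, no duplicate keys, empty scriptSigs in the unsigned
tx, and exactly one input/output map per tx input/output. The sample PSBT below is
constructed with placeholder txid and pubkey-hash bytes; it is not a real transaction."""
PSBT_MAGIC = b"psbt\xff"
GLOBAL_UNSIGNED_TX, IN_WITNESS_UTXO, IN_SIGHASH_TYPE = b"\x00", b"\x01", b"\x03"  # BIP 174 key types

def take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated data")
    return buf[pos:pos + n], pos + n

def read_compact_size(buf, pos):
    """Bitcoin CompactSize varint; returns (value, new_pos)."""
    first, pos = take(buf, pos, 1)
    if first[0] < 0xFD:
        return first[0], pos
    raw, pos = take(buf, pos, {0xFD: 2, 0xFE: 4, 0xFF: 8}[first[0]])
    return int.from_bytes(raw, "little"), pos

def compact_size(n):
    """Encoder for the sizes this example needs (single-byte and 2-byte forms)."""
    return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")

def read_map(buf, pos):
    """Parse one PSBT map: <keylen><key><valuelen><value>... terminated by a 0x00 byte."""
    kv = {}
    while True:
        klen, pos = read_compact_size(buf, pos)
        if klen == 0:                   # separator ends this map
            return kv, pos
        key, pos = take(buf, pos, klen)
        vlen, pos = read_compact_size(buf, pos)
        value, pos = take(buf, pos, vlen)
        if key in kv:                   # BIP 174: a duplicate key makes the PSBT invalid
            raise ValueError("duplicate key %s in map" % key.hex())
        kv[key] = value

def parse_unsigned_tx(raw):
    """Parse the non-witness serialization BIP 174 requires; returns (n_inputs, output_values)."""
    _, pos = take(raw, 0, 4)                          # version
    n_in, pos = read_compact_size(raw, pos)
    for _ in range(n_in):
        _, pos = take(raw, pos, 36)                   # previous txid + vout
        slen, pos = read_compact_size(raw, pos)
        if slen != 0:
            raise ValueError("scriptSig must be empty in a PSBT unsigned tx")
        _, pos = take(raw, pos, 4)                    # sequence
    n_out, pos = read_compact_size(raw, pos)
    values = []
    for _ in range(n_out):
        amount, pos = take(raw, pos, 8)
        values.append(int.from_bytes(amount, "little"))
        slen, pos = read_compact_size(raw, pos)
        _, pos = take(raw, pos, slen)                 # scriptPubKey
    _, pos = take(raw, pos, 4)                        # locktime
    if pos != len(raw):
        raise ValueError("trailing bytes after unsigned tx")
    return n_in, values

def parse_psbt(buf):
    """Returns {'n_inputs', 'output_values', 'inputs', 'outputs'} or raises ValueError."""
    if not buf.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT: bad magic")
    glob, pos = read_map(buf, len(PSBT_MAGIC))
    if GLOBAL_UNSIGNED_TX not in glob:
        raise ValueError("missing PSBT_GLOBAL_UNSIGNED_TX")
    n_in, values = parse_unsigned_tx(glob[GLOBAL_UNSIGNED_TX])
    maps = []
    for _ in range(n_in + len(values)):               # one map per input, then one per output
        m, pos = read_map(buf, pos)
        maps.append(m)
    if pos != len(buf):
        raise ValueError("map count does not match the unsigned transaction")
    return {"n_inputs": n_in, "output_values": values,
            "inputs": maps[:n_in], "outputs": maps[n_in:]}

def psbt_fee(p):
    """Fee in satoshis, or None if some input carries no witness UTXO to take a value from."""
    total_in = 0
    for m in p["inputs"]:
        if IN_WITNESS_UTXO not in m:
            return None
        total_in += int.from_bytes(m[IN_WITNESS_UTXO][:8], "little")   # TxOut amount field
    return total_in - sum(p["output_values"])

def is_valid_psbt(buf):
    try:
        parse_psbt(buf)
        return True
    except ValueError:
        return False

def sample_psbt():
    """Constructed vector: one 1 BTC P2WPKH input, one 0.999 BTC output (fee 100,000 sat)."""
    spk = b"\x00\x14" + b"\xcd" * 20                          # P2WPKH script, placeholder hash
    tx = (b"\x02\x00\x00\x00"                                # version 2
          + b"\x01" + b"\xab" * 32 + b"\x00\x00\x00\x00"     # one input: placeholder txid, vout 0
          + b"\x00" + b"\xff\xff\xff\xff"                    # empty scriptSig, sequence
          + b"\x01" + (99_900_000).to_bytes(8, "little")     # one output of 0.999 BTC
          + compact_size(len(spk)) + spk + b"\x00\x00\x00\x00")  # scriptPubKey, locktime
    witness_utxo = (100_000_000).to_bytes(8, "little") + compact_size(len(spk)) + spk
    global_map = b"\x01" + GLOBAL_UNSIGNED_TX + compact_size(len(tx)) + tx + b"\x00"
    input_map = (b"\x01" + IN_WITNESS_UTXO + compact_size(len(witness_utxo)) + witness_utxo
                 + b"\x01" + IN_SIGHASH_TYPE + b"\x04" + (1).to_bytes(4, "little")  # SIGHASH_ALL
                 + b"\x00")
    return PSBT_MAGIC + global_map + input_map + b"\x00"      # empty output map
```

On the constructed sample, parse_psbt returns one input map holding the witness UTXO and a SIGHASH_ALL entry, one empty output map, and psbt_fee reports 100,000 satoshis. Truncating the buffer, appending a stray map, or repeating a key inside a map makes parse_psbt raise ValueError, which is the behaviour BIP 174 asks of any consumer; a wallet that accepts such input silently is the kind of integration quality this criterion is meant to surface.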
Foundation hopes that this post is a starting point in a larger conversation around hardware wallet requirements in the Bitcoin and cryptocurrency industry. We must self-regulate in order to provide consumers with the most secure possible products in order to safeguard their assets.