Hardcore Hardware Security Requires a Step Back In Time
Foundation strives to build ultra-secure hardware with an open source security model. This is especially important for hardware wallets, which are used to store sizable amounts of Bitcoin and cryptocurrencies.
Today’s devices are largely designed for a pre-Bitcoin world. They are proprietary, opaque, and closed source. They are not designed to protect Bitcoin’s immutable transactions.
Take an iPhone, for example. An iPhone’s software is closed source – it runs firmware and an operating system made by Apple. There is no public code on Github. Security researchers or savvy individuals cannot audit any of the code running on the device.
Likewise, an iPhone’s hardware is closed source – its circuit board designs, list of components (commonly called the “BOM” or bill of materials), and details of component functionality are proprietary and confidential. Sure, it’s possible to conduct a tear-down and attempt to determine how an iPhone works, how the circuitry is designed, and what components it uses. But the information gleaned from such an effort is limited at best.
Does Apple encrypt your iMessages? Does it safely upload your data to iCloud? Are apps sufficiently isolated to protect you from viruses and exploits? With closed source hardware like an iPhone running a closed source operating system, it is impossible to answer these questions. Instead, we are forced to trust Apple completely with our digital lives.
In a pre-Bitcoin world, this did not matter. The worst-case scenario was that an attacker stole your personal data, bought a few items with your credit card, and Venmo’d away a few thousand dollars. You then reset your passwords, called your credit card company, submitted a support ticket with Venmo – and resumed life as usual.
In a Bitcoin world, if your money is stolen then it is gone. There is no recourse.
Today’s devices are built on a closed-source security model that is not transferable to a Bitcoin world. At Foundation Devices, we are dedicated to building ultra-secure hardware with an open source security model.
Unlike most hardware companies today, Foundation Devices:
- Minimizes the use of black-box silicon – chips whose functions are unknown and are often bundled with common components like screens and touch panels.
- Purchases chips and components only from reputable suppliers and distributors.
- Reduces attack surfaces as much as possible.
- Assembles our devices under close supervision in the USA.
- Releases our hardware and software as open source.
In order to build secure hardware for a Bitcoin world, we sometimes need to take a step back in time. Many common components today are not designed for hardcore security, transparency, auditability, and openness. When designing Passport, our Bitcoin hardware wallet, we made the conscious decision to avoid the following:
- High resolution displays which contain black-box silicon that could collect data or display false information.
- Capacitive touch panels which contain black-box silicon that could record user inputs or hijack the device.
- Lithium ion batteries which contain black-box silicon that could help attackers exploit power-related vulnerabilities.
- Bluetooth which increases attack surface and has consistent vulnerabilities.
- USB which increases attack surface, such as this Ledger vulnerability.
This means that Passport uses a physical keypad, monochrome display, AAA batteries, and QR codes for communication. It somewhat resembles a Nokia phone! But it provides an excellent user experience, great design, and – most important – strong, open source security.
If you are looking to purchase a hardware wallet, be wary of devices that use touch screens and contain Bluetooth. Be especially wary of closed source hardware. Ask the manufacturer – who makes the touch screen and where is it produced? Is the hardware and firmware open source? Does the wallet include Bluetooth or other forms of wireless communications?
Foundation Devices believes it is important that hardware wallet makers, above all, prioritize security. Here’s how we think about security for Passport:
- If it can be visually inspected, it’s the best. This is why we use a Memory Display over a high resolution OLED or TFT display, and why we use a physical keypad over a touch panel.
- Minimize the use of black-box silicon and purchase all chips from reputable suppliers. Our suppliers include ST Microelectronics, Microchip, Omnivision, Analog Devices, and ON Semiconductor. Passport does not contain components from sketchy Chinese OEMs.
- Crucial components should be made ourselves. Rather than relying on a proprietary true random number generator (TRNG), we implemented an open source TRNG called an Avalanche Noise Source that uses commodity components (thanks bunnie!).
Over time, as Bitcoin grows and we sell more devices, we will design open source touch screens, more secure wireless communication protocols, and open and auditable chips. We look forward to making this a reality as we build Foundation Devices!
Preorder the Passport Founder’s Edition today, limited to 1000 units!