There’s no such thing as a self-hosted wallet

They’re not content with just controlling our fiat money and our Bitcoin on centralized exchanges, so they’re coming for our self-custodied Bitcoin as well.

In a proposal to the European Union, the General Secretariat laid out an updated set of restrictions on cryptocurrency usage within the EU. While much of the proposal should be familiar, the updated language and recommendations around so-called “self-hosted wallets” are a frightening step towards tighter control over how we use Bitcoin. This new regulation proposes not only an implementation of the “Travel Rule” (requiring personal identification attached to each transfer between centralized, regulated entities) but also a limit of €1,000 to transfers from and to regulated exchanges and a recommendation to “mitigate the risks posed by transfers from and to self-hosted addresses” with forthcoming recommended restrictions.

One of the most onerous aspects of this new regulation is its introduction of the term “self-hosted” to imply that money you own and control can and should be regulated, when no such term exists for physical cash or fiat. When you choose to control your Bitcoin, you don’t have to “self-host” anything; you simply hold the key to certain Bitcoin outputs and can transfer ownership of those outputs (or coins) to other entities by signing over control to them. This key is a randomly generated 64-character string of letters and numbers (e.g. E987…3262), and regulating knowledge of a string of characters is an unbelievable overstep of power. The ability to transfer monetary value in a peer-to-peer manner is one that has existed since the early days of civilization and has historically been private, without requiring disclosure or surveillance.

The implication that the only way the State can prevent crime is by surveilling and collecting personal information from every financial transaction is an unprecedented shift towards centralized control. This control has not been necessary in the past for a safe, effective, and high-functioning society to prosper. When compared to fiat, cryptocurrencies like Bitcoin present an infinitesimally small amount of illicit activity. In their 2022 “Crypto Crime Report”, Chainalysis estimated that only 0.15% of all cryptocurrency volume involved illicit activity, compared to an estimated 2-5% of all GDP ($1.6-4 *trillion*) for fiat. The EU wishes to wield irrational fear and literary propaganda to justify centralizing and expanding their control over our lives.

With these numbers in mind, why are regulators like the EU attempting to tighten the noose on cryptocurrency usage by sovereign individuals? It certainly is not to prevent rampant crime, as cryptocurrencies are barely utilized for that and the low-hanging fruit is fiat use in crime. Is it for our own benefit? It certainly isn’t for our monetary safety, as users’ funds are far safer when self-custodied than when left to centralized exchanges and regulated custodians. Maybe, just maybe, they want to limit the ways in which each one of us can take back some control of our money from the state.

When they can’t control or surveil our finances or our actions, the power returns to the sovereign individual.

Bitcoin and Asimov’s Foundation

In Asimov’s renowned Foundation trilogy, the Galactic Empire is crumbling. Civil war and nuclear holocaust are imminent. An inevitable dark age of 30,000 years awaits humanity.

All of humanity’s knowledge will be lost.

Hari Seldon, leader of a fringe scientific movement called Psychohistory, becomes aware of this impending doom and devises a plan. Mankind will establish a colony on the edge of the galaxy – a Foundation – and catalog all of humanity’s knowledge in an Encyclopedia Galactica. This will reduce the dark age to only 1000 years and allow humanity to rebuild.


Today, we live at the intersection of three major societal shifts.

  1. The global economy abandoned a gold standard in 1971, which has since caused the destruction of our middle class and plunged us all into drowning debt and inescapable inflation. The solution from our elected (and appointed) leaders? Print more money!
  2. We are in the midst of a “Great Reset.” The US dollar (cough, petrodollar) is on the decline and competing powers are vying to replace it. China, specifically, aims to displace the United States as the dominant global superpower by 2049. The CCP is already exporting its tried-and-tested, authoritarian, mass surveillance system to the rest of the world.
  3. With the invention and global adoption of the Internet, our world is entering its Fourth Stage as an Informational society. As noted in The Sovereign Individual, an eerily prescient publication, this societal shift will force the Nation State into decline. 

While our world is not at risk of 30,000 years of darkness (we hope), we are experiencing hard times – and they will only continue to grow harder throughout this decade.

One potential outcome is that China becomes the new global superpower and succeeds at exporting its authoritarianism to us all. The CCP uses its digital yuan as a tool of population control and mass surveillance, creating a permanent ruling class of elites that control how money is printed and distributed. Society experiences a twisted combination of 1984 and Fahrenheit 451.

Bitcoin offers us salvation. Rather than transitioning to yet another centralized currency, fabricated by a central bank, backed by nothing – Bitcoin reaches mass adoption as the decentralized global reserve currency. We experience a separation of money and state. Permanent inflation ends. Individuals can save and invest in their future. Governments’ ability to wage endless wars, via money printing and taxation, is no more. A new peaceful, prosperous era of the sovereign individual emerges. 

Bitcoin is our Foundation. Mass embrace of Bitcoin will enable humanity to minimize the duration of chaos and emerge in utopia.

A transition to a Bitcoin Standard will not be easy. In this decade we will face seemingly insurmountable resistance from a dying fiat system that is gasping for breath as it drowns. Much of this resistance will be political – governments will attempt to ban, curtail, and cripple Bitcoin as its user base grows. But Bitcoin, and its forces of decentralization, will also threaten the incumbent technology gatekeepers that control how the world accesses the Internet.

The vast majority of the world’s population accesses the Internet via devices and services made by Apple and Google. The vast majority of the world’s population uses closed source devices made by small numbers of large manufacturers. So if we want to opt out of the Fiat Standard, and opt into a Bitcoin Standard, how can we do so as the incumbents resist?

The answer is simple. We must rebuild and catalog humanity’s knowledge, just like Hari Seldon did in Asimov’s Foundation. But unlike Seldon, we don’t need to build our Encyclopedia on a remote planet on the edge of the galaxy. Instead, we can build it in the open – through the power of Free and Open Source hardware and software. 

This is why we started Foundation Devices – to accelerate the adoption of Bitcoin by rebuilding and cataloging humanity’s knowledge as open source. To create a permissionless hardware and software foundation on which others can build. To help guide humanity through our transition to the Fourth Stage.

Order Passport Batch 2 today, limited to 2400 units! $199.00

The Foundations of Freedom in Bitcoin

In the decentralized, peer-to-peer Bitcoin network, there are no central institutions that protect individuals from fraud or loss. Sovereign Bitcoin users must look after their own security, which makes it critically important that they are able to identify which products and services are trustworthy and safe to use. 

The first step Bitcoin organizations should take in order to be considered credible is to be fully open source under the proper licensing. Open source projects are more likely to be secure because, given an active development community, a greater number of individuals are involved in inspecting and contributing to their code.

Bitcoin is an ecosystem built on a foundation of free and open source software and ideas. Progress in Bitcoin is made as we build on each other’s work. Bitcoin users must have full freedom over the hardware and software infrastructure they use – freedom to fork, freedom to change, freedom to run the programs they want without any intermediaries.

This article will explain why open source development is both more efficient from a security perspective and the only viable way forward for Bitcoin.

Civil Liberties in Hardware and Software

To understand why open source is critical for Bitcoin users, it helps to have some historical context about how the movement’s ideals emerged. Before the Copyright Act of 1976 ruled that computer programs could be considered intellectual property, software programs had often been bundled and sold together with hardware. This created a development environment in which programmers worked primarily out of passion for their field and cooperated with one another in a free-flowing, non-restrictive way. 

However, after the 1976 changes to IP law, companies began working on proprietary software that could be sold on its own. This marked the beginning of a trend that gained full momentum by the early 1980s and which eventually resulted in the walled garden ecosystems we see today.

The irony for many of the originators of the technology that had enabled the personal computing era was that they believed foremost in the civic duty of sharing information for public benefit. A staunch advocate for freedom of access and development in software among this generation of creators was Richard Stallman. His writings voiced the idea that it was not enough to protect the practical aims of open information sharing – philosophical aims conducive to a virtuous society also had to be respected in software. 

To reflect the importance of individual freedoms, Stallman wrote the GNU General Public License (GPL) series of copyleft licenses that protect the rights of software users, rather than owners.

In addition to all the practical benefits of open source development, the terms “Free and Open Source Software (FOSS)” and “Free and Open Source Hardware (FOSH)” imply that a product upholds basic individual freedoms and civic duty. Here, “free” refers to freedom, rather than whether or not the product is free to use. 

In his writings on “nonfree” software, Stallman describes how privatization and black-boxing of code erodes our spirit of self-reliance and consequently runs contrary to the principles upon which democracies like the United States are founded. Without the ability to analyze, modify, or redistribute the software we use, we are ultimately passengers in the digital world, unable to take agency for ourselves or on behalf of our fellow citizens and neighbors.


Bitcoin was not built to resemble the walled garden digital economy, but instead to provide a path for restoring our sense of self-sufficiency and sovereignty. In today’s world of sweeping centralization, over-organization, and lack of transparency, it is more important than ever to protect the ideals that Bitcoin stands for. The only way to work towards a future for Bitcoin in which freedom and autonomy are preserved is to support projects that are free and open source under FOSS and FOSH licenses.

Not Compromising on Open Source

In the same way that we trust the Bitcoin protocol because it is free and open source software, we can more confidently trust products that are free and open source. FOSS and FOSH licenses can help the Bitcoin community identify and give recognition to projects that uphold the full standards of transparency as well as reflect the spirit of free software and hardware.

As new waves of users enter the Bitcoin market, bringing us ever closer to mass adoption, there will also be unprecedented interest from malicious actors. In order to avoid thefts or loss of funds, a majority of new Bitcoiners may continue to consign key ownership to large exchanges or engage with Bitcoin through trusted third parties. 

The custodial decisions made by new Bitcoiners will have a tremendous effect on the future of financial sovereignty in Bitcoin – and whether centralized institutions and players that have no concern for the foundational principles of Bitcoin may come to dominate the space. It is our hope that the strength of free and open source projects in the industry will incentivize and inspire new users to opt to take control of their sovereignty.

Transparency is Better than Obscurity

The way forward for the Bitcoin community—if it wants to stay true to its ideals—is the same model of open source development adopted by the original Bitcoin protocol and software. Bitcoin is a paradigm that clearly thrives on communal development, cooperation, and progressively building on shared work. 

As Richard Stallman writes, “In any intellectual field, one can reach greater heights by standing on the shoulders of others. But that is no longer generally allowed in the software field—you can only stand on the shoulders of the other people in your own company.” A notable advantage of a decentralized system is in coalescing the work created by a diverse community of developers and entrepreneurs and enabling anyone to expand or improve upon that work.

A world in which we are not able to build on the intellectual progress of others is a world that would be less innovative and less secure. The hardware wallet industry is a quintessential example of how building on top of each other, rather than building from scratch, enables rapid innovation. We at Foundation are deeply appreciative of the open source projects – like MicroPython, Coldcard, and Trezor – that helped us bring Passport to market.  


It is much more efficient to build in concert with developers across an active community than to draw only from the development resources of one’s own company. When a product’s open source code attracts a larger and more diverse group of contributors to verify that it functions as intended and is not susceptible to critical flaws, consumers can have more confidence that it can be trusted. The cross-referencing of the opinions of experts is a much more credible source of information to depend on than the reputation of a centralized institution.

Recent notable hacks of proprietary hardware and software illustrate how detrimental black box development can be to the security of users. Just last year, Apple’s T2 co-processor, which handles encrypted storage and secure boot capabilities, was cracked by a team of researchers who found it was vulnerable to the same “checkm8” exploit that had been used to jailbreak Apple’s A10 processor. The fact that this vulnerability originated from T2 being based on the A10 is a telling example of how developers limited to the resources of their company are less likely to understand and recognize flaws in their product. Researchers found that attackers can gain access to the T2 chip of MacBooks produced from 2018 to 2020 if they have physical possession of the device or are able to swap out one of the owner’s cables for a modified lookalike specifically engineered for the attack. The failure of these generations of MacBooks is not a good look for Apple, a company that has long projected an image of itself as more secure due to its walled garden approach.

Also last year, Intel’s Software Guard eXtensions (SGX), a security system marketed as a highly isolated enclave for safeguarding private keys, fell victim to yet another security vulnerability. The latest crack involved two separate side channel attacks capable of stealing sensitive information, and came just after Intel sought to mitigate previous vulnerabilities by modifying app-layer code. The fact that large hardware manufacturers like Apple and Intel can struggle to provide consumers with secure black box private key storage solutions is further indication that open, auditable code can be a stronger security model.


Implications for Hardware

Hardware is a delivery mechanism for software, and free and open source hardware is absolutely fundamental to creating a decentralized digital economy in which users can find trustable products – and in which rapid innovation can occur. This is why we believe meeting the criteria for free and open source software and hardware is not only beneficial for security and product improvement, but necessary for the future of Bitcoin. 

To understand the specifics of the CERN OHL v2 hardware licenses and GPLv3 firmware licenses that classify Passport as FOSH, look out for our next article!


Leading an Open Hardware Renaissance

In April we set off to build a new type of hardware company. Instead of building closed source, proprietary hardware, we’d open source all of our work – from the firmware to the circuit designs. We’d fight back against today’s norm of security via opaqueness and instead embrace security via transparency.

Instead of releasing open source hardware catering only to developers and hardcore security enthusiasts, we’d design beautiful devices with bold, unique industrial designs and intuitive user interfaces. We’d aim to build the best products, period, and bring them to the largest number of people.

Only 8 months after launching Foundation Devices, we have finished prototyping Passport and are beginning mass production. In several weeks we will be shipping our first devices to customers across the world.

We are excited to announce that we’ve released Passport’s circuit designs as fully open source under CERN OHL S v2, and Passport’s alpha firmware under GPLv3 (and other compatible licenses). These viral, copyleft licenses ensure that others can use our work for any purpose – as long as they open source their work as well.

Open source is core to our mission and values at Foundation Devices, and we encourage other hardware companies to join the open hardware movement.

The Importance of Open Hardware

Security via openness and transparency. In a Bitcoin powered world, with immutable transactions and no recourse for thefts or loss, it is more important than ever that hardware and software are open. Security experts can easily review designs and report vulnerabilities, and advanced users can verify that the hardware and software have not been modified or tampered with.

Open hardware is likely to have fewer vulnerabilities than closed hardware. Read more in our previous post.

Building on each other’s work to innovate faster and progress society. In the hardware world today, progress is slow and siloed because each new hardware company either starts from scratch or buys proprietary IP from a small handful of companies (like Qualcomm or ARM). We think this is one of the main reasons why progress in the physical world is slower than in the digital world. In software, by contrast, developers can find tens of thousands of high quality open source libraries on GitHub and quickly integrate them into their projects.

Imagine if a young software startup was forced to pay Google for some proprietary IP to make a useful product and was required to sign an NDA – this is what the hardware world is like today.

Passport’s Open Source Foundation

Passport is built upon and inspired by numerous open source elements. For our hardware, we researched the architecture of popular devices like Coldcard, Bitbox02, and Trezor – all of which post their electrical schematics on GitHub. We also implemented an open source true random number generator from the Betrusted project (called an Avalanche Noise Source).

For our firmware, we relied on the open source MicroPython project and used Coldcard’s open source firmware as a template. We started a new MicroPython project, did low-level bringup work for our hardware components (such as the camera), created a new user interface, and ported and modified pieces of Coldcard’s code.

We also implemented Trezor’s open source crypto library, ported Blockchain Commons’ open source UR Library to Python, and integrated two open source QR libraries.

It would not have been possible to design Passport in less than a year without building on great open source work.

Other Hardware Wallets

Currently only Passport and Trezor meet the definition of Open Source Hardware. Foundation Devices believes it is our responsibility to encourage other hardware producers to fully open source their work.

  • We applaud Trezor for their full embrace of open source hardware, but we suggest they license their hardware designs under CERN OHL v2.
  • We implore Ledger to change their approach and open source their hardware designs and proprietary firmware.
  • We suggest that Bitbox02 and Coldcard release their circuit design files, rather than just their schematics, so that the hardware can be fully open source.

Our beliefs about the importance of open source were inspired by both Coldcard and Trezor. When Coldcard launched in 2018, they used Trezor’s open source crypto library – and welcomed others to use their open source, GPLv3 code!

https://twitter.com/nvk/status/1023978745848246273

We are grateful for Coldcard’s open source firmware, of which we’ve used numerous components to more quickly bring Passport to market. However, we are disappointed that they’ve recently chosen to relicense their firmware as non-open source. The Commons Clause license condition is not open source and is incompatible with GPL. The Free Software Foundation urges rejection of software under this license condition, and the license condition is widely criticized and on the decline.

In Summary

Passport’s circuit designs are now released as fully open source under CERN OHL S v2, and Passport’s alpha firmware is now released under GPLv3 (and other compatible licenses).

We believe open hardware improves cooperation and security and accelerates industry progress. We’re excited to bring open hardware products to the world and hope to see others do the same!


Bitcoin and a revolution in American manufacturing

Foundation Devices is proudly headquartered in Boston, the birthplace of the American Revolution. The USA was established 244 years ago on the belief that all individuals deserve life, liberty, and the pursuit of happiness. Bitcoin captures these same ideals, providing sound money that lowers our time preference, allowing us to accumulate savings and invest in our future. 

At Foundation, our mission echoes these values:

Foundation Devices strives to empower humankind – to make Bitcoin and decentralized tech accessible to each and every individual in order to build a new era of sovereignty, ownership, and privacy. Our products are the foundation of a better, sovereign Internet.

Foundation will push for a new American Revolution – a revolution in American manufacturing. 

Before Bitcoin, American manufacturing of electronic devices added cost without adding proportional value. For example, a phone manufactured in the USA is not necessarily more useful or higher quality than a phone manufactured in China. Buyers in the USA might be excited to pay more for the phone because it’s “Made in the USA,” but there is no functional benefit to making the phone locally.

Bitcoin changes this. With immutable transactions on the Bitcoin blockchain, there is no recourse if funds are stolen. There’s no bank to reverse the transaction, no credit card company to issue a refund, no FDIC insurance to protect institutions against loss. Bitcoin devices must securely store private keys and safeguard against numerous attack vectors. This turns traditional hardware security models upside down.

Currently most electronic devices originate from China. You may be comfortable with the risks of having your phone made in China. But what about your Bitcoin hardware wallet?

We are at the beginning of a slow transition to sovereignty and privacy. Bitcoin wallets will replace bank accounts. Private keys will replace passwords. Money, identity, and data will be controlled by individuals instead of institutions.

In this new paradigm, we need more trustable hardware. We need components from reputable suppliers and tight control over supply chains. We need to be physically present on the factory floor and ideally own our own manufacturing facilities. We need open source, auditable designs. And we need to build our hardware in jurisdictions which stand for basic human rights and freedoms.

Yes, in America our unalienable rights are regularly being put to the test, recently with a Coronavirus-fueled government push for greater surveillance capabilities and a ban on end-to-end encryption. But Foundation is optimistic that Americans will prevail. Groups like the EFF are vigorously fighting for our freedoms – and countless individuals and organizations will continue to speak out. 

Foundation will assemble our devices in the USA. We say “Assembled in the USA” rather than “Made in the USA” because most components originate from Asia. This is sadly the state of the hardware industry; almost nothing is made in America anymore. To mitigate this, Foundation is purchasing key components – such as the processor, secure element, and screen – from reputable suppliers that are headquartered outside of China (specifically STMicroelectronics, Microchip, and Sharp). And we are buying all our components through American distributors like Arrow who have high quality standards and strong supply chain oversight.

So what exactly are we doing in America?

  1. We are headquartered in America and pay American taxes.
  2. We design our products in America.
  3. We prototype our products in America, using equipment from American companies like Formlabs and American quick-turn prototyping facilities.
  4. We purchase components exclusively from American distributors or suppliers.
  5. We assemble our circuit boards in America.
  6. We assemble and test our devices in America.
  7. We package and ship our devices in America.
  8. We conduct regulatory testing at American facilities.
  9. We work with an American industrial design firm.

Foundation will strive to continuously onshore our supply chain. This will increase our costs, as American labor is more expensive, but the benefits are significant and it will enable us to build more trustable devices. We believe our customers will be willing to pay a modest premium for sovereign hardware made in the USA.

We have a lot of work to do. It’s not enough for key components to originate from outside of China. We need to bring semiconductor production back to the USA so that critical chips can be produced domestically. We need more efficient processes for plastic and metal production so that we can build enclosures locally. And we need to competitively produce common circuit board components, such as resistors and capacitors, in America. Tariffs will help us, as well as other government incentive programs. Foundation will be leading the charge!

Our first product, a Bitcoin hardware wallet called Passport, will be assembled in the USA. We’ll be publishing more info about Passport over the coming weeks. Pre-orders will open later this summer for shipping later this year.


Evaluating the security and trustability of hardware wallets

As Bitcoin appreciates in value, it is more important than ever that we encourage users to withdraw their coins from exchanges and store them securely. For the average user, storing sizable quantities of Bitcoin requires a hardware wallet.

But how do we evaluate the security and trustability of the numerous hardware wallets available on the market today?

Foundation is concerned with new entrants making false claims with regard to open source security models and trustability. We believe it is imperative that our industry self-regulates and follows a clear set of disclosure criteria – so that hardware wallet buyers can make well-informed purchasing decisions.

In this post, we propose a set of criteria with which to evaluate hardware wallets. To avoid bias, this post does not attempt to rank the security or trustability of any specific hardware wallet, and all company and product names have been redacted in quotations.

Proposed Criteria:

  1. Open or Closed Security Model
  2. Trustable Components
  3. Trustable Supply Chain
  4. Present vs. Future Capabilities
  5. Honest Claims
  6. Security Certifications
  7. Bitcoin PSBT Support

Read on for more details!

Open or Closed Security Model

Hardware wallet producers must disclose whether their security model is open or closed source. There is no middle ground. If parts of the design are secret – such as undisclosed portions of the circuit schematics, redacted component information, or closed source code – then the hardware wallet is closed source.

Foundation has recently observed bizarre open source claims from hardware wallet producers. For example, one claimed to have “pioneered the hardware wallet industry’s first open source secure element firmware” – while not disclosing that the device’s operating system is closed source!

This same producer claims that their “hardware wallet application layer, device schematic (circuit diagram), and bill of materials (BOM) are also open source” – but does not mention that their schematics are omitting certain information and that their BOM does not include details of the secure element chip.

Another popular producer rightfully states that the apps running on its hardware wallets are open source, but fails to mention that the device firmware itself is closed source.

This is important because most consumers take open source claims at face value. If they are told that a hardware wallet is open source, they expect that experts in the Bitcoin community are able to research and verify the hardware and software running on the wallet. We must provide consumers with accurate information and empower them to make informed purchasing decisions.

Furthermore, it takes a great deal of time and effort to open source hardware products. Producers must provide proper documentation, comments, and build instructions for firmware. Circuit schematics must be legible, self-explanatory, and properly formatted. Electrical designs must be exported to the correct file formats. Bills of materials must detail every component. Datasheets for each component must be provided when possible.

If our industry becomes comfortable with a degraded definition of open source hardware, then we reduce the incentive for producers to be honest and forthcoming. We risk “open source” becoming a buzzword that every hardware wallet producer slaps onto their marketing material in order to sell more units.

For more detailed guidance, we strongly encourage open source hardware wallet producers to comply with OSHWA criteria and open source all hardware under CERN’s Open Hardware License (OHL). This covers many edge cases, such as components on the BOM requiring manufacturer NDAs for datasheet access.

Foundation is currently unaware of any hardware wallet that meets OSHWA criteria and is open sourced under CERN OHL or a similar open hardware license.

Trustable Components

A hardware wallet must be ultra-secure. Therefore, hardware wallet producers must carefully select components that can be trusted. Since hardware today cannot be fully trustless, as we must rely on third-party components and global supply chains, Foundation refers to trustworthy components as “trustable.”

Below are common hardware wallet components and potential concerns.

  • Screen
    Does the screen include an integrated processor running closed source firmware? Most modern high resolution displays are running black-box silicon. Is the supply chain opaque? Most AMOLED and E-Ink displays have highly proprietary supply chains. What company manufactures the screen – is it an OEM off Alibaba or a more reputable company like Sharp?
  • Touch Panel
    If using a touch panel instead of a physical keypad or buttons, does it contain an integrated processor running closed source firmware? Most high-quality multitouch surfaces include an embedded CPU.
  • Processor (also referred to as MCU)
    What company manufactures the processor? Is it a small China-based producer or a more reputable company like NXP, STM, or Microchip?
  • Secure Element
    Is the secure element a “dumb” device that cannot execute code, or is it running firmware and an operating system? Does the hardware wallet producer know what firmware is running on the secure element, and do they open source that firmware? Is the secure element a black box? What company manufactures the secure element – a small China-based producer or a more reputable company like NXP, STM, or Microchip?
  • Camera
    Does the camera include an integrated processor running closed source firmware? Most cameras do. If so, does the hardware wallet sanitize the input from the camera, and can the hardware wallet producer demonstrate this by open sourcing the code?
  • Lithium Ion Battery
    Does the battery contain an integrated processor running closed source firmware? Some hardware wallet attack vectors include monitoring the power consumption during usage. What company manufactures the battery?

Foundation is heavily inspired by the work of bunnie, a well known open source hardware expert. Read more about trustable hardware on his blog.

Trustable Supply Chain

Hardware supply chains are complex, and it is rare to see vertically integrated hardware producers. Most hardware companies rely on contract manufacturers, and all hardware companies rely on component supply chains that originate in China. So that buyers can make an informed purchasing decision, Foundation believes that hardware wallet producers must disclose the following:

  1. Suppliers of key components such as the screen, touch panel, secure element, camera, and battery. This should be done even if the hardware wallet is closed source, as it is trivial to identify this information with a tear-down.
  2. Name and location of third party engineering firms that contributed to hardware wallet design. For example, buyers need to know if a US-based wallet producer outsourced electrical engineering work to a firm in China.
  3. Location of contract manufacturer(s). While it is prudent to keep manufacturer names confidential for security reasons, it is important to know the general location of manufacturing. For example, buyers need to know if a European wallet producer outsourced manufacturing to China.

Present vs. Future Capabilities

Hardware wallet producers will improve their products over time, both by adding new features and responding to bug reports and vulnerabilities. We know that it is tempting to rush a hardware wallet to market in order to generate revenue as soon as possible, but producers must understand that they are selling important security devices. The industry must judge hardware wallet producers on the capabilities of their devices today – not based on future roadmaps.

We’ve recently observed new hardware wallet entrants promise to open source components of their designs in the future, or add critical features like PSBT support in a future release.

In a Twitter DM with one hardware wallet producer, I asked in regard to a mobile companion app:

So you’re comfortable letting your customers use the app, but won’t release the code?

They replied:

We are comfortable letting users use the app. We just think doing code audit before open source it is a responsible way compared to directly open source it.

This is mind-boggling to me, as the company admitted that it feels comfortable having users download a closed-source, unaudited companion app and use it to secure their cryptocurrency. Our industry must judge hardware wallet producers by the present capabilities of their devices, and push back hard on any company that states “we will do X in the future.”

Honest Claims

Foundation has observed numerous false claims by hardware wallet producers with regard to device security and capabilities. Most consumers do not have the expertise to determine whether claims are truth or fiction. Therefore, the community must hold hardware wallet producers accountable and call out any false or exaggerated claims.

Below are some claims we’ve recently observed:

Hackers simply cannot even attempt to steal your crypto

The first Bitcoin wallet to secure against physical attacks

The combination of multi-layer and multi-sig protections creates the most physically secure storage wallet ever created

Thanks to its innovative key generation and recovery system, you will always be safe from any attack

The WORLD’S FIRST Multicurrency, Non-electronic Hardware Wallet

[Wallet] adopts an industry-first 2-Factor Key Generation (2FKG) process for the production and private key generation for our physical wallets. The 2FKG process ensures the highest safety standards for your cryptocurrency assets.

Anti-Tamper: Theft are not an issue as [Wallet] is protected from physical attacks.

The Cold Wallet, not just a hardware wallet. Air-Gapped. Anti-Tamper. Trustless Trust

The [Wallet] is built around the most secure type of chip on the market, ensuring optimal security for your crypto.

The Best Security…[Wallet] offers the best level of protection: your key remains protected in a certified secure chip.

Many of these claims are complete lunacy (“Hackers simply cannot even attempt to steal your crypto”), but many buyers of hardware wallets will take these claims at face value. Others are more nuanced (“built around the most secure type of chip on the market”), but are attempting to state opinion as fact.

Hardware wallet producers must understand that they are not selling toaster ovens or calculators – they are selling important security devices that are designed to safeguard large amounts of cryptocurrency. Hardware wallets are imperfect. Hardware security is imperfect. There will always be vulnerabilities. Producers must make honest claims.

Security Certifications

Some hardware wallet producers advertise security certifications like EAL5. There is nothing inherently wrong with security certifications, but we must recognize their shortcomings.

  1. Component producers pay certification organizations to certify their products. It’s important to understand this incentive structure.
  2. Certification processes do not cover every attack vector; components are placed through a predefined process with predefined scenarios.
  3. Certifications are not a replacement for independent reviews.

We as an industry cannot allow hardware wallet producers to hide behind security certifications. For example, a recently launched hardware wallet producer described its product as follows:

A 100% offline, anti-tampered cryptocurrency hardware wallet and the only one in the world with the highest security certification for its secure firmware (EAL7)

I emailed the company asking for further clarification on whether the firmware was open, and was told:

We’ll make a lot of the code available on github etc, but our secure firmware which has earned the highest security certification in the world (EAL7, as per press release tomorrow), will be closed sourced (as well as the secure element). We hope to go more towards the open source end gradually.

This is massively misleading for average consumers who do not understand how security certifications work. We cannot allow new hardware wallet producers to hide behind certifications as an alternative to making their devices open source and auditable.

Bitcoin PSBT Support

As a bonus, Foundation believes that hardware wallets that support Bitcoin should clearly disclose whether or not they support partially signed Bitcoin transactions (PSBT). PSBT is a standard format for Bitcoin transactions which, among other things, makes it easy to create multisig setups across different hardware and software wallets.

Hardware wallet producers that do not support PSBTs are perpetuating walled-garden ecosystems, discouraging Bitcoin innovation, and drastically increasing the difficulty for software wallet developers to integrate with new hardware wallets.
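To make the interoperability point concrete, here is an added example (not code from Foundation or any wallet vendor) that parses the BIP-174 (PSBT version 0) container the same way for a file from any signer, rejecting truncated input, duplicate keys and a non-empty scriptSig in the unsigned transaction. The function names and the sample bytes are constructed for this illustration.

```python
MAGIC = b"psbt\xff"  # BIP-174 magic bytes plus separator

def take(buf, pos, n):  # bounds-checked slice
    if pos + n > len(buf):
        raise ValueError("truncated PSBT")
    return buf[pos:pos + n], pos + n

def compact_size(buf, pos):  # 0xfd/0xfe/0xff announce a 2/4/8-byte LE integer
    (first,), pos = take(buf, pos, 1)
    raw, pos = take(buf, pos, {0xfd: 2, 0xfe: 4, 0xff: 8}.get(first, 0))
    return (int.from_bytes(raw, "little") if raw else first), pos

def read_map(buf, pos):  # one key-value map
    entries = {}
    while True:
        klen, pos = compact_size(buf, pos)
        if klen == 0:  # 0x00 separator ends the map
            return entries, pos
        key, pos = take(buf, pos, klen)
        vlen, pos = compact_size(buf, pos)
        if key in entries:
            raise ValueError("duplicate key in map")
        entries[key], pos = take(buf, pos, vlen)

def count_ins_outs(tx):  # tx is the unsigned transaction from the global map
    n_in, pos = compact_size(tx, 4)  # skip the 4-byte version
    for _ in range(n_in):
        slen, pos = compact_size(tx, pos + 36)  # skip outpoint (txid + vout)
        if slen:
            raise ValueError("unsigned tx must have empty scriptSigs")
        pos += 4  # skip sequence
    return n_in, compact_size(tx, pos)[0]

def parse_psbt(raw):  # returns the global map plus one map per input and output
    if raw[:5] != MAGIC:
        raise ValueError("missing PSBT magic")
    glob, pos = read_map(raw, 5)
    if b"\x00" not in glob:  # global key type 0x00 holds the unsigned tx
        raise ValueError("no unsigned transaction in global map")
    n_in, n_out = count_ins_outs(glob[b"\x00"])
    maps = []
    for _ in range(n_in + n_out):
        m, pos = read_map(raw, pos)
        maps.append(m)
    return {"global": glob, "inputs": maps[:n_in], "outputs": maps[n_in:]}

# Constructed sample: 1 input, 1 output; the input map sets a sighash type (key 0x03).
_TX = (b"\x02\x00\x00\x00\x01" + b"\x11" * 32 + bytes(4) + b"\x00" + b"\xff" * 4 + b"\x01"
       + (50_000).to_bytes(8, "little") + b"\x16\x00\x14" + b"\x22" * 20 + bytes(4))
SAMPLE = MAGIC + b"\x01\x00" + bytes([len(_TX)]) + _TX + b"\x00\x01\x03\x04\x01\x00\x00\x00\x00\x00"
```

Calling `parse_psbt(SAMPLE)` returns the global map plus one map per input and output; the same call works on a `.psbt` file produced by any compliant wallet.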

Conclusion

Foundation hopes that this post is a starting point in a larger conversation around hardware wallet requirements in the Bitcoin and cryptocurrency industry. We must self-regulate in order to provide consumers with the most secure possible products in order to safeguard their assets.


Bitcoin and the Sovereign Internet need open hardware

Our entire world is based on trust. We trust that our banks will safeguard our deposits; we trust that companies will keep our personal data private; we trust that governments will keep us safe. 

But is this sustainable? Over the past decades our trust in critical institutions has slowly eroded. Irresponsible banking practices plunged us into repeated economic crises. Facebook and Google collect our personal data at an unprecedented scale, while repeatedly failing to implement sufficient safeguards against data breaches and leaks. And now, as the COVID-19 crisis progresses, our governments are working with tech companies to expand mass-surveillance capabilities. 

The solution is clearly a sovereign Internet and financial system built on Bitcoin and other sovereign technologies. Bitcoin allows us to opt out of the existing system, transacting peer-to-peer without trusted third parties. 

Open source makes Bitcoin possible. Without open source, there would be no way to independently verify that Bitcoin has a maximum supply of 21 million coins; there would be no way to understand how it functions. Without Bitcoin’s open source code, we would be forced to trust third parties. Open source is the bedrock of our emerging sovereign Internet.

At Foundation Devices, we strongly believe that open source software alone is insufficient – open software must run on open hardware. And while we’ve seen immense progress in the FOSS movement and Bitcoin, we’ve seen little progress in open hardware. 

Hardware today is a web of proprietary intellectual property, non-disclosure agreements, and security-via-opaqueness. Want to know more about how that hardware wallet is keeping your Bitcoin safe? Sign that NDA and learn about that EAL5+ security certification and proprietary operating system!

Ledger Nano X product page

This opaque hardware security model may be fine for your passport or credit card. But with the rise of Bitcoin and cryptocurrencies, for the first time ever real money can be stolen without any recourse. No bank or credit card company can reverse a Bitcoin transaction. No government will provide your Bitcoin wallet with FDIC insurance.

If an employee at Ledger adds a vulnerability to the proprietary, closed source firmware running on the STMicroelectronics (STM) security chip, your funds could be stolen. If a security researcher discovers a vulnerability in the STM security chip, you will not be notified without signing an NDA. If a government works with STM to insert a backdoor into their security chip, you will never know. 

With Bitcoin’s market cap at around $160B, there are minimal incentives for our institutions to misbehave. But what about at a $1T market cap? $10T? The incentives continue to grow, and it is inevitable that companies and governments will attempt to compromise Bitcoin hardware in this decade.

And what about when every device is transacting with Bitcoin, sending machine-to-machine micropayments? What happens when our entire economy is built on Bitcoin? Every device – from cellphones to laundry machines – becomes a hardware wallet. 

Closed, trusted hardware security models no longer work in a Bitcoin world!

So what do we do? We build open source hardware. We start by designing products with more trustable components, assembled in a more trustable USA-based facility. We produce open source, legible circuit schematics using a respected license like CERN’s Open Hardware License. We publish all firmware as open source under MIT or GPL3 licenses. We clearly identify the components that require trust, such as the processor and secure element, and we work to source or build our own components that are more open and trustable.

In addition to emphasizing open source, we deliver great design and UX. We make open hardware with mass-consumer appeal. We prove that open hardware can be beautiful, intuitive, approachable. We demonstrate that open hardware can sell! 

We start with a hardware wallet and move to other critical products. We build the open hardware foundation for Bitcoin and the sovereign Internet.
