HWallet: The simplest Bitcoin hardware wallet



  1. HWallet: The simplest Bitcoin hardware wallet. Nemanja Nikodijević <nemanja@hacke.rs>, FOSDEM '19

  2. Vulnerabilities in hardware wallets
     - https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-6-2-a3b25b668e98
       "...the buffer overflows, allowing the attacker to write up to 60 bytes of data into a protected part of the memory..."
     - https://wallet.fail/wallets/nanos/firmware-f00dbabe/
       "An attacker with physical access to the device can execute arbitrary code on the STM32 MCU."
     - https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522
       "...an attacker with physical access to a TREZOR device could have created a custom firmware which extracts the seed from the RAM of the device."
     - https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
       "While the software on the SE can be attested to, the MCU is a non-secure chip and its firmware can be replaced by an attacker"
     [block diagrams: OLED, USB, MCU; OLED, USB, MCU, Secure MCU]

  3. Hardware wallets: hardware acceleration (TRNG, SHA256, secp256k1) and open source
     - STM32F205: TRNG ✗, SHA256 ✗, secp256k1 ✗; open source ✓
     - STM32F042 + ST31H320 (secure MCU): TRNG ✓, SHA256 ✓, secp256k1 ✗; open source ?
     - STM32L475 + ATECC508A (secure element): TRNG ✗, SHA256 ✗, secp256k1 ✓; open source ✓
     - HWallet (NXP K20, NXP K(L)82): TRNG ✓, SHA256 ✓, secp256k1 ✓; open source ✓

  4. Library dependencies [diagram; legend: open source, closed source, third party libs. Labels: Emulator, Bootloader & Firmware, QR encoder, ST31, BOLOS, App 0 … App n, SEPROXYHAL, STM32 HAL, libopencm3, nanopb, micropython, uECC, Trezor Crypto, Cryptography (SHA1/2/3, AES, BLAKE2, Base58, RIPEMD160, Ed25519, Curve25519, Chacha20, Poly1305)]

  5. Don't roll your own crypto!

  6. Code size comparison

         git clone https://github.com/{PRODUCT}/{FIRMWARE} --recurse-submodules
         cd {FIRMWARE}
         wc -l `find ./ -name "*.c" -o -name "*.h"`

     [bar chart; labels: OLED font, License headers, HWallet; values: 2.5M+, 346k+, 162k+, 122k+, ~4k]

  7. Code layers
     - Peripheral layer: UART, CRC, SPI, GPIO, LTC, MMCAU, TRNG
     - LTC 256-bit operations:
         A = A mod N
         B = (1/A) mod N
         A = (A+B) mod N
         A = (A*B) mod N
         y^2 = x^3 + A[3] * x + B[0]
         (B[1], B[2]) = E * (A[0], A[1])
     - Bitcoin: TX, SHA256D, ECDSA (nonce, secp256k1), TX Signature
     - NXP K82 to Communication MCU: Tx/Rx speed fixed to 115200 bps
     - NXP K82 to OLED: SPI bus clocked at 1 MHz
     https://gitlab.com/nemanjan/hwallet

  8. Code layers: Packet, OLED, Crypto (on top of UART, CRC, SPI, GPIO, LTC, MMCAU, TRNG)
     - Packet:

         typedef struct {
             uint16_t type;
             uint16_t length;
             uint8_t data[32];
             uint32_t crc;
         } Packet;

         PACKET_Send();
         PACKET_Receive();

     - OLED:

         typedef struct {
             SPIx* spi;
             GPIOx* dcGpio;
             GPIOx* rstGpio;
             uint8_t dcPin;
             uint8_t rstPin;
             uint8_t buffer[ ];
         } OLED;

         OLED_WriteRow();
         OLED_Clear();

     - Crypto:

         CRYPTO_Random();
         CRYPTO_SHA256();
         CRYPTO_ECDSA_Sign();
         CRYPTO_ECDSA_GetPublicKey();

         typedef struct {
             uint8_t num[32];
             uint8_t len;
         } Bignum;

         CRYPTO_Bignum_Init();
         CRYPTO_Bignum_Mod();
         CRYPTO_Bignum_Div();
         CRYPTO_Bignum_Sub();
         CRYPTO_Bignum_IsNull();

     - Bignum division:
         B' = (1/B) mod N
         A' = A - A mod B
         (A/B) mod N = (A'B') mod N
         N - a large prime, larger than any A or B, e.g. p from secp256k1

  9. Code layers: Main Loop (on top of Packet, OLED, Crypto)

         while(1) {
             Packet msg;
             PACKET_Receive(&msg);
             switch(PACKET_MODULE(msg.type)) {
                 case PACKET_BITCOIN:
                     Bitcoin_Process(&msg);
                 ...
             };
         }

     Packet type: bits 15..8 = Module, bits 7..0 = Function

  10. Code layers: Bitcoin, ???, ???, ??? (on top of Main Loop)

         void Bitcoin_Process(Packet* msg) {
             switch(PACKET_FUNC(msg->type)) {
                 case BITCOIN_FUNC_INIT_TX:
                     Bitcoin_Tx_Init();
                 ...
             };
         }

  11. What's next?
     - FIDO U2F, WebAuthn CTAP (challenge, response)
     - Anti-Tamper: NXP K(L)81 (in place of NXP K(L)82)
     - Comm MCU: nRF52840
     - Recovery seed (BIP-39): witch collapse practice feed shame …
     - BIP-32: entropy, 128-512 bit; m, m/0, ...
     - More cryptocurrencies (BIP-44): m/44', m/44'/0'; 0' – BTC, 60' – ETH, 144' – XRP, …

  12. Questions?
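
An added example, not from the talk or the HWallet repository: a bounds-checked receive path for the Packet struct and 16-bit type field shown on slides 8 to 10, rejecting the kind of oversized-length input behind the buffer overflow quoted on slide 2. The wire layout (little-endian type, length, data, crc), the CRC-32 variant, and the names packet_parse, PacketStatus, crc32_calc, rd16 and rd32 are assumptions; PACKET_MODULE and PACKET_FUNC are defined here from the slide's bit layout.

```c
#include <stdint.h>
#include <string.h>

#define PACKET_DATA_MAX  32u                        /* data[32] on slide 8 */
#define PACKET_MODULE(t) ((uint8_t)((t) >> 8))      /* bits 15..8, slide 9 */
#define PACKET_FUNC(t)   ((uint8_t)((t) & 0xFFu))   /* bits 7..0, slide 9 */

typedef struct {
    uint16_t type;
    uint16_t length;
    uint8_t  data[PACKET_DATA_MAX];
    uint32_t crc;
} Packet;

typedef enum { PKT_OK, PKT_SHORT, PKT_TOO_LONG, PKT_BAD_CRC } PacketStatus;

/* Assumed checksum: reflected CRC-32 (polynomial 0xEDB88320), bit by bit. */
uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed frame: type(2) | length(2) | data(length) | crc(4), little-endian.
 * The length field comes from the host, so it is checked against the fixed
 * buffer and the received byte count before anything is copied. */
PacketStatus packet_parse(const uint8_t *raw, size_t n, Packet *out) {
    if (n < 8) return PKT_SHORT;                     /* header + crc missing */
    uint16_t len = rd16(raw + 2);
    if (len > PACKET_DATA_MAX) return PKT_TOO_LONG;  /* would overflow data[] */
    if (n != (size_t)len + 8) return PKT_SHORT;      /* length field vs. bytes */
    if (rd32(raw + 4 + len) != crc32_calc(raw, 4u + len)) return PKT_BAD_CRC;
    memset(out, 0, sizeof *out);                     /* no stale payload bytes */
    out->type = rd16(raw);
    out->length = len;
    memcpy(out->data, raw + 4, len);
    out->crc = rd32(raw + 4 + len);
    return PKT_OK;
}
```

Only a packet that returns PKT_OK should reach the module dispatch in the main loop.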
