EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown

Reddit Comments
👍︎︎ 3 👤︎︎ u/stickac 📅︎︎ Jul 13 2017 🗫︎ replies

What's the verdict?

👍︎︎ 3 👤︎︎ u/love_eggs_and_bacon 📅︎︎ Jul 13 2017 🗫︎ replies
Captions
Hi. We're going to do a teardown of this, the Trezor hardware Bitcoin wallet, and thanks to the viewer who sent this in to the mailbag. They specifically wanted me to do a teardown of this puppy to see, like, how physically secure and everything else it is, so that should be very interesting. Let's take a look.

But first of all, what is a hardware wallet? Well, I won't get into what cryptocurrencies are and everything like that; you've no doubt heard of Bitcoin if you're watching this video. Well, this is a way to store your bitcoins, or others, it handles Ethereum and Litecoin and various others. It's a hardware wallet, physically stored on this little device, which you plug in to micro USB here. And the advantages of a hardware wallet over, like, your traditional software wallet, or keeping them on a USB stick or everything else, is that they're encrypted on here, they're physically secure, you can't get hacked by key loggers, malware, you can use them on any computer anywhere. You know, nobody can actually recover these unless they have the PIN number on the actual device to do it. So yeah, these really offer quite a lot of advantages over a software wallet, or just storing it on your hard drive, a USB stick, or one of those online wallets, for example.

So even if this hardware wallet gets stolen, they're not going to be able to steal your coins in there, because it's pretty PIN number protected. So unless they coerced you into handing over your PIN number and getting them that way, they should be physically secure. It can accept up to a nine-digit PIN, and every time you incorrectly try the PIN number, the wait time period goes up by a factor of two, so it's practically impossible to guess the PIN number on this thing. But hey, can you extract the PIN number from it? Can you, you know, get something out? Can you physically hardware hack it? Well, that's what we might try and have a little look at in the teardown anyway. And if it does get stolen, you can actually recover them another way,
using a recovery seed, the recovery process. So it's really about the security number; that is what people need to physically extract your coins from your hardware wallet. So long as you keep your PIN secure, it should be pretty physically impossible to actually crack these things. That's the plan, anyway.

Now, this is manufactured by Satoshi Labs. It's one of the most, if not the most, popular hardware wallets on the market; I believe it was one of the first on the market. And it's had a few security issues in the past, like somebody was able to do a side channel analysis, power analysis attack on this thing and actually recover the private key out of the thing. But yeah, that's been fixed in firmware a couple of years back, so apparently it has not been hacked since. And the other good thing about this is that all the software in here is open source, so the community can go in there and analyze exactly what's going on inside this thing. And the private keys are kept secure by Satoshi Labs, so as long as they're physically secure, everything should be fine. And this supports remote firmware upgrade over the USB, but you can't just, like, flash new firmware in there, hacked firmware or whatever, because the process of doing that will actually wipe your coins. So you can do a firmware upgrade, like a proper firmware upgrade, without losing your coins, but putting in hacked firmware that's not signed, that doesn't meet the private key at Satoshi Labs, then it will wipe all your coins in there. So you can't hack the thing by just doing some sort of firmware hack or firmware upgrade.

So what I'm interested in, and what the viewer who sent it in is interested in, is actually what's physically inside this thing. Is there any extra hardware security protection and stuff like that? There's a few things that I would like to see inside this, like, if I was designing a hardware wallet like this that could be designed to
store an unlimited number of bitcoins, with this hardware wallet it can store billions of dollars worth of bitcoins, it can physically do that. So, you know, people trust these things to, you know, to store their bitcoins, which could be worth a phenomenal amount these days, especially if you bought them years ago or something like that, when they were worth a pittance, and now they're, you know, a couple of thousand bucks a Bitcoin. Significant value tied up inside the hardware security inside these things.

So if I was designing this thing, just to be sure, there's some, like, measures that I would take in these, and you see these in, like, PIN pads and things like that. We've done teardowns of PIN pads before, and some other channels have done PIN pad teardowns. If you don't know what a PIN pad is, it's one of those EFTPOS, electronic point-of-sale transaction terminals that you get in shops and banks and things like that, where you put your credit card in. They have lots of hardware security measures in there. You might pot the product, like a hard potting compound in there; I'd be doing that for physical security. And then you might have some anti-tamper stuff inside these things, so if you try and crack the thing open then, you know, it might just erase the keys if you physically do that. Or you can actually get physically secure main processors, you buy them where they have, like, a physical mesh over the top of the die and other physical security measures, so even if you dissolve the chip in, like, sulfuric acid and try to get, like, an electron microscope or other device to try and actually read the individual data directly off the die and stuff like that, that can actually physically be prevented with the use of these physically secure chips that you can buy. So I'm just curious if it uses one of those, is there any tamper protection if you open the thing. It looks to be ultrasonically, you know, heat welded or something like that, so it looks like we're going to have
to Dremel this thing open. But anyway, let's just take a look at doing a side channel power analysis attack. Someone actually has done this in the past, but I think I mentioned before they have actually fixed that in a firmware update. They may have, the hardware may have changed in the couple of years since that hardware side channel attack was revealed, but that's all fixed now, apparently. But let's just have a quick squiz.

Okay, so let's just do some basic side channel power line analysis. What I've got is my Rohde & Schwarz scope here, 10-bit ADC, I've got high-res average mode on, 20 meg sample memory depth maximum, and I'm breaking into the ground line of the USB here. I'm just breaking this out into a 10 ohm current sense resistor here, got that on the scope. Be careful where you put your ground on this, don't put it on the positive. I've done a whole video on how not to blow up your oscilloscope when probing USB stuff like this, so just be very careful with that if you try and do something like this. And we've got it connected, and the good thing is we can get a decent voltage drop across this thing and it still works. So this is actually fairly tolerant of, you know, inserting resistors in the power line like this to actually get quite a decent voltage, in this case 100 millivolts per division, so we can see that we're about 40 milliamps or so. So we're actually getting quite a decent signal level there.

So we've got one second per division, triggered at this point over here, and at the same time that I triggered it, roughly, I connected to the wallet on the website. So yeah, basically we're sitting there doing nothing and then I connected, and sure enough, five seconds later, which matched up with where the information popped up on the screen, it took about five seconds to connect and do its business, we see some anomalies here apart from the usual noise. So let me zoom in. So go into the centre here where all this regular stuff is, and as you can see it's very periodic, but we
can get some really good detail on there, and that stuff in there is about 5.3 kilohertz. Everything is very periodic, you know, you can, like, scroll all the way through this and it is identical. So this is your regular processor operations. I can't find any anomalies in there really, it's just your regular periodic stuff; it's updating the display and doing your regular processor loops. I can't find anything that is out of the ordinary there, so I think they actually have fixed that in the firmware.

So the first thing we actually get to is this over here, and because this is actually lower, you can see it's a lower current here, it's probably, like, turned off the display or blinking, doing something like that. And look, there's just not enough time in there for us to extract any usable data, so I think they've hidden that quite well. I mean, this was a problem, this has been attacked before, and then the information was given to Trezor and sure enough, like, in the next firmware update they fixed it. And there might have even been hardware changes since; this was a couple of years back, so who knows, they might have tweaked the hardware a little bit as well since then. But this brand-new one that I've got, there's just not enough information in there, based on the previous power line analysis attack where they got the private key out of it. It's just that there's not enough room, so I think they fixed it. It's just, yeah, we can actually measure stuff in there, but it looks like they've hidden it really well, so I can't see us extracting anything from that.

And we can actually use an E-field probe as well. I tried a small H-field probe and I'm not getting any magnetic coupling over that, but if we put this in certain places over the back we can actually get a coupling, not via the ground but just via the PCB inside there, which I haven't taken apart so don't know the layout yet, but yeah, we are able to pick
something up, let me show you. Well, hang on, I was just capturing some E-field probe stuff and look, I got some major packets here. I was not connecting via the hardware wallet, but I was doing some 200 millisecond per division stuff and look, we've really got some periodic stuff in there, and you see it matches the E-field probe here; we might have a look at it in a minute. But you can actually see some huge variability in there, but once again that is very periodic. I don't see any information; was that, like, updating the display or something like that? But I don't see any actual data in there, and I was not connecting to the wallet at the time. And I've tried some E-field and H-field probe stuff; with the E-field probe I've been able to kind of get some correlation on here but no real extra information on there. So yeah, there's nothing doing with the EMC analysis at all.

So whilst I would like to see, you know, elimination of any possible side channel attack via the power line like this, I mean you can do that in the hardware, they obviously haven't bothered, or they've made some tweaks since the hack was originally discovered and it looks like they fixed it. Still, you can see some processor stuff, you can see some periodic interrupts and, you know, stuff like that happening, but I can't see any data. Doesn't mean it's not in there, but yeah, it looks like they've hidden it really well. And what I've got here is that actually starting up from the sleep state, so I click the trigger and click the website over here and then we can see it actually power on, and yeah, we do have some stuff down there, but once again it's really not enough information to decode. So yeah, there's nothing doing there at all.

One really nice secure feature I love about the Trezor is that when you do a transaction it pops up with a PIN that you have to enter, and it's not the same every time. You have to actually have a look down on the device
itself to actually see; it randomizes that PIN location so it's not the same. That is really quite neat. So even if somebody had a key logger on your computer, for example, yeah, they could get where you clicked on that keypad of course, and they would get of course the number of digits, but they don't know, because it's a randomized order like this. So they can't even steal your PIN number with a keylogger. Fantastic. And then when you're confirming a transaction, it actually pops up with the actual Bitcoin address on the device itself, so you've got to make sure that matches what's on the screen. Terrific security, I love it. It's thought of everything.

[Music]

And we're in. Well, there you go. I'm very surprised just to find the bare PCB, nothing looks potted at all. We should be, looks, I wouldn't even get the chip number off that; we'll have a good look at the PCB shortly. And they've got some gunk behind the micro USB connector there. Is that just for some extra physical strength? Not entirely sure. Anyway, I'm very surprised that nothing's potted in this thing; that would have been my first port of call if I was designing this, if anything just to make it a bit more physically robust. I mean, this thing, they say it's a, well, actually that could be for water ingress maybe. Is that hard or is that soft? Yeah, it's a soft compound, so yeah, that looks like it might be a physical water thing. I don't think it's waterproof, but it's water resistant or something like that. So yeah, but they could have done that better to make it entirely waterproof. But I would have potted the thing; that would have been just as a matter of course, physically encapsulated into a hard epoxy potting compound over the whole thing, just to make it physically difficult to access.

And anyway, let's see if it still works, shall we? It still works, look at that. Right, and I can confirm that that does hook up to my wallet on the computer, like the web wallet up there. I can see all my
information, I can see that it still has my 0.004 bitcoins in there, I've got, like, currently nine dollars eighty-nine worth of Bitcoin still stuck inside that thing.

But that's the thing, I'm very surprised at that for something that's designed to protect your, you know, your valuable bitcoins, which could be worth, you know, potentially millions of dollars. Oh, you wouldn't trust it maybe to one device, but still, right, I would have potted this thing, because anyone can just hack that open like I did and get physical access to the pins of the chip, and then you can start hacking away. Whether or not it's possible to actually, you know, recover the PIN from this thing, I don't know; it will require, you know, a huge amount of effort probably to try and do that. But the first line of defense is physical security and it does not have any. And it still works after you open it, so there's no ambient light sensor or micro switch or anything else, any other sort of, like, anti physical protection tamper in there that prevents you from accessing chips. But the problem with that, unlike, say, these PIN pads that I mentioned earlier, the EFTPOS terminals, they will actually have, the keys inside will be battery backed up SRAM, static RAM, so once you get in, they'll have a separate little micro in there that's actually detecting whether or not it's open, and as soon as, say, an ambient light sensor trips or a micro switch, like a physical contact breaks or something like that, to know someone's gone in there, then it'll just wipe the memory. Whereas this doesn't have any battery or anything like that. That's why, okay, if it doesn't have, you know, some sort of tamper detection that automatically wipes it or whatever, then that's fine, but at least physically prevent the access. You know, I would have done that just as a matter of course, really.

So what I thought I'd do is just thermally cycle this, just to see how it physically survives,
and of course proper thermal cycle, long-term thermal cycle testing is a, you know, very time-consuming and complicated process, but I'm just going to do it the time-poor engineer's way: use the electronic freezer spray and the heat gun and just cycle it through. I won't do it to the OLED display because that's not what's important, because a good thing about it not being potted is they could actually replace the OLED display if that failed. But then of course you could buy a new wallet as well and reseed the thing and use your recovery that way. But we want to do the chip, and yeah, just for kicks, why not, let's go. And I'm doing that at about a hundred degrees, so, you know, not hot enough to melt the solder. So most, like, about a couple of times, and I rechecked by connecting to it and my bitcoins are still there. So yeah, like, we could go to town, I might do it a few more times just for kicks, but I don't expect any issues. It's just a bog-standard micro. You could of course get the industrial temperature rated one, of course, just for extra, you know, I would pay extra to get the higher rated, more qualified device.

But all right, let's have a look at this under the Tagarno microscope. The first thing you notice is the shine on there; that's a conformal coating, that is to help the water protection, moisture protection, stuff like that, so they tried to make it a bit more reliable. You can see where they've masked off around the tactile switches there, so, you know, that's a reasonable moisture protection, so that's a nice little measure. It's not a security measure at all, it's just purely for water ingress. And it's basically just one ARM chip on a board with the USB, that's basically it. This would be the JTAG interface, we could follow the traces down to there, but there won't be anything under the LCD there, sorry, the OLED display there is physically down on the board, so there's nothing else, there's just
that one ARM chip. So it's basically just a software solution, which is fine, which is, you know, basically all that's required. And we can actually get in there, and it looks like, is that an ST part, 32F205RET6? Let's go to the datasheet, but I'm pretty sure this is not a physically secure processor, so that's a bit, it's just a regular Joe Bloggs processor. I'm a little bit disappointed in that. Peel off our gunk there, there we go, got access to our pins. And of course those test pads on the bottom, they're for production bed of nails, so, like, this thing is easily probeable, but it's all a matter of the software security side, as I said, so that's where all the magic happens. So I guess it doesn't need to be any fancier than this, but I just maybe would have used a secured processor as a matter of course, because if you get in there and dissolve away the epoxy case with sulfuric acid, then you can get access to the die, and technically, if you didn't damage it during that process, which is possible, you could get in there with an electron microscope or other means and physically see and physically extract, presumably, the PIN number out of it. But that'd be, you know, pretty advanced skills, but maybe it's possible.

But the interesting thing about this is, even if you could dissolve the chip in sulfuric acid, get access in there, recover the PIN, the security, you can reflash the programming fuses in there, load some firmware on, which, you know, some hacked firmware which could extract it or whatnot, you know, spoof it into extracting the PIN code out of the thing and getting to work in that way, all that takes significant time. Whereas once you realize your Trezor hardware wallet has been stolen, you can simply change the recovery seed key for the thing, which effectively should prevent them actually doing that. You know, it basically renders the thing physically useless once you've
changed that recovery seed. So yeah, you know, it's probably adequate, I guess. My main concerns, like, adequate from a hacker security point of view, my main concerns would be just the physical reliability of the wallet. Okay, they've done some conformal coating in here, which is okay to prevent moisture ingress and stuff like that; there is, you know, a little bit there which is exposed, and moisture can get in under there and whatnot. I just physically would have potted the whole thing; that's not a huge extra cost, I would have done that as a matter of course, really. And there's not a huge amount of capacitance or diode protection in here to prevent that power line attack, but as we saw, you know, there doesn't seem to be anything to see there because they've smoothed that, fixed it in firmware, software, which is, you know, entirely possible. So the fact that, you know, stuff does get back out, like, you know, you can see the processor cycles, the interrupt cycles inside this thing, and other stuff is leaking back out through the power line, it's not a big deal as long as you know about that fact and you can compensate for that in software. This software is open source, so you can go see the changes they made since this originally had that power line hacking, you can see what, you know, anti-spoofing stuff they've done there. It'll all be documented in the source code, surely.

So there you have it, that's the Trezor hardware wallet from Satoshi Labs, and it's just a microcontroller with lots of software magic, and that's all there is to it. There's no extra hardware security, which I'm a little bit surprised at, but, you know, it's not a real issue because it's all about the software security. They really have thought about this thing, and apart from the power line attack, which they have fixed, I don't believe, please correct me in the comments down below if you know of another successful hack attempt on these
things to get the PIN and recover the bitcoins out of it, via hardware or software, please let us know. Yes, we could hook up the programmer on there to get in there, but they've thought about this, okay. It's all about, the firmware in there is signed via the secret key, it's a private key at Satoshi Labs, and if you try and do anything to the firmware it's just going to erase those keys. So yeah, there's pretty much going to be no attack there. I'm not going to say it's impossible, but I haven't heard of anyone doing it and I'm not going to try and do it, because that's not my expertise, like, a software hack in an ST micro for example, or any sort of cryptographic hacking and stuff like that. I'll leave it up to those more experienced, and I'm sure a lot of people have tried, and there's only been the one successful power line attempt as far as I know. So it seems pretty solid.

Although it just occurred to me, what if you actually hooked up the ST programmer to the programming port on this thing? I've got one here, they cost, like, you know, tens of dollars, they're dirt cheap. And what if you could actually get in there and modify the EEPROM content where it actually stores that PIN, and enable things? I can get, like, the PIN incorrect, for example, it will store it in the EEPROM that they got it wrong, and then the next time you power it up it reads that and then it determines, right, you've got to wait a longer period, and then an exponentially longer period as you do more attempts. But if you can somehow automate the power cycle process and also find and reset that EEPROM contents where it actually stores that, maybe you can have, not a very fast process, but actually systematically attacking the PIN, running through all the PIN number contents. Although maybe, you know, you can only write to an EEPROM so many times, so it might die before you get to the PIN number, especially if it's 9 digits long, for
example, but you never know. You know, I thought that maybe there might be something there, but yeah, I'd have to set up this and find where it's actually stored in there and actually try it, and it's a lot of effort, maybe for a second video, or maybe someone else out there can give it a try, or maybe they already have and it's not an issue. Anyway, that just came to mind.

But I think, like, this thing should have a version, or, you know, maybe you can pay more for, you know, a premium version that, instead of having the plastic case on the thing, actually encases the entire thing in epoxy potting compound and it becomes the case, it becomes one big solid monolithic block with just the cut-out window for the LCD and the switches; the switches could even be capacitively coupled or something like that perhaps. But yeah, I'd like to see a more physically robust device in this. If I was, you know, trusting huge sums of bitcoins on this thing, then, you know, I would like to pay for a more premium, physically robust device. But the security, I think, you know, they're probably as good as you're going to get software-wise.

So I hope you enjoyed that video and found it interesting and useful. If you did, please give it a big thumbs up. Catch you next time.
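
The scrambled PIN prompt and the doubling wait after each wrong PIN, as described in the captions above, modelled in an added Python example; this is not code from the video or from the device's firmware. The 3x3 grid of digits 1 to 9, the one-second base delay, counting an attempt before comparing it, and all names are assumptions made for illustration.

```python
import secrets


class PinDevice:
    """Toy model of the device side of a scrambled PIN prompt (added example)."""

    BASE_WAIT_S = 1  # assumed base delay; the video only says the wait doubles

    def __init__(self, pin, rng=None):
        self._pin = pin                          # digits 1-9 only (assumed 3x3 grid)
        self._rng = rng or secrets.SystemRandom()
        self.failed = 0                          # wrong attempts since last success
        self._layout = None                      # digit shown at each grid position

    def new_prompt(self):
        """Shuffle the digits; only the device screen shows this layout."""
        digits = list("123456789")
        self._rng.shuffle(digits)
        self._layout = digits
        return list(digits)                      # what the user reads off the device

    def wait_before_next_try(self):
        """Delay enforced before the next attempt: doubles with each failure."""
        if self.failed == 0:
            return 0
        return self.BASE_WAIT_S * 2 ** (self.failed - 1)

    def submit(self, positions):
        """The host sends clicked grid positions (0-8), never the digits."""
        if self._layout is None:
            raise RuntimeError("no active prompt")
        layout, self._layout = self._layout, None    # each layout is used once
        self.failed += 1                             # count the attempt first
        entered = "".join(layout[p] for p in positions)
        if secrets.compare_digest(entered, self._pin):
            self.failed = 0
            return True
        return False


def positions_for(layout, pin):
    """What the user clicks on the blank host keypad for a given layout."""
    return [layout.index(d) for d in pin]


def cumulative_wait(failures, base=PinDevice.BASE_WAIT_S):
    """Total seconds of enforced waiting after this many wrong attempts."""
    return sum(base * 2 ** i for i in range(failures))


if __name__ == "__main__":
    dev = PinDevice("4971")                      # constructed sample PIN
    logged = positions_for(dev.new_prompt(), "4971")
    print("host-side log (positions only):", logged, "->", dev.submit(logged))
    dev.new_prompt()                             # fresh layout for the next prompt
    print("same clicks replayed:", dev.submit(logged))
    years = cumulative_wait(30) / (365 * 24 * 3600)
    print(f"wait after 30 wrong PINs: about {years:.0f} years")
```

A click log captured on the host only helps if the next layout happens to match at the clicked positions, and in this model 30 wrong guesses already cost about 34 years of waiting.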
Info
Channel: EEVblog
Views: 110,623
Rating: 4.7281551 out of 5
Keywords: eevblog, trezor, hardware wallet, teardown, side channel attack, power line attack, key, private key, reverse engineering, recovery seed, how to, review, usb, power line, oscilloscope, firmware, attack, physical, security, analysis, cryptocurrency, crypto currency, bitcoin, ethereum, satoshi labs, satoshilabs, bitcoin harwdare wallet, ethereum hardware wallet
Id: BzxGoJdd8a4
Length: 28min 3sec (1683 seconds)
Published: Wed Jul 12 2017