Why Hardware Wallets are the Future (And Why They Have to Be Open Source)
Your computer isn’t secure. Those of you reading this from your fortified Plan 9 Tor Box can stop reading here, but for the rest of you, it’s simply true. Your computer is riddled with security vulnerabilities, and so is your phone. If an attacker wants access to your machine, or if you download even one piece of software that either is or is carrying malware (see: any download from cnet.com or its ilk), you’re in an enormous amount of trouble.
I wrote an article a few weeks ago discussing this issue, and why it makes keeping large quantities of Bitcoin so dangerous. Today, we’re going to spend some time digging into one possible solution to this problem, and what still needs to be done to make it truly viable. The proposed solution is straightforward: instead of trusting a big, unwieldy, and complicated operating system with networking capabilities, which can be compromised remotely or via an app install, what if we instead made dedicated hardware devices, with no networking, that can sign Bitcoin transactions locally without ever disclosing the key to the computer they’re connected to? No app installs and a minimal code base with a carefully structured interface mean you can make security on the device near-perfect, which means that no breach of your computer can possibly disclose your keys to your attackers. That is a wonderful security guarantee you’ll get hardly anywhere else.
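As an added illustration (not code from the article or from any wallet vendor), the following Go model shows the boundary just described: the host builds a transaction and can verify signatures with the public key, but the private key exists only inside the `Device` type, which signs after an on-device confirmation step (assumed here as a callback). P-256 from the standard library stands in for Bitcoin's secp256k1; the isolation argument is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Tx is a constructed, simplified transaction: the host hands it to the device
// and gets back only a signature, never key material.
type Tx struct {
	To     string `json:"to"`
	Amount uint64 `json:"amount"`
}

// Device models the wallet: the key is unexported, and Confirm stands in for
// the on-device screen/button check a compromised host cannot bypass.
type Device struct {
	priv    *ecdsa.PrivateKey
	Confirm func(Tx) bool
}

// NewDevice generates the key inside the device (P-256 for stdlib convenience; Bitcoin uses secp256k1).
func NewDevice(confirm func(Tx) bool) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Confirm: confirm}, nil
}

// PublicKey is the only key material that ever crosses to the host.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }
func txDigest(tx Tx) []byte {
	b, _ := json.Marshal(tx) // fixed struct, cannot fail
	h := sha256.Sum256(b)
	return h[:]
}

// Sign hashes and signs inside the device after the user-confirmation check.
func (d *Device) Sign(tx Tx) ([]byte, error) {
	if d.Confirm != nil && !d.Confirm(tx) {
		return nil, errors.New("transaction rejected on device")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, txDigest(tx))
}

// HostVerify needs only the public key, which is all the host ever holds.
func HostVerify(pub *ecdsa.PublicKey, tx Tx, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, txDigest(tx), sig)
}
```

A compromised host can still submit whatever it likes to `Sign`, which is why the confirmation step on the device itself, not the host's screen, is what actually protects the user.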
So what’s the problem? Well, this is where we get into the nitty-gritty practicality of the thing. Right now, one of the most popular hardware wallets is Trezor, a $119 device available from www.bitcointrezor.com. The source code is open, meaning that you can go through it to make sure you trust it (or read analyses from much cleverer people who have done exactly that). So, again, what’s the problem? Well, unfortunately, the firmware running on the Trezor isn’t the only piece of software that matters. The bootloader, as users have discovered, is closed-source (the bootloader is the simple piece of code which loads and sets up the rest of the software to run). The bootloader, by necessity, has access to all of the information in the software, including the private key, and, because it’s closed source, could be doing pretty much anything with it, which is a huge security oversight.
When asked to rectify this, a Trezor employee responded,
“There is no security reason why bootloader should stay closed, but we were quite hesitant to open it because that’s the last piece of mosaic that our competition is missing from making a perfect TREZOR clone.”
This is an understandable motive – any hardware company lives in fear of cheap imitators. However, it’s also wrong to ask users to entrust their money to code that hasn’t been through exhaustive review by the open source community. The entire purpose of hardware wallets is defeated if you can’t look at all of the software running on them. The future of hardware wallets is either companies willing to take the risk of copycats and open source everything, relying on their reputation to provide value to users, or entirely open-source projects, in which hardware companies develop only the hardware, pulling all relevant code and drivers from well-vetted open source repositories.
These are not styles of business that the tech industry is accustomed to, but they are the only ones that are trustworthy and valuable in the long run.
This is an area in which the Bitcoin Foundation could step in. A committee of coders could analyze the software of hardware wallets (or any third-party wallet that is closed source) and give it their “seal of approval,” assuring users that it is safe and contains no malicious code.
No, it really doesn’t. Unlike a pure software wallet, where you can easily calculate the checksum for yourself, a malicious hardware provider could change the code running on their hardware at will, and most users would never notice until it was too late. Trusting that hardware will keep you safe is about as dangerous as relying on security through obscurity, and mark my words, the continual encouragement from media to rely on hardware wallets is going to result in a widespread scamming of epic proportions.
That’s a fair point, but, since it’s still perfectly possible to dump and analyze the memory of these devices yourself, it wouldn’t be too difficult for watchdog groups to routinely collect devices and test them to make sure they are what they claim to be. Most people will never actually checksum their software themselves, instead relying on others to guarantee, by periodic sampling, that the distributed software is what it claims to be.
Furthermore, hardware wallets are not security by obscurity, and the comparison is disingenuous. Hardware wallets are recognition of an old maxim in computer security, which is that computers which are networked or allow users to install programs are profoundly less secure than systems which are more restricted.
If they keep the bootloader closed, somebody else will come along anyway with a completely open-source device, and take over the market. If hardware wallets are the future, there is going to be a lot of competition, and I think Trezor would be better off publishing the bootloader to ease everybody’s concerns now while they are still the main product in this space. Otherwise, they will just fade into history as more hardware wallets come out.
open source hardware: http://www.elecfreaks.com/store/