Teen's devastating bug-report on a "tamper-proof" cryptocurrency wallet shows why companies can't be left in charge of bad news about their products

Originally published at: https://boingboing.net/2018/03/21/private-ledger-public-truth.html


DRM protections and the DMCA laws only benefit a small specialized group of people. These are not laws written to benefit the people as a whole but rather to add protections to those who can afford to buy a lawmaker.


Reminds me of the story that Mark Frauenfelder posted on BB about hacking into his “Trezor” wallet. The same hacker, Saleem Rashid, was able to help Mark get past the security in that wallet.


I’m kind of surprised the company didn’t try to get him arrested for “hacking” their “tamper-proof” crypto stick. Also, if anyone ever tells you their product is “hacker proof” or “tamper-proof” know that they’re full of sh*t or on the marketing team (I guess that’s a little redundant). The only barrier to hacking most electronics is time and money and if the payoff is big enough it will happen. The teen that pulled this off has a bright future ahead and seems to be doing things right so far, so keep up the amazing work.

1 Like

Aside from being questionably truthful, the

claim is misleading in a really weasely way: this device uses a limited(but intended to be robust and provided with various cryptographic capabilities) ‘secure element’ IC along with a general purpose microcontroller that handles the peripherals and communication with the outside world because the secure elemnt devices tend to be feature-light in the attempt to lower their attack surface.

He concocted a means of tampering with the firmware run by the main microcontroller without tripping the checks done by the crypto IC. It may well be that he didn’t coax that chip into spilling it’s guts(such things, along with their similar cousins like SIM card IC and TPMs generally lack any command for requesting the private key after it is burned in at the factory; and at least some of them resist cleverer attempts to sneak it out); but that doesn’t do you any good if the attacker owns the interface with the outside world.
It’s sort of like claiming that a smartphone with a virus is still OK because the SIM’s Ki hasn’t been obtained.


When the company released its patch, though, it downplayed the severity of the defect that Rashid had identified, calling it “NOT critical,” and made false claims to the effect that the “attack cannot extract the private keys or the seed.”

Don’t call it lying, that’s such an ugly word. Think of it as “preventing mass panic.”


This topic was automatically closed after 5 days. New replies are no longer allowed.