software attacks on hardware wallets - riscure.com · •attacker can install open-source bitcoin...
TRANSCRIPT
Software Attacks on Hardware Wallets
Introduction • Security Analyst at Riscure, Netherlands • Likes:
• Smart cards • TEE • Secure devices • Breaking stuff
• Doesn’t like: • Delayed visas Sergei Volokitin
(not Alyssa)
What is a hardware wallet? • Connects to smartphone / PC
• Stores and uses private keys
• Mainly used for cryptocurrency private keys
• Super secure
https://www.ledgerwallet.com/products/ledger-nano-s https://www.keepkey.com/wp-content/uploads/2014/08/12121301/shapeshift-large.jpg
https://trezor.io/start/ https://bitfi.com/bitfi-wallet
Software Attacks on Hardware Wallets – Sergei Volokitin
Who is the attacker?
Physical access
Supply chain Malware on PC Software Attacks on Hardware Wallets – Sergei Volokitin
What are the defenses?
• Secrets don’t leave device
• Tamper-resistant
• Keep secrets in a Secure Element
• Secure software updates
Software Attacks on Hardware Wallets – Sergei Volokitin
Why Ledger?
• Fairly new/interesting
• Based on a certified Secure Element
• Multi-app support (Btc, Eth, …)
• Support for custom applications on SE
Software Attacks on Hardware Wallets – Sergei Volokitin
Software Attacks on Hardware Wallets – Sergei Volokitin
BOLOS
Software Attacks on Hardware Wallets – Sergei Volokitin
BOLOS
Who is the attacker?
Malware app
Physical access
Supply chain
Software Attacks on Hardware Wallets – Sergei Volokitin
Ledger Nano S hardware
• STM32 MCU • Screen, buttons, USB…
• Communication with the SE
• ST31 SE
• BOLOS
• Wallets (Trusted Apps)
• Secure Flash Memory
https://www.ledger.fr/2016/06/09/secure-hardware-and-open-source/
Software Attacks on Hardware Wallets – Sergei Volokitin
• MPU isolates memory
• Application has
• ~16 KB of Flash
• ~1 KB of RAM
• Over 100 syscalls
Secure Flash
Memory
Software Attacks on Hardware Wallets – Sergei Volokitin
Trusted App
BOLOS
sha256() syscall
returns SHA256 hash
Software Attacks on Hardware Wallets – Sergei Volokitin
BOLOS
App 1
App 2
User RAM BOLOS RAM
0xFFFFFFFF
0x20000000
0x00000000
???
Software Attacks on Hardware Wallets – Sergei Volokitin
BOLOS
0 1 2 ...
sha256() syscall
• Sadly: stops working after 8kB!
PTR LEN OUTPUT – HASH SHA256
0x00000000 0x00000001 6e340b9c…17afa01d
0x00000000 0x00000002 2ee78837…907c894c
0x00000000 0x00000003 df236376…9017eaac
Software Attacks on Hardware Wallets – Sergei Volokitin
Partial memory disclosure in cx_hash()
• cx_hash() syscall takes a pointer to a context structure
• Only values from 0 to 8 are valid algorithms!
You can tell whether ANY byte in memory
is between 0-8 .. or between 9-255.
Software Attacks on Hardware Wallets – Sergei Volokitin
struct cx_hash_header_s {
cx_md_t algo;
unsigned int counter;
};
if (!known_algo(context->algo)) return [invalid hash algorithm]; if (!access_allowed(context, needed_len(context)) return [security error];
Debug app installation flag
• There are per-application flags you can set, such as:
• Application with debug flag can read ~16kB of flash belonging to another app!
Software Attacks on Hardware Wallets – Sergei Volokitin
Debug app installation flag
30
U2F App Flash
BTC App Flash
System Flash
Debug App Flash
Debug app installation flag
31
U2F App Flash
BTC App Flash
System Flash
Debug App Flash
Debug app installation flag
32
Debug App Flash
BTC App Flash
System Flash
Debug app installation flag
33
BTC App Flash
System Flash
Debug App Flash
Debug app installation flag
34
BTC App Flash
System Flash
Debug App Flash
Debug app installation flag
35
BTC App Flash
System Flash
Debug App Flash
DEMO
Software Attacks on Hardware Wallets – Sergei Volokitin
Flash is not cleared upon device reset
• User applications are not removed after device wipe…
• Good news: the global seed is reset!
• Wallet keys should be derived from seed at runtime
• most apps (e.g. Btc) do this...
Software Attacks on Hardware Wallets – Sergei Volokitin
uid counter init_flag hmacKey padding
U2F flash contents before/after reset
Software Attacks on Hardware Wallets – Sergei Volokitin
Summary
• Several vulnerabilities identified in Ledger Nano S
• Most severe consequence: U2F keys were not safe
• Ledger fixed all these vulnerabilities in a timely manner
• Bounty programs work!
• Closed source SE firmware => No community code reviews
Software Attacks on Hardware Wallets – Sergei Volokitin
What did we learn?
• Don’t trust Trusted Applications
• Hardware wallets still have software flaws
• Reset means reset – clear all that data!
Software Attacks on Hardware Wallets – Sergei Volokitin
V7. Supply chain attack • Attacker can install open-source bitcoin wallet
• CustomCA keys can be enrolled to ease development process
• CustomCA keys are not deleted upon reset
Supply chain attack:
• Buy bunch of hardware wallets
• Enroll CustomCA keys
• Install modified malicious Bitcoin application signed with CastomCA keys
• indistinguishable from genuine
• Enter the PIN three times so it goes to the reset state
• Sell devices for half-the-price
• Only reinstallation of the applets can prevent an attack Software Attacks on Hardware Wallets – Sergei Volokitin