Software Attacks on Hardware Wallets

Introduction • Security Analyst at Riscure, Netherlands • Likes:

• Smart cards • TEE • Secure devices • Breaking stuff

• Doesn’t like: • Delayed visas Sergei Volokitin

(not Alyssa)

What is a hardware wallet? • Connects to smartphone / PC

• Stores and uses private keys

• Mainly used for cryptocurrency private keys

• Super secure

https://www.ledgerwallet.com/products/ledger-nano-s https://www.keepkey.com/wp-content/uploads/2014/08/12121301/shapeshift-large.jpg

https://trezor.io/start/ https://bitfi.com/bitfi-wallet

Software Attacks on Hardware Wallets – Sergei Volokitin

Who is the attacker?

Physical access

Supply chain Malware on PC Software Attacks on Hardware Wallets – Sergei Volokitin

What are the defenses?

• Secrets don’t leave device

• Tamper-resistant

• Keep secrets in a Secure Element

• Secure software updates

Software Attacks on Hardware Wallets – Sergei Volokitin

Why Ledger?

• Fairly new/interesting

• Based on a certified Secure Element

• Multi-app support (Btc, Eth, …)

• Support for custom applications on SE

Software Attacks on Hardware Wallets – Sergei Volokitin

Software Attacks on Hardware Wallets – Sergei Volokitin

BOLOS

Software Attacks on Hardware Wallets – Sergei Volokitin

BOLOS

Who is the attacker?

Malware app

Physical access

Supply chain

Software Attacks on Hardware Wallets – Sergei Volokitin

Ledger Nano S hardware

• STM32 MCU • Screen, buttons, USB…

• Communication with the SE

• ST31 SE

• BOLOS

• Wallets (Trusted Apps)

• Secure Flash Memory

https://www.ledger.fr/2016/06/09/secure-hardware-and-open-source/

Software Attacks on Hardware Wallets – Sergei Volokitin

• MPU isolates memory

• Application has

• ~16 KB of Flash

• ~1 KB of RAM

• Over 100 syscalls

Secure Flash

Memory

Software Attacks on Hardware Wallets – Sergei Volokitin

Trusted App

BOLOS

sha256() syscall

returns SHA256 hash

Software Attacks on Hardware Wallets – Sergei Volokitin

BOLOS

App 1

App 2

User RAM BOLOS RAM

0xFFFFFFFF

0x20000000

0x00000000

???

Software Attacks on Hardware Wallets – Sergei Volokitin

BOLOS

0 1 2 ...

sha256() syscall

• Sadly: stops working after 8kB!

PTR LEN OUTPUT – HASH SHA256

0x00000000 0x00000001 6e340b9c…17afa01d

0x00000000 0x00000002 2ee78837…907c894c

0x00000000 0x00000003 df236376…9017eaac

Software Attacks on Hardware Wallets – Sergei Volokitin

Partial memory disclosure in cx_hash()

• cx_hash() syscall takes a pointer to a context structure

• Only values from 0 to 8 are valid algorithms!

You can tell whether ANY byte in memory

is between 0-8 .. or between 9-255.

Software Attacks on Hardware Wallets – Sergei Volokitin

struct cx_hash_header_s {

cx_md_t algo;

unsigned int counter;

};

if (!known_algo(context->algo)) return [invalid hash algorithm]; if (!access_allowed(context, needed_len(context)) return [security error];

Debug app installation flag

• There are per-application flags you can set, such as:

• Application with debug flag can read ~16kB of flash belonging to another app!

Software Attacks on Hardware Wallets – Sergei Volokitin

Debug app installation flag

30

U2F App Flash

BTC App Flash

System Flash

Debug App Flash

Debug app installation flag

31

U2F App Flash

BTC App Flash

System Flash

Debug App Flash

Debug app installation flag

32

Debug App Flash

BTC App Flash

System Flash

Debug app installation flag

33

BTC App Flash

System Flash

Debug App Flash

Debug app installation flag

34

BTC App Flash

System Flash

Debug App Flash

Debug app installation flag

35

BTC App Flash

System Flash

Debug App Flash

DEMO

Software Attacks on Hardware Wallets – Sergei Volokitin

Flash is not cleared upon device reset

• User applications are not removed after device wipe…

• Good news: the global seed is reset!

• Wallet keys should be derived from seed at runtime

• most apps (e.g. Btc) do this...

Software Attacks on Hardware Wallets – Sergei Volokitin

uid counter init_flag hmacKey padding

U2F flash contents before/after reset

Software Attacks on Hardware Wallets – Sergei Volokitin

Summary

• Several vulnerabilities identified in Ledger Nano S

• Most severe consequence: U2F keys were not safe

• Ledger fixed all these vulnerabilities in a timely manner

• Bounty programs work!

• Closed source SE firmware => No community code reviews

Software Attacks on Hardware Wallets – Sergei Volokitin

What did we learn?

• Don’t trust Trusted Applications

• Hardware wallets still have software flaws

• Reset means reset – clear all that data!

Software Attacks on Hardware Wallets – Sergei Volokitin

Q&A

Sergei Volokitin

volokitin@riscure.com

I wish I was giving this talk

V7. Supply chain attack • Attacker can install open-source bitcoin wallet

• CustomCA keys can be enrolled to ease development process

• CustomCA keys are not deleted upon reset

Supply chain attack:

• Buy bunch of hardware wallets

• Enroll CustomCA keys

• Install modified malicious Bitcoin application signed with CastomCA keys

• indistinguishable from genuine

• Enter the PIN three times so it goes to the reset state

• Sell devices for half-the-price

• Only reinstallation of the applets can prevent an attack Software Attacks on Hardware Wallets – Sergei Volokitin