1

One selling point of the Trezor crypto currency wallets is that they are, supposedly, "open source".

It is not clear to me exactly what assurance this provides, since I do not know what relationship exists between the published open source code that I and others can inspect and the behavior of the physical device I have in my hand.

In particular, I can think of at least two possible vulnerabilities:

  1. the software installed in the device is different from the published open-source software;
  2. the device's hardware behaves in some harmful way (maliciously or not) that is independent of what the published open-source software specifies; (for example, how would I know that my Trezor or my YubiKey does not harbor a keylogger?)

My question is: how are hardware-based security peripherals (like hardware wallets, YubiKeys, etc.) audited to guarantee against such problems?

Of course, it goes without saying that if such a security hole ever comes to light would certainly doom the manufacturer's existence, but this consideration has little weight in the short term from the customer's point of view. (As security becomes stronger, one can expect more and more extreme tactics to subvert it, including ones that would doom a company's existence.)

kjo
  • 1,043
  • 2
  • 9
  • 15

1 Answers1

3

This is exactly the common problem of root trust in computer science.

You must trust someone/something to behave as advertised. It can be reworded "putting an anchor on trust", from which "trust anchors" are a common concept.

Basically you must trust both that Satoshilab, the maker of Trezor, sends the correct firmware to factory, and that the factory is not voluntarily altering the manufactured device (which is a problem for Satoshilab themselves).

There is no definite answer, as you wouldn't just be easily auditing yourself your own Intel/AMD-based computer. As @schroeder commented, you can ask the very same question about basically every single piece of hardware you buy and every single ISO image of binary software you download, open source fully included.

So external audits come into. An increasing number of companies are relying on trusted third parties to audit their code and their design process, and publish those reports without disclosing industrial/trade secrets. In this context, there is no trade secret in open source, but think about WhatsApp...

About Trezor, the best I could find is the CTO's answer on Reddit to the same question

The code is continuously being reviewed and improved by independent (e.g. Saleem Rashid, Sunny) and semi-independent (Jochen Hoenicke and Christian Reitter) security researchers. Even our competitors are looking at our every move and have sent us some reports and ideas for improvements.

Here is a report from security researcher Saleem Rashid about Extracting TREZOR Secrets from SRAM.

It's the company business to verify that neither firmware nor hardware circuits are altered by the factory.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35