Gian on Nostr: Threat models and Dark Skippy Source: @reardencode on X The world of hardware signing ...
Threat models and Dark Skippy
Source: @reardencode on X
The world of hardware signing device security was given a shake by the announcement of the Dark Skippy
method for a signing device to leak secrets. It has been known for years
that a malicious signing device could potentially exfiltrate secret data from the secure, offline device via the signatures it produces, but this new method improves on the state of the art in 2 important ways:
Dark Skippy enables the attacker to extract the secret data in just a few signatures rather than approximately 64.
Dark Skippy enables the attacker to extract any secret data, not only the secret key specifically being used in signing.
That sounds pretty bad. Surely this requires immediate attention of all hardware signing device makers! Not so fast. In order to decide how important this new attack is to us, we need to model the threat.
First, to use Dark Skippy, the attacker must have their code running on a user's signing device, in the portion of the device with access to the secret keys. All reputable signing device manufacturers (except SeedSigner) require signed firmware images, so an attacker would either have to compromise the device's signature verification or modify the hardware to install the attack code. The level of difficulty here varies widely from device to device, but in all cases, the attacker must compromise the supply chain to install the attack. This is not an attack that can be performed remotely either. The attacker has to physically intercept devices and reprogram or modify them.
Second, the sad reality of the bitcoin space is that attacks such as the one publicized by Junseth
are effective ways to steal people's bitcoin. These attacks do not require cryptography and do not require physically intercepting device shipments. Beyond these social engineering attacks, malware on a user's general purpose computer (laptop) is the next best way for attackers to steal users' bitcoin from the comfort of their own home. Even more sadly, the other likely way that a user will lose their bitcoin is through their own error in setting up their wallet or transferring bitcoin to that wallet.
Third, hardware signing device manufacturers employ a wide array of techniques to protect against exactly this category of supply chain compromise. From tamper evident packaging, to serialized chips that can be cryptographically verified with the vendor, to epoxy potting or ultrasonic welding, cross-component verification, and more.
The rewards of this category of attack must be much higher than easier attacks for the significantly higher costs and risks to be justified. This limits the applicability of this attack category to the likes of organized crime (both governmental and extra-governmental).
Next, we need to talk about the target, you. You have some bitcoin, and you secure it using some (or some combination of) hardware signing device. What is the likelihood that your specific device was compromised by this category of attack at the time that you bought it? How can you personally protect yourself from this attack?
Am I safe?
If your device is any of ColdCard, Trezor Safe 3/5, Ledger, BitBox02, Keystone Pro 3, BitKey; and it arrived directly from the manufacturer (or a trusted reseller) on time and in the expected condition, your device is not compromised.
There are 3 commonly used devices for whom this threat is more material:
Trezor devices without a secure element (SE)
Blockstream Jade
SeedSigner
These devices are more vulnerable because an attacker can install malicious firmware without physically modifying the device.
With any reputable device other than SeedSigner that was not physically modified, if you have installed upgraded firmware (whose signature you verified) since receiving your device and observed the expected change in behavior from the new firmware, your device is not compromised.
What about SeedSigner?
SeedSigner was used to demonstrate this attack (rather than Trezor w/o SE or Jade) because it requires no hacking of any sort to swap the firmware on the device. It is fair to say that SeedSigner is therefore the most vulnerable reputable device to this type of attack. However, even with SeedSigner: if you assembled the device yourself, and have installed firmware whose signature you verified, you are very likely safe.
I cannot make a confident assertion that you are not compromised even if you did assemble your SeedSigner yourself because SeedSigner uses more 3rd party software than others and (if you are targeted by organized crime) the SeedSigner board includes a sufficiently complex embedded firmware (that you do not replace when you install the SeedSigner software on the SD card) that the embedded firmware itself could implement this category of attack.
What do I do now?
If you are concerned that your device may have been compromised, my primary advice is to review the "Am I Safe?" section and put yourself into a posture that is safe from this attack before broadcasting your next transaction. As long as you do not publish any transactions produced from a potentially compromised device, your secrets remain safe.
However, there is one other way to gain near perfect confidence in your current device. Because all of the devices mentioned herein use RFC6979 for ECDSA signing and many of them use deterministic nonces for BIP340 signing as well (despite BIP340 recommending adding auxiliary randomness), you can compare signatures from your device with another implementation of their specified signature algorithm. Producing a random number of signatures for random sized fake UTXOs and various transaction topologies is recommended to overcome attempts to hide the exfiltration behavior. This should be considered an advanced mitigation, so do not attempt it if this sounds difficult.
Other risks from a compromised device
The other detail that was often omitted from the discussion of this vulnerability is that a malicious signing device has many other ways to attack its user. Some of these are pretty easy to mitigate, others are not.
A malicious device could produce weak seeds that the attacker is scanning for. This is harder to detect than Dark Skippy, but may not target as high value of wallets (as those wallets are more likely to bring their own seed). You can fully mitigate this type of attack by producing your own seed using some form of physical entropy and a verifiable algorithm (dice rolls, word picking, etc.).
A malicious device could leak secrets in other ways - it can emulate other USB devices and attempt to open a URL that includes the secret, it can post QR codes or NFC messages that include the secret and which host devices are likely to kindly offer to open for the user, it can include a wifi or cellular chip to directly transmit the secret, and probably more.
My point here is that Dark Skippy does not materially change the threat landscape. If you have a malicious device, you are in trouble. Find a way to ensure that you do not have a malicious device.
Conclusion
FUD sells - while this attack is exciting from a cryptography / security nerd point of view, it does not really shift the threat landscape for hardware signers. Everything I wrote about device safety applied equally before this attack.
The best hardware signing device for you is the one that you have and use. There are many different devices that can all be used to increase your security, especially when used in a multi-signature setup.
Using a Raspberry Pi based SeedSigner with high confidence is difficult. When ESP32-SeedSigner is available, it will be in the same security class as Jade (or possibly slightly higher due to supply chain risk mitigation).
Source: @reardencode on X
The world of hardware signing device security was given a shake by the announcement of the Dark Skippy
method for a signing device to leak secrets. It has been known for years
that a malicious signing device could potentially exfiltrate secret data from the secure, offline device via the signatures it produces, but this new method improves on the state of the art in 2 important ways:
Dark Skippy enables the attacker to extract the secret data in just a few signatures rather than approximately 64.
Dark Skippy enables the attacker to extract any secret data, not only the secret key specifically being used in signing.
That sounds pretty bad. Surely this requires immediate attention of all hardware signing device makers! Not so fast. In order to decide how important this new attack is to us, we need to model the threat.
First, to use Dark Skippy, the attacker must have their code running on a user's signing device, in the portion of the device with access to the secret keys. All reputable signing device manufacturers (except SeedSigner) require signed firmware images, so an attacker would either have to compromise the device's signature verification or modify the hardware to install the attack code. The level of difficulty here varies widely from device to device, but in all cases, the attacker must compromise the supply chain to install the attack. This is not an attack that can be performed remotely either. The attacker has to physically intercept devices and reprogram or modify them.
Second, the sad reality of the bitcoin space is that attacks such as the one publicized by Junseth
are effective ways to steal people's bitcoin. These attacks do not require cryptography and do not require physically intercepting device shipments. Beyond these social engineering attacks, malware on a user's general purpose computer (laptop) is the next best way for attackers to steal users' bitcoin from the comfort of their own home. Even more sadly, the other likely way that a user will lose their bitcoin is through their own error in setting up their wallet or transferring bitcoin to that wallet.
Third, hardware signing device manufacturers employ a wide array of techniques to protect against exactly this category of supply chain compromise. From tamper evident packaging, to serialized chips that can be cryptographically verified with the vendor, to epoxy potting or ultrasonic welding, cross-component verification, and more.
The rewards of this category of attack must be much higher than easier attacks for the significantly higher costs and risks to be justified. This limits the applicability of this attack category to the likes of organized crime (both governmental and extra-governmental).
Next, we need to talk about the target, you. You have some bitcoin, and you secure it using some (or some combination of) hardware signing device. What is the likelihood that your specific device was compromised by this category of attack at the time that you bought it? How can you personally protect yourself from this attack?
Am I safe?
If your device is any of ColdCard, Trezor Safe 3/5, Ledger, BitBox02, Keystone Pro 3, BitKey; and it arrived directly from the manufacturer (or a trusted reseller) on time and in the expected condition, your device is not compromised.
There are 3 commonly used devices for whom this threat is more material:
Trezor devices without a secure element (SE)
Blockstream Jade
SeedSigner
These devices are more vulnerable because an attacker can install malicious firmware without physically modifying the device.
With any reputable device other than SeedSigner that was not physically modified, if you have installed upgraded firmware (whose signature you verified) since receiving your device and observed the expected change in behavior from the new firmware, your device is not compromised.
What about SeedSigner?
SeedSigner was used to demonstrate this attack (rather than Trezor w/o SE or Jade) because it requires no hacking of any sort to swap the firmware on the device. It is fair to say that SeedSigner is therefore the most vulnerable reputable device to this type of attack. However, even with SeedSigner: if you assembled the device yourself, and have installed firmware whose signature you verified, you are very likely safe.
I cannot make a confident assertion that you are not compromised even if you did assemble your SeedSigner yourself because SeedSigner uses more 3rd party software than others and (if you are targeted by organized crime) the SeedSigner board includes a sufficiently complex embedded firmware (that you do not replace when you install the SeedSigner software on the SD card) that the embedded firmware itself could implement this category of attack.
What do I do now?
If you are concerned that your device may have been compromised, my primary advice is to review the "Am I Safe?" section and put yourself into a posture that is safe from this attack before broadcasting your next transaction. As long as you do not publish any transactions produced from a potentially compromised device, your secrets remain safe.
However, there is one other way to gain near perfect confidence in your current device. Because all of the devices mentioned herein use RFC6979 for ECDSA signing and many of them use deterministic nonces for BIP340 signing as well (despite BIP340 recommending adding auxiliary randomness), you can compare signatures from your device with another implementation of their specified signature algorithm. Producing a random number of signatures for random sized fake UTXOs and various transaction topologies is recommended to overcome attempts to hide the exfiltration behavior. This should be considered an advanced mitigation, so do not attempt it if this sounds difficult.
Other risks from a compromised device
The other detail that was often omitted from the discussion of this vulnerability is that a malicious signing device has many other ways to attack its user. Some of these are pretty easy to mitigate, others are not.
A malicious device could produce weak seeds that the attacker is scanning for. This is harder to detect than Dark Skippy, but may not target as high value of wallets (as those wallets are more likely to bring their own seed). You can fully mitigate this type of attack by producing your own seed using some form of physical entropy and a verifiable algorithm (dice rolls, word picking, etc.).
A malicious device could leak secrets in other ways - it can emulate other USB devices and attempt to open a URL that includes the secret, it can post QR codes or NFC messages that include the secret and which host devices are likely to kindly offer to open for the user, it can include a wifi or cellular chip to directly transmit the secret, and probably more.
My point here is that Dark Skippy does not materially change the threat landscape. If you have a malicious device, you are in trouble. Find a way to ensure that you do not have a malicious device.
Conclusion
FUD sells - while this attack is exciting from a cryptography / security nerd point of view, it does not really shift the threat landscape for hardware signers. Everything I wrote about device safety applied equally before this attack.
The best hardware signing device for you is the one that you have and use. There are many different devices that can all be used to increase your security, especially when used in a multi-signature setup.
Using a Raspberry Pi based SeedSigner with high confidence is difficult. When ESP32-SeedSigner is available, it will be in the same security class as Jade (or possibly slightly higher due to supply chain risk mitigation).