2. Introduction
• Security Analyst at Riscure, Netherlands
• Likes:
• Smart cards
• TEE
• Secure devices
• Breaking stuff
• Doesn’t like:
• Delayed visas
Sergei Volokitin (not Alyssa)
3. What is a hardware wallet?
• Connects to smartphone / PC
• Stores and uses private keys
• Mainly used for cryptocurrency private keys
• Super secure
https://www.ledgerwallet.com/products/ledger-nano-s
https://www.keepkey.com/wp-content/uploads/2014/08/12121301/shapeshift-large.jpg
https://trezor.io/start/
https://bitfi.com/bitfi-wallet
Software Attacks on Hardware Wallets – Sergei Volokitin
4. Who is the attacker?
Physical access
Supply chain
Malware on PC
5. What are the defenses?
• Secrets don’t leave device
• Tamper-resistant
• Keep secrets in a Secure Element
• Secure software updates
7. Why Ledger?
• Fairly new/interesting
• Based on a certified Secure Element
• Multi-app support (Btc, Eth, …)
• Support for custom applications on SE
10. Who is the attacker?
Malware app
Physical access
Supply chain
11. Ledger Nano S hardware
• STM32 MCU
• Screen, buttons, USB…
• Communication with the SE
• ST31 SE
• BOLOS
• Wallets (Trusted Apps)
• Secure Flash Memory
https://www.ledger.fr/2016/06/09/secure-hardware-and-open-source/
12. • MPU isolates memory
• Application has
• ~16 KB of Flash
• ~1 KB of RAM
• Over 100 syscalls
[Diagram: Secure Flash Memory, Trusted App, BOLOS]
14. [Memory map diagram: App 1, App 2, User RAM, BOLOS RAM, BOLOS; addresses 0x00000000, 0x20000000, 0xFFFFFFFF; one region marked ???]
15. [Diagram: memory bytes 0 1 2 ...]
sha256() syscall
• Sadly: stops working after 8kB!
PTR         LEN         OUTPUT – HASH SHA256
0x00000000  0x00000001  6e340b9c…17afa01d
0x00000000  0x00000002  2ee78837…907c894c
0x00000000  0x00000003  df236376…9017eaac
16. Partial memory disclosure in cx_hash()
• cx_hash() syscall takes a pointer to a context structure
• Only values from 0 to 8 are valid algorithms!
• The algorithm check runs before the access check, so the error returned tells you whether ANY byte in memory is between 0-8 .. or between 9-255.

    struct cx_hash_header_s {
        cx_md_t algo;           /* read and validated before access rights are checked */
        unsigned int counter;
    };

    if (!known_algo(context->algo))                      /* dereferences context first */
        return [invalid hash algorithm];                 /* error depends on the byte at context */
    if (!access_allowed(context, needed_len(context)))   /* access check comes second */
        return [security error];
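An added illustration of the check-order flaw described on this slide next to the defensive fix (model code written for this page, not Ledger's BOLOS source; the flat memory layout, offsets, cx_md_t width and error codes are assumptions):

```c
/* Added example, not Ledger or BOLOS code: models the cx_hash() check-order
 * flaw from the slide next to a hardened variant. Memory layout, offsets,
 * cx_md_t width and error codes are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { ERR_OK = 0, ERR_INVALID_ALGO = 1, ERR_ACCESS = 2 };
#define MAX_ALGO 8      /* slide: only algorithm ids 0..8 are valid */
/* Constructed flat memory; the app may only read [APP_BASE, APP_BASE+APP_LEN). */
static uint8_t g_mem[64];
#define APP_BASE 32
#define APP_LEN  32
typedef uint8_t cx_md_t;                                  /* assumed width */
struct cx_hash_header_s { cx_md_t algo; unsigned int counter; };

static int access_allowed(size_t ctx_off, size_t needed) {
    return ctx_off >= APP_BASE && ctx_off + needed <= APP_BASE + APP_LEN;
}

/* Vulnerable order, as on the slide: the algorithm id is read and validated
 * before the caller's right to read the context is checked. */
int cx_hash_vulnerable(size_t ctx_off) {
    cx_md_t algo = g_mem[ctx_off];                        /* deref first */
    if (algo > MAX_ALGO) return ERR_INVALID_ALGO;         /* error depends on byte */
    if (!access_allowed(ctx_off, sizeof(struct cx_hash_header_s))) return ERR_ACCESS;
    return ERR_OK;
}

/* Hardened order: authorize the whole context range before touching it, so an
 * out-of-range pointer always yields the same error whatever the byte holds. */
int cx_hash_fixed(size_t ctx_off) {
    if (!access_allowed(ctx_off, sizeof(struct cx_hash_header_s))) return ERR_ACCESS;
    cx_md_t algo = g_mem[ctx_off];
    if (algo > MAX_ALGO) return ERR_INVALID_ALGO;
    return ERR_OK;
}

/* Returns 1 if the error for a context outside the app's range changes with
 * the byte stored there, i.e. the syscall acts as a memory-content oracle. */
int leaks_memory(int (*fn)(size_t)) {
    size_t off = 0;                                       /* outside app range */
    g_mem[off] = 3;   int r_valid   = fn(off);            /* byte in 0..8 */
    g_mem[off] = 200; int r_invalid = fn(off);            /* byte in 9..255 */
    return r_valid != r_invalid;
}

int main(void) {
    printf("leaks: vulnerable=%d fixed=%d\n", leaks_memory(cx_hash_vulnerable), leaks_memory(cx_hash_fixed));
    return 0;
}
```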
17. Debug app installation flag
• There are per-application flags you can set, such as the debug flag
• Application with debug flag can read ~16kB of flash belonging to another app!
25. Flash is not cleared upon device reset
• User applications are not removed after device wipe…
• Good news: the global seed is reset!
• Wallet keys should be derived from seed at runtime
• most apps (e.g. Btc) do this...
28. [Diagram: U2F flash contents before/after reset; fields uid, counter, init_flag, hmacKey, padding]
29. Summary
• Several vulnerabilities identified in Ledger Nano S
• Most severe consequence: U2F keys were not safe
• Ledger fixed all these vulnerabilities in a timely manner
• Bounty programs work!
• Closed source SE firmware => No community code reviews
30. What did we learn?
• Don’t trust Trusted Applications
• Hardware wallets still have software flaws
• Reset means reset – clear all that data!
32. V7. Supply chain attack
• Attacker can install open-source bitcoin wallet
• CustomCA keys can be enrolled to ease the development process
• CustomCA keys are not deleted upon reset
Supply chain attack:
• Buy a bunch of hardware wallets
• Enroll CustomCA keys
• Install modified malicious Bitcoin application signed with CustomCA keys
• indistinguishable from genuine
• Enter the PIN three times so it goes to the reset state
• Sell devices for half the price
• Only reinstallation of the applets can prevent the attack