[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:19.26,Default,,0000,0000,0000,,{\i1}35C3 preroll music{\i0}
Dialogue: 0,0:00:19.26,0:00:24.43,Default,,0000,0000,0000,,Herald angel: Welcome everybody to our\Nnext Talk. It's the talk “Wallet.fail”.
Dialogue: 0,0:00:24.43,0:00:28.38,Default,,0000,0000,0000,,As you all know, when you have something\Nvaluable you put it somewhere safe. But as
Dialogue: 0,0:00:28.38,0:00:33.71,Default,,0000,0000,0000,,we as hackers also know there is no place\Nthat is really safe and our three speakers
Dialogue: 0,0:00:33.71,0:00:39.06,Default,,0000,0000,0000,,Thomas, Dmitry and Josh are now going to\Ndemonstrate in the next hour the art of
Dialogue: 0,0:00:39.06,0:00:43.59,Default,,0000,0000,0000,,completely breaking something apart. So\Nplease give a big round of applause for
Dialogue: 0,0:00:43.59,0:00:47.97,Default,,0000,0000,0000,,Thomas, Dmitry and Josh and have a lot of\Nfun.
Dialogue: 0,0:00:47.97,0:00:51.79,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:00:51.79,0:00:55.36,Default,,0000,0000,0000,,Dmitry: So just just to start, I'm\Ncurious how many people here actually own
Dialogue: 0,0:00:55.36,0:01:02.30,Default,,0000,0000,0000,,cryptocurrency. Raise your hand. And how\Nmany of you store it on a hardware wallet?
Dialogue: 0,0:01:02.30,0:01:09.42,Default,,0000,0000,0000,,So we're very sorry to everyone who has\Ntheir hand up. OK. So it's not just me.
Dialogue: 0,0:01:09.42,0:01:15.39,Default,,0000,0000,0000,,It's me, Josh and Thomas. So we're all\Nhardware people. We do low level hardware
Dialogue: 0,0:01:15.39,0:01:21.20,Default,,0000,0000,0000,,stuff in varying degrees and we got into\Ncryptocurrency and so I can recommend to
Dialogue: 0,0:01:21.20,0:01:25.37,Default,,0000,0000,0000,,everyone sitting in this room if you're a\Nsecurity person. There's not a lot of
Dialogue: 0,0:01:25.37,0:01:31.34,Default,,0000,0000,0000,,people doing security and cryptocurrency\Nas much as that's painful to hear. So yeah
Dialogue: 0,0:01:31.34,0:01:36.11,Default,,0000,0000,0000,,I mean a lot of this is based on reverse\Nengineering. We love cryptocurrency.
Dialogue: 0,0:01:36.11,0:01:40.66,Default,,0000,0000,0000,,I mean for us crypto also stands for\Ncryptography not just crypto currency, but
Dialogue: 0,0:01:40.66,0:01:45.73,Default,,0000,0000,0000,,no offense to anyone with this talk. It's\Njust something that it's a category that
Dialogue: 0,0:01:45.73,0:01:49.87,Default,,0000,0000,0000,,we looked at. And so the results kind of\Nspeak for themselves. And again this
Dialogue: 0,0:01:49.87,0:01:53.70,Default,,0000,0000,0000,,wouldn't be possible alone. So we have a\Nlot of people to thank. I'm not going to
Dialogue: 0,0:01:53.70,0:01:57.84,Default,,0000,0000,0000,,go through all of them individually. Just\Nbe knowing that we're thankful to everyone
Dialogue: 0,0:01:57.84,0:02:03.80,Default,,0000,0000,0000,,on this, on the slide. So yes, so we\Nstarted this about six months ago. So we
Dialogue: 0,0:02:03.80,0:02:07.29,Default,,0000,0000,0000,,wanted to take a look at cryptocurrency\Nbecause we own some cryptocurrency
Dialogue: 0,0:02:07.29,0:02:12.89,Default,,0000,0000,0000,,ourselves and we saw that everyone's using\Ncryptocurrency wallets. It's more and more
Dialogue: 0,0:02:12.89,0:02:18.71,Default,,0000,0000,0000,,the thing that you do. So we started a\Ngroup chat as you do nowadays. And we have
Dialogue: 0,0:02:18.71,0:02:26.35,Default,,0000,0000,0000,,50000 messages now and 1100 images. And I\Nhad my first, I had my son in the meantime
Dialogue: 0,0:02:26.35,0:02:30.82,Default,,0000,0000,0000,,as well. So it's a really long time that\Nwe been looking at this, etc.
Dialogue: 0,0:02:30.82,0:02:33.17,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:02:33.17,0:02:37.48,Default,,0000,0000,0000,,OK, so what do we want to achieve\Nthough? Because people don't give
Dialogue: 0,0:02:37.48,0:02:40.78,Default,,0000,0000,0000,,the kinds of attacks so you can\Nactually perform against
Dialogue: 0,0:02:40.78,0:02:44.35,Default,,0000,0000,0000,,cryptocurrency wallets enough credit.\NSo first attack is supply chain attacks
Dialogue: 0,0:02:44.35,0:02:47.91,Default,,0000,0000,0000,,where you are able to manipulate the \Ndevices before they get
Dialogue: 0,0:02:47.91,0:02:51.41,Default,,0000,0000,0000,,to the end customer.\NFirmware vulnerabilities, where you find a
Dialogue: 0,0:02:51.41,0:02:55.17,Default,,0000,0000,0000,,vulnerability in the firmware and can\Nsomehow either infect or do something else
Dialogue: 0,0:02:55.17,0:02:58.88,Default,,0000,0000,0000,,with the device. Side-channel attacks of\Ncourse. I think that's one of the more
Dialogue: 0,0:02:58.88,0:03:02.66,Default,,0000,0000,0000,,obvious ones that people are familiar\Nwith. And also chip-level vulnerabilities.
Dialogue: 0,0:03:02.66,0:03:06.38,Default,,0000,0000,0000,,So we were able to find one of each of\Nthese. And so that's the talk that we're
Dialogue: 0,0:03:06.38,0:03:10.75,Default,,0000,0000,0000,,going to talk about each one of these\Nindividually. But first, what's a wallet?
Dialogue: 0,0:03:10.75,0:03:15.16,Default,,0000,0000,0000,,Just in case you are not 100 percent\Nfamiliar with them. So a wallet, and in
Dialogue: 0,0:03:15.16,0:03:19.46,Default,,0000,0000,0000,,general cryptocurrency how do you do this,\Nit's just asymmetric cryptography. So you
Dialogue: 0,0:03:19.46,0:03:24.27,Default,,0000,0000,0000,,have a private key and a public key. The\Npublic key, basically, it gives you the
Dialogue: 0,0:03:24.27,0:03:28.94,Default,,0000,0000,0000,,address. You can derive the address from\Nthis. The address is nothing other than
Dialogue: 0,0:03:28.94,0:03:33.02,Default,,0000,0000,0000,,the public key of the wallet and you have\Nthe private key and you need this to send
Dialogue: 0,0:03:33.02,0:03:37.66,Default,,0000,0000,0000,,transactions, so to actually operate with\Nthe cryptocurrency. So this, the private
Dialogue: 0,0:03:37.66,0:03:41.63,Default,,0000,0000,0000,,key, is what needs to be kept secret. The\Npublic key is something that everyone can
Dialogue: 0,0:03:41.63,0:03:45.83,Default,,0000,0000,0000,,know so that they can send cryptocurrency\Nto you. But it kind of sucks to have a
Dialogue: 0,0:03:45.83,0:03:50.19,Default,,0000,0000,0000,,separate for each cryptocurrency-pair or\Nfor each wallet maybe even multiple
Dialogue: 0,0:03:50.19,0:03:55.83,Default,,0000,0000,0000,,wallets. It sucks to generate a new\Ncryptographic pair for each one of them.
Dialogue: 0,0:03:55.83,0:04:00.39,Default,,0000,0000,0000,,So the people, the wonderful people,\Nbehind bitcoin have thought of something
Dialogue: 0,0:04:00.39,0:04:06.83,Default,,0000,0000,0000,,for this and it's called BIP32/BIP44. And,\Nso, what it is is you have a cryptographic
Dialogue: 0,0:04:06.83,0:04:13.81,Default,,0000,0000,0000,,seed and you can actually derive the\Naccounts from a single seed. So you
Dialogue: 0,0:04:13.81,0:04:18.16,Default,,0000,0000,0000,,basically store one seed and you're able\Nto implement and do unlimited amount of
Dialogue: 0,0:04:18.16,0:04:23.48,Default,,0000,0000,0000,,wallets. Okay. So basically you do key\Nderivation, you add some data, do key
Dialogue: 0,0:04:23.48,0:04:27.33,Default,,0000,0000,0000,,derivation and you can have an unlimited\Namount of wallets while storing a single
Dialogue: 0,0:04:27.33,0:04:31.29,Default,,0000,0000,0000,,seed. And this is what you're using when\Nyou're using a hardware wallet. So and of
Dialogue: 0,0:04:31.29,0:04:35.24,Default,,0000,0000,0000,,course for each key derivation there will\Nbe a new private key and a public key, but
Dialogue: 0,0:04:35.24,0:04:38.76,Default,,0000,0000,0000,,it will be generated in a predictable\Nmanner and you only need a store one
Dialogue: 0,0:04:38.76,0:04:42.63,Default,,0000,0000,0000,,secret seed. So you only have to store the\Nseed. You can write it down, and that's
Dialogue: 0,0:04:42.63,0:04:46.73,Default,,0000,0000,0000,,the advantage. But it's difficult to write\Ndown because it's binary data. So come
Dialogue: 0,0:04:46.73,0:04:52.16,Default,,0000,0000,0000,,BIP39, which is what you're most used to,\Nwhich is a format in which you can take
Dialogue: 0,0:04:52.16,0:04:55.88,Default,,0000,0000,0000,,that cryptographic seed, that binary data,\Nand actually convert it to a set of
Dialogue: 0,0:04:55.88,0:05:00.02,Default,,0000,0000,0000,,dictionary words that you can then easily\Nwrite down on a piece of paper and store
Dialogue: 0,0:05:00.02,0:05:03.89,Default,,0000,0000,0000,,it at your mother's house, or store half\Nof it at your mother's house and half of
Dialogue: 0,0:05:03.89,0:05:07.71,Default,,0000,0000,0000,,it at your grandmother's house. And that\Nway somebody would have to go into both
Dialogue: 0,0:05:07.71,0:05:13.82,Default,,0000,0000,0000,,houses simultaneously to get your words.\NSo yeah. So what's a hardware wallet?
Dialogue: 0,0:05:13.82,0:05:17.80,Default,,0000,0000,0000,,So we just talked about what's a wallet.\NSo why do you even need a hardware wallet?
Dialogue: 0,0:05:17.80,0:05:22.37,Default,,0000,0000,0000,,Well, the problem is, of course, computers\Ncan get backdoored, have malware running
Dialogue: 0,0:05:22.37,0:05:26.38,Default,,0000,0000,0000,,on them and this is what you want to pre-\Nvent against. How do you do this? You have
Dialogue: 0,0:05:26.38,0:05:30.14,Default,,0000,0000,0000,,a secure device, you store your seeds\Nexternally. Usually, this is a USB-
Dialogue: 0,0:05:30.14,0:05:35.18,Default,,0000,0000,0000,,connected device that you store your\Ncrypto on and so you can trust this even
Dialogue: 0,0:05:35.18,0:05:39.10,Default,,0000,0000,0000,,if you can't trust your computer. This is\Nthe idea. So what happens is the computer
Dialogue: 0,0:05:39.10,0:05:42.94,Default,,0000,0000,0000,,sends the transaction to the device. The\Ndevice gets the transaction, it can
Dialogue: 0,0:05:42.94,0:05:46.66,Default,,0000,0000,0000,,actually confirm or deny the transaction.\NIt also displays the transaction. So
Dialogue: 0,0:05:46.66,0:05:50.43,Default,,0000,0000,0000,,before you do any cryptographic signing,\Nyou can see is that actually what I was
Dialogue: 0,0:05:50.43,0:05:55.37,Default,,0000,0000,0000,,doing or was my computer owned and is it\Ninitiating the transaction for me? So you
Dialogue: 0,0:05:55.37,0:06:00.41,Default,,0000,0000,0000,,sign the transaction and also, yeah, the\Nseed never leaves the transaction, but the
Dialogue: 0,0:06:00.41,0:06:04.16,Default,,0000,0000,0000,,hardware signs a transaction for you. You\Nsend it back to the computer and the
Dialogue: 0,0:06:04.16,0:06:09.61,Default,,0000,0000,0000,,computer can actually take that and send\Nit to the Internet. OK? So that's a quick
Dialogue: 0,0:06:09.61,0:06:14.92,Default,,0000,0000,0000,,rundown of how crypto or, sorry, how\Nhardware wallets work. So the first thing
Dialogue: 0,0:06:14.92,0:06:19.89,Default,,0000,0000,0000,,that we looked at was supply chain attacks\Nwhich is where Josh gonna pick up. You
Dialogue: 0,0:06:19.89,0:06:26.41,Default,,0000,0000,0000,,have a mic. Oh sorry.\NJosh: Ok, so the three big things I want
Dialogue: 0,0:06:26.41,0:06:30.03,Default,,0000,0000,0000,,to leave you with as we go through the\Nsupply chain attacks are, stickers for
Dialogue: 0,0:06:30.03,0:06:34.21,Default,,0000,0000,0000,,laptops, they are not for security. So\Nwe're going to be talking about stickers
Dialogue: 0,0:06:34.21,0:06:39.33,Default,,0000,0000,0000,,today. They're there for laptop\Ndecorations, they are not for security.
Dialogue: 0,0:06:39.33,0:06:43.22,Default,,0000,0000,0000,,Supply chain attacks are easy to perform,\Nbut they're quite hard to perform at
Dialogue: 0,0:06:43.22,0:06:47.62,Default,,0000,0000,0000,,scale. And the last takeaway that I will\Nleave you with is that, the vendor's
Dialogue: 0,0:06:47.62,0:06:52.72,Default,,0000,0000,0000,,threat model may not actually be your\Nthreat model. So security stickers, some
Dialogue: 0,0:06:52.72,0:06:56.46,Default,,0000,0000,0000,,of the wallet vendors are using them. I\Nhave seen them on other products, they
Dialogue: 0,0:06:56.46,0:07:01.29,Default,,0000,0000,0000,,seem to be quite popular. I have a friend\Nand colleague named Joe Fitzpatrick, he
Dialogue: 0,0:07:01.29,0:07:06.69,Default,,0000,0000,0000,,also likes stickers. So the stickers that\Nhe makes are the same as we find on his
Dialogue: 0,0:07:06.69,0:07:11.29,Default,,0000,0000,0000,,security product. They have holograms.\NThey have unique serial numbers. And they
Dialogue: 0,0:07:11.29,0:07:16.38,Default,,0000,0000,0000,,leave you with that nice warm fuzzy\Nsecurity feeling. Joe makes some funny
Dialogue: 0,0:07:16.38,0:07:21.69,Default,,0000,0000,0000,,ones. You can get a Fitz 140-2 approved\Nstickers. You don't have to pay the money
Dialogue: 0,0:07:21.69,0:07:27.41,Default,,0000,0000,0000,,for the FIPS one, just get the Fitz one.\NSo the first device I looked at was the
Dialogue: 0,0:07:27.41,0:07:34.27,Default,,0000,0000,0000,,Trezor One. The Trezor One actually has\Ntwo levels of protection on the packaging.
Dialogue: 0,0:07:34.27,0:07:40.45,Default,,0000,0000,0000,,There's the hologram sticker than the\Nactual box is enclosed with an adhesive.
Dialogue: 0,0:07:40.45,0:07:44.35,Default,,0000,0000,0000,,So it's supposed to be that you actually\Nhave to rip open the box to get into it.
Dialogue: 0,0:07:44.35,0:07:47.83,Default,,0000,0000,0000,,But if you use a hot air gun or a\Nhairdryer it's actually quite easy to
Dialogue: 0,0:07:47.83,0:07:51.95,Default,,0000,0000,0000,,remove. And so if you see on the left\Nthere that's the original package and on
Dialogue: 0,0:07:51.95,0:07:57.49,Default,,0000,0000,0000,,the right this is a box that I opened and\Nput everything back into. And if you look
Dialogue: 0,0:07:57.49,0:08:01.07,Default,,0000,0000,0000,,closely there is a little bit of gap\Nthere. The sticker has a little bit of
Dialogue: 0,0:08:01.07,0:08:05.49,Default,,0000,0000,0000,,break but this was the first try. And it's\Npretty close. So trust me taking a sticker
Dialogue: 0,0:08:05.49,0:08:09.78,Default,,0000,0000,0000,,off is not very hard. Now if you remember\Nthis picture of the sticker cause we're
Dialogue: 0,0:08:09.78,0:08:14.37,Default,,0000,0000,0000,,going to come back to it. So but for the\Nvendor this is actually a real problem so
Dialogue: 0,0:08:14.37,0:08:18.38,Default,,0000,0000,0000,,Trezor did put a blog post out that one of\Nthe challenges they face is that they're
Dialogue: 0,0:08:18.38,0:08:22.82,Default,,0000,0000,0000,,facing counterfeiting of their devices. So\Nthis is from their blog post. They say hey
Dialogue: 0,0:08:22.82,0:08:26.40,Default,,0000,0000,0000,,you know we've noticed that there's\Ncounterfeit devices. You have to look at
Dialogue: 0,0:08:26.40,0:08:30.67,Default,,0000,0000,0000,,the stickers to see that they are legit.\NSo I said remember look at that sticker.
Dialogue: 0,0:08:30.67,0:08:35.01,Default,,0000,0000,0000,,So I bought that case about a year and a\Nhalf ago for my previous DevCon talk and
Dialogue: 0,0:08:35.01,0:08:39.29,Default,,0000,0000,0000,,it's the same sticker that they're saying\Nis fake here. So then on their wiki it's
Dialogue: 0,0:08:39.29,0:08:43.16,Default,,0000,0000,0000,,very confusing because there's three sets\Nof stickers so basically, yeah, stickers
Dialogue: 0,0:08:43.16,0:08:47.89,Default,,0000,0000,0000,,are very confusing. They cause problems\Nfor end users. And I was not even sure if
Dialogue: 0,0:08:47.89,0:08:54.68,Default,,0000,0000,0000,,I bought a real Trezor or a cloned one. So\Nthis morning I got out a new case. And
Dialogue: 0,0:08:54.68,0:08:59.01,Default,,0000,0000,0000,,just to make sure I took off the sticker\Nusing very sophisticated equipment
Dialogue: 0,0:08:59.01,0:09:04.29,Default,,0000,0000,0000,,including a very expensive Dyson hairdryer\Nthat was included in the AirBnB and I was
Dialogue: 0,0:09:04.29,0:09:08.17,Default,,0000,0000,0000,,able to remove the sticker.\NSo it comes off
Dialogue: 0,0:09:08.17,0:09:14.39,Default,,0000,0000,0000,,with zero residue. So yes stickers do\Nnot provide any security. On the Trezor T
Dialogue: 0,0:09:14.39,0:09:18.35,Default,,0000,0000,0000,,they switched it from the box and now the\Nbox can be opened easily. But now there's
Dialogue: 0,0:09:18.35,0:09:24.14,Default,,0000,0000,0000,,a sticker on the USB-C port. Again as you\Nwould expect use hot air and you can
Dialogue: 0,0:09:24.14,0:09:28.94,Default,,0000,0000,0000,,easily remove it. Pro tip: don't set the\Nhot air rework that high I had it set for
Dialogue: 0,0:09:28.94,0:09:33.32,Default,,0000,0000,0000,,lead free reworking and I actually melted\Nthe enclosure. So if you're going to do
Dialogue: 0,0:09:33.32,0:09:37.71,Default,,0000,0000,0000,,this kind of supply chain attack, maybe,\Nno, set the heat a little lower but if you
Dialogue: 0,0:09:37.71,0:09:44.69,Default,,0000,0000,0000,,just google how to remove stickers the\Nsame attack methods work. So this causes
Dialogue: 0,0:09:44.69,0:09:49.75,Default,,0000,0000,0000,,a bit of confusion because the ledger\Ndevice has a very, I will say, in your
Dialogue: 0,0:09:49.75,0:09:55.21,Default,,0000,0000,0000,,face a piece of paper when you open the\Nbox it says there are no stickers in this
Dialogue: 0,0:09:55.21,0:10:02.00,Default,,0000,0000,0000,,box. However I combed through about 250\N1-star Amazon reviews and a lot of them
Dialogue: 0,0:10:02.00,0:10:06.22,Default,,0000,0000,0000,,have to do with confusion about the\Nstickers. So some of them are actually
Dialogue: 0,0:10:06.22,0:10:10.73,Default,,0000,0000,0000,,quite funny. So this this one started out\N"Note to wallet hackers", so I was really
Dialogue: 0,0:10:10.73,0:10:15.41,Default,,0000,0000,0000,,into this. So I was like, OK, pro tip\Nwhat's this guy have to say? And basically
Dialogue: 0,0:10:15.41,0:10:18.94,Default,,0000,0000,0000,,he was complaining that there's\Nfingerprints on the device. That's how he
Dialogue: 0,0:10:18.94,0:10:23.88,Default,,0000,0000,0000,,knew it was hacked. Another one complained\Nthat the fingerprints were on the wallet
Dialogue: 0,0:10:23.88,0:10:27.69,Default,,0000,0000,0000,,and there was a hair underneath. So if\Nyou're doing supply chain attacks be sure
Dialogue: 0,0:10:27.69,0:10:32.39,Default,,0000,0000,0000,,to remove any evidence of your\Nfingerprints or hair. So anyway stickers
Dialogue: 0,0:10:32.39,0:10:36.61,Default,,0000,0000,0000,,don't work. That's all I want to say about\Nthat. Once you get through this enclosure
Dialogue: 0,0:10:36.61,0:10:40.86,Default,,0000,0000,0000,,though you then have to have the challenge\Nof actually opening the enclosure. These
Dialogue: 0,0:10:40.86,0:10:44.77,Default,,0000,0000,0000,,are three different wallet devices: Ledger\NNano on the left, the Trezor One and the
Dialogue: 0,0:10:44.77,0:10:49.24,Default,,0000,0000,0000,,Trezor T on the bottom all of which\Nactually open pretty easily. So the Trezor
Dialogue: 0,0:10:49.24,0:10:53.58,Default,,0000,0000,0000,,One, even, so, I'm still not sure if\Nthat's the counterfeit or the real one,
Dialogue: 0,0:10:53.58,0:10:57.93,Default,,0000,0000,0000,,but I get on the on the real one today. I\Nwas able to pop open enclosure. So it is
Dialogue: 0,0:10:57.93,0:11:01.66,Default,,0000,0000,0000,,ultra sonically welded but you can pry it\Nin there and open it. The Ledger Nano
Dialogue: 0,0:11:01.66,0:11:06.07,Default,,0000,0000,0000,,opens very easily, like, without any\Nequipment. But once you do this, you know
Dialogue: 0,0:11:06.07,0:11:09.69,Default,,0000,0000,0000,,what do you do once it's opened? So the\Nattack basically is you take the
Dialogue: 0,0:11:09.69,0:11:13.34,Default,,0000,0000,0000,,microcontroller and you rework it. So you\Nremove the microcontroller from the
Dialogue: 0,0:11:13.34,0:11:17.26,Default,,0000,0000,0000,,printed circuit board and you put on a new\None that you bought from a distributor.
Dialogue: 0,0:11:17.26,0:11:20.66,Default,,0000,0000,0000,,Once you've done that on the Trezor\Ndevices you can put your compromised
Dialogue: 0,0:11:20.66,0:11:24.61,Default,,0000,0000,0000,,bootloader on there. So this is, I did not\Ngo as far to make the compromised
Dialogue: 0,0:11:24.61,0:11:28.38,Default,,0000,0000,0000,,bootloader, but I did confirm that once I\Nswitched the microcontroller, I could
Dialogue: 0,0:11:28.38,0:11:33.20,Default,,0000,0000,0000,,connect with a debugger over SWD and I\Nhave free access to the chip. So some of
Dialogue: 0,0:11:33.20,0:11:39.19,Default,,0000,0000,0000,,the parts got blown off when I was\Nreworking but the SDM works fine. So yeah.
Dialogue: 0,0:11:39.19,0:11:43.14,Default,,0000,0000,0000,,So you just rework, reflash and then you\Nput everything back together. So next I
Dialogue: 0,0:11:43.14,0:11:47.36,Default,,0000,0000,0000,,want to talk about hardware implants. So\Nyou may remember the story that came out
Dialogue: 0,0:11:47.36,0:11:51.39,Default,,0000,0000,0000,,there was this big hack by Bloomberg about\Nhardware implants. I wanted to make a
Dialogue: 0,0:11:51.39,0:11:55.57,Default,,0000,0000,0000,,hardware implant. I also wanted to have a\Nlittle bit of fun with this. So, we, in
Dialogue: 0,0:11:55.57,0:12:00.39,Default,,0000,0000,0000,,honor of the Bloomberg story which has\Nsome, you may have some issues with it.
Dialogue: 0,0:12:00.39,0:12:06.01,Default,,0000,0000,0000,,We're about to talk about the BloomBurglar\Nwhich is a super micro fun implant. So the
Dialogue: 0,0:12:06.01,0:12:10.01,Default,,0000,0000,0000,,goals for this implant is I wanted this\Nimplant to happen after receipt. So it is
Dialogue: 0,0:12:10.01,0:12:14.32,Default,,0000,0000,0000,,both a supply chain attack and a physical\None like a red team can perform this. A
Dialogue: 0,0:12:14.32,0:12:18.97,Default,,0000,0000,0000,,malicious insider could also perform this\Nattack. Zero firmware, because more fun.
Dialogue: 0,0:12:18.97,0:12:22.98,Default,,0000,0000,0000,,It has to fit inside of a hardware wallet,\Nso it has to be small it has to also
Dialogue: 0,0:12:22.98,0:12:26.80,Default,,0000,0000,0000,,bypass the core security function,\Notherwise it's not an implant. Very few
Dialogue: 0,0:12:26.80,0:12:31.87,Default,,0000,0000,0000,,components. I have a thousand of them with\Nme. So I wanted to be able to offer Makers
Dialogue: 0,0:12:31.87,0:12:37.93,Default,,0000,0000,0000,,and DIYers to participate in the hardware\Nimplant fun. So what kind of implant did I
Dialogue: 0,0:12:37.93,0:12:42.10,Default,,0000,0000,0000,,end up with. Well, I decided to do a\Nbasically, an RF-triggered switch and so
Dialogue: 0,0:12:42.10,0:12:47.12,Default,,0000,0000,0000,,the idea is on these devices there's a\Nbutton and the button is the last line of
Dialogue: 0,0:12:47.12,0:12:51.44,Default,,0000,0000,0000,,defense. So all the vendors assume that\Nthe host is going to be compromised. They
Dialogue: 0,0:12:51.44,0:12:55.16,Default,,0000,0000,0000,,just assume that's going to be easy\Nbecause that's software. And so once you
Dialogue: 0,0:12:55.16,0:12:59.03,Default,,0000,0000,0000,,have a compromised host you have to send\Nit to the device and then the human -- so
Dialogue: 0,0:12:59.03,0:13:03.13,Default,,0000,0000,0000,,humans are still needed -- humans have to\Nlook at it and say "Is this the right
Dialogue: 0,0:13:03.13,0:13:07.62,Default,,0000,0000,0000,,transaction or not?" They have to say yes\Nor no. So now with this implant I can,
Dialogue: 0,0:13:07.62,0:13:11.70,Default,,0000,0000,0000,,through RF, I can trigger the yes button.\NSo a human is not required to send
Dialogue: 0,0:13:11.70,0:13:15.37,Default,,0000,0000,0000,,transactions, I can remotely trigger it.\NBasically the RF comes in through the
Dialogue: 0,0:13:15.37,0:13:19.04,Default,,0000,0000,0000,,antenna it goes through a single\Ntransistor which is the main component and
Dialogue: 0,0:13:19.04,0:13:22.89,Default,,0000,0000,0000,,it pulls the button low. And I'm sorry to\Nsay that the bill of materials is quite
Dialogue: 0,0:13:22.89,0:13:28.36,Default,,0000,0000,0000,,expensive at three dollars and 16 cents.\NTwo dollars and 61 cents of that is this
Dialogue: 0,0:13:28.36,0:13:33.78,Default,,0000,0000,0000,,potentiometer I had to use. So it is a\Nlittle bit expensive. I'm sorry. Also, why
Dialogue: 0,0:13:33.78,0:13:39.25,Default,,0000,0000,0000,,is this so big. I mean this is an American\NDime I can fit two on them. What's the
Dialogue: 0,0:13:39.25,0:13:43.11,Default,,0000,0000,0000,,deal. Why is it so big. Well I optimized\Nit for hand assembly. So it would be, you
Dialogue: 0,0:13:43.11,0:13:47.02,Default,,0000,0000,0000,,know, more fun to use, but basically you\Nput the antenna in and then there's an out
Dialogue: 0,0:13:47.02,0:13:51.06,Default,,0000,0000,0000,,button and, like I said, I have a thousand\Nwith me. So just for scale. This is how it
Dialogue: 0,0:13:51.06,0:13:55.72,Default,,0000,0000,0000,,fits on the Ledger Nano. This is how it\Nfits on the Trezor. It is also because
Dialogue: 0,0:13:55.72,0:13:59.58,Default,,0000,0000,0000,,breadboard-friendly is a thing. So we made\Nit breadboard-friendly. So you can also
Dialogue: 0,0:13:59.58,0:14:04.23,Default,,0000,0000,0000,,play along very easily at home. So then\Nthe last challenge with an RF implant is
Dialogue: 0,0:14:04.23,0:14:07.92,Default,,0000,0000,0000,,how do you design antenna to fit in there.\NAnd so the big thing there with an
Dialogue: 0,0:14:07.92,0:14:11.85,Default,,0000,0000,0000,,SMA connector is the first prototype\NI did. Experimented with a few antenna
Dialogue: 0,0:14:11.85,0:14:15.92,Default,,0000,0000,0000,,designs but that remember it, it all has\Nto fit inside the Ledger. So that's
Dialogue: 0,0:14:15.92,0:14:20.52,Default,,0000,0000,0000,,actually quite easy because a Ledger Nano\Nhas a plenty of room to insert extra
Dialogue: 0,0:14:20.52,0:14:26.63,Default,,0000,0000,0000,,circuitry and so it quite fits easily in\Nthe Ledger Nano. And then I did the
Dialogue: 0,0:14:26.63,0:14:30.07,Default,,0000,0000,0000,,implant and then I started to go through\Nthe wallet process. I got to a
Dialogue: 0,0:14:30.07,0:14:34.68,Default,,0000,0000,0000,,check that said is might, you know, is the\NLedger device genuine. And here I actually
Dialogue: 0,0:14:34.68,0:14:39.63,Default,,0000,0000,0000,,got a little bit nervous because it wasn't\Nworking, and so it wasn't working. I was
Dialogue: 0,0:14:39.63,0:14:43.57,Default,,0000,0000,0000,,like, maybe they were checking this, you\Nknow how did they detect it. Don't worry,
Dialogue: 0,0:14:43.57,0:14:47.96,Default,,0000,0000,0000,,it's only Linux. So it just doesn't work\Non Linux. So that was no problem. I did it
Dialogue: 0,0:14:47.96,0:14:52.49,Default,,0000,0000,0000,,on windows and no problems. The device was\Ngenuine, I was able to move on. So the
Dialogue: 0,0:14:52.49,0:14:56.48,Default,,0000,0000,0000,,thing is, this is a very crude receiver,\Nbut the attacker can always use more
Dialogue: 0,0:14:56.48,0:15:02.20,Default,,0000,0000,0000,,power. So here I have this is my antenna\Nsetup in the basement, and with a 50W
Dialogue: 0,0:15:02.20,0:15:06.71,Default,,0000,0000,0000,,transmitter I can remotely trigger the\Nbutton at 11 meters, and at this point I'm
Dialogue: 0,0:15:06.71,0:15:10.59,Default,,0000,0000,0000,,just limited by my basement size. I'm\Npretty very confident that I'd be able to
Dialogue: 0,0:15:10.59,0:15:16.55,Default,,0000,0000,0000,,remotely trigger this thing further. Yeah.\NSo here we're going to see a demo of what
Dialogue: 0,0:15:16.55,0:15:20.38,Default,,0000,0000,0000,,it looks like and for the other problem\Nyou have with hardware implants is how do
Dialogue: 0,0:15:20.38,0:15:24.36,Default,,0000,0000,0000,,you know you have the implanted device. So\Nyou have to label it some way. Ledger has
Dialogue: 0,0:15:24.36,0:15:29.29,Default,,0000,0000,0000,,this kind of Latin phrase that scrolls " I\Nwanted my own Latin phrase" And so this is
Dialogue: 0,0:15:29.29,0:15:33.31,Default,,0000,0000,0000,,how I know this is my implanted device. So\Nwhat we're going to see is that the
Dialogue: 0,0:15:33.31,0:15:37.19,Default,,0000,0000,0000,,transaction screens is gonna show up. This\Nis, and I'm basically going to trigger
Dialogue: 0,0:15:37.19,0:15:40.81,Default,,0000,0000,0000,,this remotely, so I'm going to show that\Nradio come in and then it's going to
Dialogue: 0,0:15:40.81,0:15:47.59,Default,,0000,0000,0000,,approve the transaction without any hands.\NSo this is the transaction. There is the
Dialogue: 0,0:15:47.59,0:15:51.95,Default,,0000,0000,0000,,screen going. This is the way it supposed\Nto verify. There's the radio coming in at
Dialogue: 0,0:15:51.95,0:15:56.40,Default,,0000,0000,0000,,433 MHz and then it's going to proceed to\Nthe next screen without me touching the
Dialogue: 0,0:15:56.40,0:16:02.26,Default,,0000,0000,0000,,button. There you go. So this is remotely\Ntriggered, and that would have sent
Dialogue: 0,0:16:02.26,0:16:06.27,Default,,0000,0000,0000,,transactions. So if you think about the\Ncontext that you have a malicious software
Dialogue: 0,0:16:06.27,0:16:10.64,Default,,0000,0000,0000,,implant that sent it to a wrong address,\Nthe attacker now can remotely accept that
Dialogue: 0,0:16:10.64,0:16:19.61,Default,,0000,0000,0000,,and bypass the security module.\N{\i1}Applause{\i0}
Dialogue: 0,0:16:19.61,0:16:25.65,Default,,0000,0000,0000,,So, yeah, on the recaps, stickers are for\Nlaptops, not for security. Supply chain
Dialogue: 0,0:16:25.65,0:16:29.97,Default,,0000,0000,0000,,attacks are very easy to do at a hardware\Nlevel, but they're quite hard to do at
Dialogue: 0,0:16:29.97,0:16:33.72,Default,,0000,0000,0000,,scale. And when the vendor says the device\Nis genuine, that may mean different
Dialogue: 0,0:16:33.72,0:16:42.78,Default,,0000,0000,0000,,things.\NThomas: to segue to the next part, so six
Dialogue: 0,0:16:42.78,0:16:47.79,Default,,0000,0000,0000,,months ago, Josh Datko said something that\NI found kind of funny and it's almost
Dialogue: 0,0:16:47.79,0:16:52.62,Default,,0000,0000,0000,,correct: "If you put funny constants in\Nyour code, they will end up on DEFCON
Dialogue: 0,0:16:52.62,0:16:56.74,Default,,0000,0000,0000,,slides, and they won't be laughing with\Nyou." Small mistake, they won't end up at
Dialogue: 0,0:16:56.74,0:17:03.41,Default,,0000,0000,0000,,DEF CON, they will be at CCC. and so\Nintroducing the fOOdbabe vulnerability,
Dialogue: 0,0:17:03.41,0:17:09.36,Default,,0000,0000,0000,,it's a bootloader vulnerability in a\NLedger Nano S. We did not come up with
Dialogue: 0,0:17:09.36,0:17:14.05,Default,,0000,0000,0000,,this constant. It's literally in the code\Nas we'll see later. So the name was not
Dialogue: 0,0:17:14.05,0:17:19.11,Default,,0000,0000,0000,,ours, but we like it. So we also bought\Nthe domain foodba.be.
Dialogue: 0,0:17:19.11,0:17:23.93,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NLedger Nano S is a very simple wallet. It
Dialogue: 0,0:17:23.93,0:17:28.38,Default,,0000,0000,0000,,simply has a small display, it has a USB\Nport and two buttons. That's really all
Dialogue: 0,0:17:28.38,0:17:33.17,Default,,0000,0000,0000,,there is. And you should take it apart.\NYou see it's just some pieces of plastic,
Dialogue: 0,0:17:33.17,0:17:38.57,Default,,0000,0000,0000,,the display and the PCB. And looking at\Nthe PCB, it kind of has an interesting
Dialogue: 0,0:17:38.57,0:17:44.77,Default,,0000,0000,0000,,architecture where you have a STM32, which\Nis just a general purpose microcontroller,
Dialogue: 0,0:17:44.77,0:17:50.25,Default,,0000,0000,0000,,and a ST31, which is a secret element that\Nis for example used in pay-TV and so on.
Dialogue: 0,0:17:50.25,0:17:56.29,Default,,0000,0000,0000,,And is regarded as a very high security\Nchip, basically. And if you turn the PCB
Dialogue: 0,0:17:56.29,0:18:00.07,Default,,0000,0000,0000,,around, you'll see that they were nice\Nenough to leave the programming port for
Dialogue: 0,0:18:00.07,0:18:06.77,Default,,0000,0000,0000,,the STM32 open to us, ENABLED.\N{\i1}Laughter{\i0}
Dialogue: 0,0:18:06.77,0:18:13.44,Default,,0000,0000,0000,,And this has been suspected by other\Npeople that we verified it. But you know,
Dialogue: 0,0:18:13.44,0:18:17.81,Default,,0000,0000,0000,,you have to go through it. And obviously\NLedger is aware of this. And so let's look
Dialogue: 0,0:18:17.81,0:18:23.43,Default,,0000,0000,0000,,at the security model that the Ledger Nano\NS has. The basic idea is that if we look
Dialogue: 0,0:18:23.43,0:18:28.70,Default,,0000,0000,0000,,at this device, we kind of have this\Nschematic of the STM32 being on the left
Dialogue: 0,0:18:28.70,0:18:33.64,Default,,0000,0000,0000,,and the ST31 on the right. And as you can\Nsee, all peripherals are connected to the
Dialogue: 0,0:18:33.64,0:18:39.04,Default,,0000,0000,0000,,STM32. That is because the ST31 does not\Nhave enough pins to connect peripherals.
Dialogue: 0,0:18:39.04,0:18:43.81,Default,,0000,0000,0000,,It literally only has a one pin interface,\Nwhich is for the smartcard protocols
Dialogue: 0,0:18:43.81,0:18:50.56,Default,,0000,0000,0000,,basically. And so all the heavy lifting is\Ndone by the STM32. And Ledger splits it up
Dialogue: 0,0:18:50.56,0:18:56.59,Default,,0000,0000,0000,,into the unsecure part and the secure\Npart. And the idea is that the STM32 acts
Dialogue: 0,0:18:56.59,0:19:00.86,Default,,0000,0000,0000,,as a proxy. So it's basically the hardware\Ndriver for the button, for the display,
Dialogue: 0,0:19:00.86,0:19:06.22,Default,,0000,0000,0000,,for the USB, similar to a northbridge in\Nyour standard computer. And when you take
Dialogue: 0,0:19:06.22,0:19:11.16,Default,,0000,0000,0000,,a computer and want to make a transaction,\Nyou create your transaction on the
Dialogue: 0,0:19:11.16,0:19:18.77,Default,,0000,0000,0000,,computer, it goes through USB to the\NSTM32, and the STM32 then forwards it to
Dialogue: 0,0:19:18.77,0:19:25.48,Default,,0000,0000,0000,,the ST31. THe ST31 then says, Oh, a new\Ntransaction, I want trust the user to
Dialogue: 0,0:19:25.48,0:19:31.01,Default,,0000,0000,0000,,confirm it. So it sends a display command\Nto the STM32 which in turn displays that
Dialogue: 0,0:19:31.01,0:19:36.19,Default,,0000,0000,0000,,on the screen. And then you press the\N"yes" button again it goes the same route
Dialogue: 0,0:19:36.19,0:19:41.43,Default,,0000,0000,0000,,to the ST31, which then internally signs\Nthe transaction. So the seed never leaves
Dialogue: 0,0:19:41.43,0:19:47.47,Default,,0000,0000,0000,,the device and our assigned transaction\Ngoes back through the STM, through USB to
Dialogue: 0,0:19:47.47,0:19:54.40,Default,,0000,0000,0000,,the computer. To us, this means if this\Nchip is compromised, we can send malicious
Dialogue: 0,0:19:54.40,0:20:01.50,Default,,0000,0000,0000,,transactions to the ST31 and confirm them\Nourselves. Or we can even go and show a
Dialogue: 0,0:20:01.50,0:20:06.97,Default,,0000,0000,0000,,different transaction on the screen than\Nwe are actually sending to the ST31. And
Dialogue: 0,0:20:06.97,0:20:11.57,Default,,0000,0000,0000,,Ledger is aware of this and we'll talk\Nabout how they try to mitigate this later.
Dialogue: 0,0:20:11.57,0:20:15.72,Default,,0000,0000,0000,,But first we have to find an exploit,\Nbecause while we do have debugging access
Dialogue: 0,0:20:15.72,0:20:22.25,Default,,0000,0000,0000,,to the chip, hardware access is sometimes\Nkind of buggy. No offence. So we wanted to
Dialogue: 0,0:20:22.25,0:20:26.55,Default,,0000,0000,0000,,have a software bug. And so we started\Nreverse engineering the firmware upgrade
Dialogue: 0,0:20:26.55,0:20:34.18,Default,,0000,0000,0000,,process. And when you look at the\Nbootloader, the bootloader for the Ledger
Dialogue: 0,0:20:34.18,0:20:38.53,Default,,0000,0000,0000,,used to be open-source, and back then they\Ndidn't have any verification of the
Dialogue: 0,0:20:38.53,0:20:42.78,Default,,0000,0000,0000,,firmware. So you could basically boot the\Ndevice into bootloader mode, flash
Dialogue: 0,0:20:42.78,0:20:47.61,Default,,0000,0000,0000,,whatever from where you want, and then it\Nwould run it. After someone, Saleem in
Dialogue: 0,0:20:47.61,0:20:51.73,Default,,0000,0000,0000,,this case, wrote about this, they changed\Nit, and they changed it to do some
Dialogue: 0,0:20:51.73,0:20:56.07,Default,,0000,0000,0000,,cryptographic measure. And we were too\Nlazy to reverse engineer the cryptographic
Dialogue: 0,0:20:56.07,0:21:00.73,Default,,0000,0000,0000,,measure because it's very time consuming,\Nvery hard. So we looked more at the parts
Dialogue: 0,0:21:00.73,0:21:06.14,Default,,0000,0000,0000,,surrounding it and how we can maybe find a\Nbug in the bootloader to break it. And it
Dialogue: 0,0:21:06.14,0:21:14.13,Default,,0000,0000,0000,,turns out that when you try to upgrade\Nyour Ledger, you accept four different
Dialogue: 0,0:21:14.13,0:21:18.82,Default,,0000,0000,0000,,commands. One is select segment, which\Nallows you to select the address base at
Dialogue: 0,0:21:18.82,0:21:22.73,Default,,0000,0000,0000,,which you're firmware will be flashed. One\Nis the load command, which allows you to
Dialogue: 0,0:21:22.73,0:21:27.57,Default,,0000,0000,0000,,write data to flash. Then you have the\Nflush command, which is basically like
Dialogue: 0,0:21:27.57,0:21:32.88,Default,,0000,0000,0000,,f-sync on Linux and writes your changes to\Nthe non-volatile memory. And you have the
Dialogue: 0,0:21:32.88,0:21:38.55,Default,,0000,0000,0000,,boot command, which verifies the flash\Ncode and starts booting it. So to us the
Dialogue: 0,0:21:38.55,0:21:43.72,Default,,0000,0000,0000,,boot command is the most interesting,\Nbecause it provides all verification and
Dialogue: 0,0:21:43.72,0:21:50.01,Default,,0000,0000,0000,,it attempts to ensure that no malicious\Nimage is booted. And it turns out that if
Dialogue: 0,0:21:50.01,0:21:54.02,Default,,0000,0000,0000,,you issue the boot command, it compares\Nthe whole image to whatever
Dialogue: 0,0:21:54.02,0:21:59.42,Default,,0000,0000,0000,,cryptographically function they use, and\Nif it's successfully verified, they write
Dialogue: 0,0:21:59.42,0:22:08.64,Default,,0000,0000,0000,,a constant to the address 0x0800 3000, and\Nthat constant is OxF00DBABE. And so, to
Dialogue: 0,0:22:08.64,0:22:14.69,Default,,0000,0000,0000,,not have to verify the entire flash on\Neach boot, they just do this once, so only
Dialogue: 0,0:22:14.69,0:22:22.10,Default,,0000,0000,0000,,after firmware upgrade. So basically if\Nyou boot up the ledger, it boots, it waits
Dialogue: 0,0:22:22.10,0:22:25.99,Default,,0000,0000,0000,,500 milliseconds. It checks if you have a\Nbutton pressed. If yes, it goes to
Dialogue: 0,0:22:25.99,0:22:32.58,Default,,0000,0000,0000,,bootloader. Otherwise it loads the\Nconstant at 0x08003000. And if it's
Dialogue: 0,0:22:32.58,0:22:36.60,Default,,0000,0000,0000,,0xF00DBABE, it boots the firmware. So our\Ngoal is to write a 0xF00DBABE to that
Dialogue: 0,0:22:36.60,0:22:43.60,Default,,0000,0000,0000,,address. First attempt, we just issue a\Nselect segment command to exactly that
Dialogue: 0,0:22:43.60,0:22:51.56,Default,,0000,0000,0000,,address. We just write 0xF00DBABE to it,\Nflush and reset the device. Didn't work
Dialogue: 0,0:22:51.56,0:22:57.05,Default,,0000,0000,0000,,unfortunately. so we had to do more\Nreverse engineering. It turns out that
Dialogue: 0,0:22:57.05,0:23:02.10,Default,,0000,0000,0000,,they use an interesting approach to ensure\Nthat you don't accidentally flash over the
Dialogue: 0,0:23:02.10,0:23:06.69,Default,,0000,0000,0000,,bootloader. So they basically blacklist a\Nwhole memory region. So if you try to
Dialogue: 0,0:23:06.69,0:23:15.25,Default,,0000,0000,0000,,flash from 0x0800_0000 up to 0x0800_3000.\NIt returns an error. If you try to
Dialogue: 0,0:23:15.25,0:23:19.30,Default,,0000,0000,0000,,directly write to F00DBABE, They thought\Nabout it, and they have a very specific
Dialogue: 0,0:23:19.30,0:23:25.74,Default,,0000,0000,0000,,code path to prevent that. So they memset\Nit to zero and you're screwed again. And
Dialogue: 0,0:23:25.74,0:23:31.74,Default,,0000,0000,0000,,then finally it writes assuming you didn't\Nerror out. But it turns out that the STM32
Dialogue: 0,0:23:31.74,0:23:36.95,Default,,0000,0000,0000,,has kind of an interesting memory map and\Non a lot of chips, you cannot only map
Dialogue: 0,0:23:36.95,0:23:41.69,Default,,0000,0000,0000,,your flash to one address, but you can\Nalso have it mapped to another address.
Dialogue: 0,0:23:41.69,0:23:50.99,Default,,0000,0000,0000,,And in this case the flash is indeed also\Nmapped to the address 0. And so the
Dialogue: 0,0:23:50.99,0:23:57.17,Default,,0000,0000,0000,,bootloader uses a blacklisting approach,\Nso it only excludes certain memory areas.
Dialogue: 0,0:23:57.17,0:24:01.22,Default,,0000,0000,0000,,But it doesn't use whitelisting where you\Ncould only explicitly write to this memory
Dialogue: 0,0:24:01.22,0:24:08.70,Default,,0000,0000,0000,,region. So they do not block writing to\N0x0000_0000. Profit! Second attempt. We
Dialogue: 0,0:24:08.70,0:24:15.40,Default,,0000,0000,0000,,just select the segment at 0x0000_3000,\Nwhich maps to 0x0800_3000, we write
Dialogue: 0,0:24:15.40,0:24:23.10,Default,,0000,0000,0000,,0xF00DBABE to it, we flush, reset, and we\Ncan flash custom firmware! Awesome!
Dialogue: 0,0:24:23.10,0:24:32.52,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NSo what do you do when you have a device
Dialogue: 0,0:24:32.52,0:24:40.18,Default,,0000,0000,0000,,that, where the display is not big enough\Nto run DOM with a custom firmware. So in
Dialogue: 0,0:24:40.18,0:24:44.09,Default,,0000,0000,0000,,this case it's an original letter, press\Nthe button, put it into bootloader mode,
Dialogue: 0,0:24:44.09,0:24:59.96,Default,,0000,0000,0000,,which is part of the normal operation, and\N{\i1}Laughtes and Applause{\i0}
Dialogue: 0,0:24:59.96,0:25:06.52,Default,,0000,0000,0000,,If you want to play a bit of snake, come\Nby later. How are they protecting against
Dialogue: 0,0:25:06.52,0:25:11.67,Default,,0000,0000,0000,,this? I've mentioned before Ledger is\Naware that you can reflash this STM32. And
Dialogue: 0,0:25:11.67,0:25:16.40,Default,,0000,0000,0000,,they are, they put in some measures to\Nprevent you from doing malicious stuff.
Dialogue: 0,0:25:16.40,0:25:20.87,Default,,0000,0000,0000,,And basically what they do and this is\Nvery simplified, and we did not bother to
Dialogue: 0,0:25:20.87,0:25:26.63,Default,,0000,0000,0000,,fully reverse engineer because we didn't\Nneed to, basically. When the chip boots,
Dialogue: 0,0:25:26.63,0:25:31.49,Default,,0000,0000,0000,,it sends its entire firmware to the ST31,\Nwhich then performs some kind of hashing
Dialogue: 0,0:25:31.49,0:25:36.70,Default,,0000,0000,0000,,also, verifies that the firmware as\Nauthentic. And it also measures the time
Dialogue: 0,0:25:36.70,0:25:40.76,Default,,0000,0000,0000,,it takes to send the firmware. This is to\Nprevent you from just running a
Dialogue: 0,0:25:40.76,0:25:48.77,Default,,0000,0000,0000,,compression algorithm on the STM32 and\Nsend it very slowly. How do we bypass
Dialogue: 0,0:25:48.77,0:25:55.72,Default,,0000,0000,0000,,this? So our idea was, because we not only\Nhave flash, we also have RAM. So what if
Dialogue: 0,0:25:55.72,0:26:04.16,Default,,0000,0000,0000,,we create a compromised and compressed\Nfirmware that copies itself to RAM? We
Dialogue: 0,0:26:04.16,0:26:10.24,Default,,0000,0000,0000,,jump to it and then it writes its entire\Ncompressed firmware to flash,
Dialogue: 0,0:26:10.24,0:26:14.96,Default,,0000,0000,0000,,uncompressed in that case, and then we\Njust call the original code on the secure
Dialogue: 0,0:26:14.96,0:26:21.29,Default,,0000,0000,0000,,element. It would verify the firmware, it\Nwould run with a real timing and boots up
Dialogue: 0,0:26:21.29,0:26:28.00,Default,,0000,0000,0000,,regularly. And so we attempted this. It\Ntook quite a while to achieve.
Dialogue: 0,0:26:28.00,0:26:31.57,Default,,0000,0000,0000,,Because basically, you can't do ZIP, you\Ncan't do LZMA, because even if you
Dialogue: 0,0:26:31.57,0:26:36.85,Default,,0000,0000,0000,,compress the image you don't have enough\Nspace for complex compressor. So our
Dialogue: 0,0:26:36.85,0:26:41.96,Default,,0000,0000,0000,,attempt was to find duplicate bytes,\Nsqueeze them together and make space for a
Dialogue: 0,0:26:41.96,0:26:46.39,Default,,0000,0000,0000,,custom payload. And basically we just have\Na table that says, okay, now you will have
Dialogue: 0,0:26:46.39,0:26:52.59,Default,,0000,0000,0000,,six zeros or something. And our each table\Nentry only takes a single byte. So, and
Dialogue: 0,0:26:52.59,0:26:56.61,Default,,0000,0000,0000,,it's only like 10 instructions in\Nassembler to run this decompressor, so you
Dialogue: 0,0:26:56.61,0:27:01.00,Default,,0000,0000,0000,,don't have the large code base. It's very\Neasy to use. And it turns out that even
Dialogue: 0,0:27:01.00,0:27:05.33,Default,,0000,0000,0000,,with a very simple detector, like in this\Ncase we rerun the script to find the
Dialogue: 0,0:27:05.33,0:27:10.75,Default,,0000,0000,0000,,longest duplicate data, and you can see on\Nthe first try, we get like 260 bytes of
Dialogue: 0,0:27:10.75,0:27:17.22,Default,,0000,0000,0000,,space for our payload, which is enough for\Na lot of things, let's say. And we have a
Dialogue: 0,0:27:17.22,0:27:22.33,Default,,0000,0000,0000,,working PoC of concept of this and we\Nwould go into a lot of details, but if we
Dialogue: 0,0:27:22.33,0:27:27.45,Default,,0000,0000,0000,,only got an hour. And so we will release\Nafter this talk and on non-offensive
Dialogue: 0,0:27:27.45,0:27:31.85,Default,,0000,0000,0000,,example of this that you can look at how\Ndoes it work, what can you do even if
Dialogue: 0,0:27:31.85,0:27:37.17,Default,,0000,0000,0000,,you're firmware is attempting to be\Nverified. And we also and this is very
Dialogue: 0,0:27:37.17,0:27:41.39,Default,,0000,0000,0000,,exciting we are working with the YouTube\NLiveOverflow and he created a 20 minute
Dialogue: 0,0:27:41.39,0:27:46.92,Default,,0000,0000,0000,,video on walking through this entire\NF00DBABE vulnerability, how did the
Dialogue: 0,0:27:46.92,0:27:51.88,Default,,0000,0000,0000,,verification works and how to bypass it to\Na certain degree. We don't want to
Dialogue: 0,0:27:51.88,0:27:56.92,Default,,0000,0000,0000,,weaponize it. So we did not, we will not\Nrelease the first the full thing, but
Dialogue: 0,0:27:56.92,0:28:02.68,Default,,0000,0000,0000,,yeah, very excited for this. Stay tuned on\Nour Twitter and we'll link it for sure. As
Dialogue: 0,0:28:02.68,0:28:06.39,Default,,0000,0000,0000,,part of this, we also have a lot of\Nsoftware that we will release. So public
Dialogue: 0,0:28:06.39,0:28:10.32,Default,,0000,0000,0000,,release, we'll release the snake firmware.\NSo hopefully this evening you'll be able
Dialogue: 0,0:28:10.32,0:28:15.25,Default,,0000,0000,0000,,to play snake on your Ledger. If you\Nbought some bitcoin at twenty thousand now
Dialogue: 0,0:28:15.25,0:28:21.07,Default,,0000,0000,0000,,you're bankrupt, you can at least play\Nsnake. We will opensource the compressor
Dialogue: 0,0:28:21.07,0:28:26.35,Default,,0000,0000,0000,,and the extractor. We built a logic\Nanalyzer plugin for this markup protocol
Dialogue: 0,0:28:26.35,0:28:31.33,Default,,0000,0000,0000,,and we built software that analyzes the\Ncommunication between the STM32 and the
Dialogue: 0,0:28:31.33,0:28:36.90,Default,,0000,0000,0000,,ST31 on the Ledger specific data, and you\Ncan just dump it. So if you guys are
Dialogue: 0,0:28:36.90,0:28:45.50,Default,,0000,0000,0000,,interested in for example trying to break\Ninto the ST31, please have a go. And
Dialogue: 0,0:28:45.50,0:28:50.30,Default,,0000,0000,0000,,Ledger has a second device, which is\Ncalled the Ledger Blue. We assume the
Dialogue: 0,0:28:50.30,0:28:55.30,Default,,0000,0000,0000,,reason it's called the Ledger Blue is\Nbecause it contains Bluetooth. But they
Dialogue: 0,0:28:55.30,0:29:00.06,Default,,0000,0000,0000,,never enable Bluetooth. So it's basically\Njust a regular Ledger with a color display
Dialogue: 0,0:29:00.06,0:29:06.24,Default,,0000,0000,0000,,and a big battery in it. And we call this\Npart "Fantastic Signals and how to find
Dialogue: 0,0:29:06.24,0:29:10.21,Default,,0000,0000,0000,,them".\N{\i1}Laughter{\i0}
Dialogue: 0,0:29:10.21,0:29:14.98,Default,,0000,0000,0000,,Because when we opened up this device and\Nwe were chatting, we have this nice
Dialogue: 0,0:29:14.98,0:29:20.53,Default,,0000,0000,0000,,telegram chat room where we're chatting\N24/7 while doing this. And we opened up
Dialogue: 0,0:29:20.53,0:29:24.46,Default,,0000,0000,0000,,the device and the first thing,like\Nliterally five minutes after opening it, I
Dialogue: 0,0:29:24.46,0:29:29.65,Default,,0000,0000,0000,,saw that you have the secure element on\Nthe left and the STM32 on the right. You
Dialogue: 0,0:29:29.65,0:29:36.22,Default,,0000,0000,0000,,have some other stuff like the Bluetooth\Nmodule and so on. The trace between the
Dialogue: 0,0:29:36.22,0:29:42.44,Default,,0000,0000,0000,,secure element and the microcontroller is\Npretty long and contains a pretty fast
Dialogue: 0,0:29:42.44,0:29:50.59,Default,,0000,0000,0000,,signal. So what is a long conductor with a\Nfast changing current? Anyone got a clue?
Dialogue: 0,0:29:50.59,0:29:54.84,Default,,0000,0000,0000,,{\i1}Interjection{\i0}\NCorrect. It's an antenna.
Dialogue: 0,0:29:54.84,0:30:02.55,Default,,0000,0000,0000,,So I pulled out my HackRF \Nsoftware defined radio, this
Dialogue: 0,0:30:02.55,0:30:08.47,Default,,0000,0000,0000,,is just a very, a more sophisticated RTL-\NSDR, so you can just sniff arbitrary
Dialogue: 0,0:30:08.47,0:30:13.60,Default,,0000,0000,0000,,signals with it. I got a random shitty\Ntelescope antenna on Amazon and they have
Dialogue: 0,0:30:13.60,0:30:20.33,Default,,0000,0000,0000,,my Ledger blue. So on this screen, you can\Nsee the blue thing is the radio spectrum
Dialogue: 0,0:30:20.33,0:30:26.79,Default,,0000,0000,0000,,around 169 MHz and if we start entering\Nour pin we can see that there's a weak
Dialogue: 0,0:30:26.79,0:30:29.96,Default,,0000,0000,0000,,signal.\N{\i1}Laughter{\i0}
Dialogue: 0,0:30:29.96,0:30:37.67,Default,,0000,0000,0000,,You guys see where this is going. On the\Nradio. Unfortunately that signal is pretty
Dialogue: 0,0:30:37.67,0:30:46.41,Default,,0000,0000,0000,,weak. Luckily they included an antenna.\NThey call it a USB cable, but I'm not so
Dialogue: 0,0:30:46.41,0:30:53.61,Default,,0000,0000,0000,,sure about it. So this time with USB\Nconnected, and we do the same thing again.
Dialogue: 0,0:30:53.61,0:31:00.00,Default,,0000,0000,0000,,You can see like crazy radio spikes and\Nthis is right next to each other. But even
Dialogue: 0,0:31:00.00,0:31:05.82,Default,,0000,0000,0000,,if you go a couple of meters. I was\Nlimited as Josh by my living room space.
Dialogue: 0,0:31:05.82,0:31:11.95,Default,,0000,0000,0000,,You get a couple of meters of decent\Nreception. So our goal was to find out
Dialogue: 0,0:31:11.95,0:31:17.97,Default,,0000,0000,0000,,what is this signal and if we just look at\Nthe recorded amplitude of the signal, we
Dialogue: 0,0:31:17.97,0:31:23.29,Default,,0000,0000,0000,,get this. And if you do a lot of probing\Nand so on, you immediately see, ok, there
Dialogue: 0,0:31:23.29,0:31:29.38,Default,,0000,0000,0000,,are spikes and there are 11 of them and\Nthen there's a pause and then are small
Dialogue: 0,0:31:29.38,0:31:34.76,Default,,0000,0000,0000,,spikes. So this is probably some kind of\Nprotocol that first sends 11 bytes of data
Dialogue: 0,0:31:34.76,0:31:39.42,Default,,0000,0000,0000,,then pauses, and then sends more data. So\Nwe looked at the back of the device,
Dialogue: 0,0:31:39.42,0:31:43.57,Default,,0000,0000,0000,,started probing every single connection\Nand tried to figure out is this the secure
Dialogue: 0,0:31:43.57,0:31:50.21,Default,,0000,0000,0000,,element? Is this whatever? And it turned\Nout to be the display bus. So we can sniff
Dialogue: 0,0:31:50.21,0:31:56.83,Default,,0000,0000,0000,,information on what is sent to the display\Nremotely. And if you, if we look at the
Dialogue: 0,0:31:56.83,0:32:01.04,Default,,0000,0000,0000,,signal that gets sent in blue, it's the\Nsignal that gets sent when you press the
Dialogue: 0,0:32:01.04,0:32:07.01,Default,,0000,0000,0000,,letter zero on the pin pad and an orange\Nwhen you press the letter seven. So we can
Dialogue: 0,0:32:07.01,0:32:11.30,Default,,0000,0000,0000,,see a very clear difference at certain\Npoints on the signal which confirmed our
Dialogue: 0,0:32:11.30,0:32:16.85,Default,,0000,0000,0000,,suspicion. But building software for this\Nis kind of boring, like digital signal
Dialogue: 0,0:32:16.85,0:32:22.38,Default,,0000,0000,0000,,processing is not really my thing. So what\Ndo we do? And we wanted to increase the
Dialogue: 0,0:32:22.38,0:32:29.14,Default,,0000,0000,0000,,buzzword load in our talk a bit. And so we\Nare hacking blockchain IoT devices, using
Dialogue: 0,0:32:29.14,0:32:40.93,Default,,0000,0000,0000,,artificial intelligence, in the cloud.\N{\i1}Applause and Laughter{\i0}
Dialogue: 0,0:32:40.93,0:32:47.66,Default,,0000,0000,0000,,So our ideal was we record training\Nsignals, we use some kind of prefiltering,
Dialogue: 0,0:32:47.66,0:32:55.13,Default,,0000,0000,0000,,we train AI on it. Profit! Literally.\NProblem is, getting training data really
Dialogue: 0,0:32:55.13,0:32:59.31,Default,,0000,0000,0000,,sucks, because you don't want to sit there\Nfor 10 hours pressing the same key on a
Dialogue: 0,0:32:59.31,0:33:06.09,Default,,0000,0000,0000,,pin pad. It really doesn't sound like fun.\NAnd so this needs automation. So,
Dialogue: 0,0:33:06.09,0:33:11.70,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NSo we took in Arduino, we took a roll of
Dialogue: 0,0:33:11.70,0:33:17.56,Default,,0000,0000,0000,,masking tape, a piece of acrylic glass, a\NPCB vice and this is a HUAWEI-pen for the
Dialogue: 0,0:33:17.56,0:33:24.94,Default,,0000,0000,0000,,extra amount of Chinese backdoor. And we\Nlet this run for a couple of hours. And
Dialogue: 0,0:33:24.94,0:33:32.36,Default,,0000,0000,0000,,you can actually see that every time it\Npresses down, you can see that the digit
Dialogue: 0,0:33:32.36,0:33:37.48,Default,,0000,0000,0000,,that you pressed is highlighted and the\Ndifference in the signal we saw earlier is
Dialogue: 0,0:33:37.48,0:33:42.60,Default,,0000,0000,0000,,probably the x and y coordinate, of where\Nit highlights the button. And that's the
Dialogue: 0,0:33:42.60,0:33:51.06,Default,,0000,0000,0000,,difference. We can see in the trace. And\Nso we had a lot of recorded data. Now we
Dialogue: 0,0:33:51.06,0:33:58.24,Default,,0000,0000,0000,,created a training set. We created a test\Nset, preprocessing Tensorflow ai model.
Dialogue: 0,0:33:58.24,0:34:05.19,Default,,0000,0000,0000,,It's really easy surprisingly. And we\Ntried our test set did a prediction. And
Dialogue: 0,0:34:05.19,0:34:10.36,Default,,0000,0000,0000,,so the big question how accurate is it.\NAnd it turns out. So this is the the
Dialogue: 0,0:34:10.36,0:34:16.53,Default,,0000,0000,0000,,result of a cut of the test set. And if we\Nzoom in on this this basically tells you
Dialogue: 0,0:34:16.53,0:34:21.59,Default,,0000,0000,0000,,we have the signal of this great thing\Nit's just a picture representation of the
Dialogue: 0,0:34:21.59,0:34:28.55,Default,,0000,0000,0000,,signal and it tells you how sure it is,\Nwhat digit it is. In this case it's 7 with
Dialogue: 0,0:34:28.55,0:34:35.17,Default,,0000,0000,0000,,98 percent likelihood. So pretty good. In\Nour test set we only have one wrong result
Dialogue: 0,0:34:35.17,0:34:40.76,Default,,0000,0000,0000,,and overall we get it wrong 90 percent\Naccuracy and to move this in the cloud we
Dialogue: 0,0:34:40.76,0:34:46.70,Default,,0000,0000,0000,,are hosting this on the Google cloud. As\Nthe LedgerAI for you guys to play with and
Dialogue: 0,0:34:46.70,0:34:51.42,Default,,0000,0000,0000,,we'll publish it online with a limited\Ndataset that is trained on a very close
Dialogue: 0,0:34:51.42,0:34:56.02,Default,,0000,0000,0000,,space. You cannot do something super\Nmalicious with it but it's nice to play
Dialogue: 0,0:34:56.02,0:35:01.51,Default,,0000,0000,0000,,around and see how this was done. And this\Nbrings us to the next part, glitch me if
Dialogue: 0,0:35:01.51,0:35:11.77,Default,,0000,0000,0000,,you can. Thank you.\N{\i1}Applause{\i0}
Dialogue: 0,0:35:11.77,0:35:17.02,Default,,0000,0000,0000,,Josh: So now we're going to talk about the\Nsilicon level vulnerability with glitching
Dialogue: 0,0:35:17.02,0:35:21.34,Default,,0000,0000,0000,,attacks fault injectio so to review.\NSo to review I will be talking about the
Dialogue: 0,0:35:21.34,0:35:25.53,Default,,0000,0000,0000,,trezor one. And so I just want to go over\Nvery quickly what the architecture is of
Dialogue: 0,0:35:25.53,0:35:31.91,Default,,0000,0000,0000,,the trezor one and some previous work that\Nis done. So the Trezor One is quite a
Dialogue: 0,0:35:31.91,0:35:37.80,Default,,0000,0000,0000,,simple embedded device. It consists of\Nonly a few components. It has an OLED
Dialogue: 0,0:35:37.80,0:35:44.06,Default,,0000,0000,0000,,display it has some buttons and has a USB\Nconnector that are all externally facing.
Dialogue: 0,0:35:44.06,0:35:53.62,Default,,0000,0000,0000,,Internally it has its main brain if you\Nwill the STM32F205 microcontroller which
Dialogue: 0,0:35:53.62,0:35:57.92,Default,,0000,0000,0000,,controls all the other operations on the\NTrezor, that display, the USB, and the two
Dialogue: 0,0:35:57.92,0:36:05.13,Default,,0000,0000,0000,,buttons. So last year we gave a talk at\NDEFCON "Breaking Bitcoin Hardware Wallets"
Dialogue: 0,0:36:05.13,0:36:09.55,Default,,0000,0000,0000,,here we use the chip whisper to mainly do\Nthe glitching attacks, the conclusions
Dialogue: 0,0:36:09.55,0:36:16.40,Default,,0000,0000,0000,,from last year is that the F2O5 was\Nvulnerable to fault injection but it was
Dialogue: 0,0:36:16.40,0:36:21.50,Default,,0000,0000,0000,,inconclusive if we could do a exploit via\Nthe fault. So this year we have a
Dialogue: 0,0:36:21.50,0:36:27.47,Default,,0000,0000,0000,,different result but the output of that\Nwork was this board was
Dialogue: 0,0:36:27.47,0:36:29.20,Default,,0000,0000,0000,,called the breaking bitcoin board.
Dialogue: 0,0:36:29.20,0:36:34.13,Default,,0000,0000,0000,,Basically it was a Trezor clone that just\Nmade it easy to attach wires and probes
Dialogue: 0,0:36:34.13,0:36:38.52,Default,,0000,0000,0000,,and so we made this board. The design\Nschematics are all online. It's open
Dialogue: 0,0:36:38.52,0:36:42.97,Default,,0000,0000,0000,,source hardware. This is the chip\Nwhisperer set up that we were using so we
Dialogue: 0,0:36:42.97,0:36:47.26,Default,,0000,0000,0000,,made the board specifically to fit on the\Nchip whisperer target board. And this is
Dialogue: 0,0:36:47.26,0:36:51.74,Default,,0000,0000,0000,,just what it looks like when you use the\Nchip whisper GUI to perform a glitch. And
Dialogue: 0,0:36:51.74,0:36:56.44,Default,,0000,0000,0000,,here we were doing application level code\Nso it's very different but I gave that
Dialogue: 0,0:36:56.44,0:37:07.02,Default,,0000,0000,0000,,talk and then I met Dmitry and Thomas.\NDmitry: Fortunately we had Josh to do the
Dialogue: 0,0:37:07.02,0:37:11.69,Default,,0000,0000,0000,,talk last year and to kind of exhaust a\Nlot of the firmware vulnerabilities that
Dialogue: 0,0:37:11.69,0:37:15.57,Default,,0000,0000,0000,,were actually hardware vulnerabilities in\Nthe firmware that might have been there.
Dialogue: 0,0:37:15.57,0:37:19.75,Default,,0000,0000,0000,,So we immediately knew that we could\Nexclude this. And so you can start looking
Dialogue: 0,0:37:19.75,0:37:23.99,Default,,0000,0000,0000,,at the underlying microcontrollers. So in\Nthis case it's STM32 microcontroller that
Dialogue: 0,0:37:23.99,0:37:28.56,Default,,0000,0000,0000,,they use inside of it and it controls\Neverything. So compromising the STM32
Dialogue: 0,0:37:28.56,0:37:33.43,Default,,0000,0000,0000,,microcontroller means that you can\Ncompromise, you can compromise the device.
Dialogue: 0,0:37:33.43,0:37:38.69,Default,,0000,0000,0000,,So I mean so there's a couple of papers\Nthat have covered some of the
Dialogue: 0,0:37:38.69,0:37:42.80,Default,,0000,0000,0000,,vulnerabilities in the STM32 specifically\Nthere's one which describes a UV attack
Dialogue: 0,0:37:42.80,0:37:49.09,Default,,0000,0000,0000,,which lets you downgrade the security on\Nthe STM32. So we determined that paper
Dialogue: 0,0:37:49.09,0:37:53.88,Default,,0000,0000,0000,,unfortunately does not apply to our result\Nbecause the Trezor or is smart enough when
Dialogue: 0,0:37:53.88,0:37:58.67,Default,,0000,0000,0000,,it boot's to check the value stored in\NFlash. And if it has been altered in any
Dialogue: 0,0:37:58.67,0:38:03.52,Default,,0000,0000,0000,,way to set it correctly. So they actually\Neven protect against this kind of attack.
Dialogue: 0,0:38:03.52,0:38:08.19,Default,,0000,0000,0000,,But nevertheless you can see that there is\Nsome vulnerabilities. So there is another
Dialogue: 0,0:38:08.19,0:38:12.31,Default,,0000,0000,0000,,paper which unfortunately has not been\Npublished yet and we couldn't get in touch
Dialogue: 0,0:38:12.31,0:38:15.88,Default,,0000,0000,0000,,with the authors yet. That should be\Ncoming out in January hopefully which
Dialogue: 0,0:38:15.88,0:38:23.38,Default,,0000,0000,0000,,describes glitches against the STM32 F1\Nand STM32 F3. So now we have the F0, the
Dialogue: 0,0:38:23.38,0:38:30.25,Default,,0000,0000,0000,,F1, and the F3 and so basically here's the\Nproduct matrix. So three of them are
Dialogue: 0,0:38:30.25,0:38:37.53,Default,,0000,0000,0000,,already vulnerable. So what we're looking\Nat SDM 32 F2 and potentially STM32 F4 if
Dialogue: 0,0:38:37.53,0:38:43.16,Default,,0000,0000,0000,,we're talking about the Trezor model T so\Nthose we do not have vulnerabilities for
Dialogue: 0,0:38:43.16,0:38:49.74,Default,,0000,0000,0000,,yet. So let's take a look at how how it\Nworks really quickly. So the way that STM
Dialogue: 0,0:38:49.74,0:38:56.01,Default,,0000,0000,0000,,implements security on the STM32 is that\Nthey store an option byte and the option
Dialogue: 0,0:38:56.01,0:39:02.12,Default,,0000,0000,0000,,byte the thing to remember is on on a\Ncortex M3 or M4 microcontroller that you
Dialogue: 0,0:39:02.12,0:39:06.01,Default,,0000,0000,0000,,don't have anything other than flash. So\Neven though they call it option buy or
Dialogue: 0,0:39:06.01,0:39:10.13,Default,,0000,0000,0000,,refer you to this is fusing or being\Npermanent and hardware. It's still stored
Dialogue: 0,0:39:10.13,0:39:14.18,Default,,0000,0000,0000,,and flash just like the user application\Nis stored in flash. So it's the same exact
Dialogue: 0,0:39:14.18,0:39:19.39,Default,,0000,0000,0000,,same non-volatile memory that's otherwise\Nused. So basically when you get a new SDM
Dialogue: 0,0:39:19.39,0:39:24.40,Default,,0000,0000,0000,,32 it's shipped in a state where you have\Nfull access. So that's how Josh was able
Dialogue: 0,0:39:24.40,0:39:30.53,Default,,0000,0000,0000,,to rework abord and flash it with new\Nfirmware. And there is the ultimate
Dialogue: 0,0:39:30.53,0:39:35.65,Default,,0000,0000,0000,,security is what's called RDP2. So there\Nyou have no access but you can see that
Dialogue: 0,0:39:35.65,0:39:43.55,Default,,0000,0000,0000,,basically if you have a value other than\Naa or cc which correspond to RDP0 and RDP2
Dialogue: 0,0:39:43.55,0:39:48.67,Default,,0000,0000,0000,,respectively then you have what's called\NRDP1 and this is interesting because it
Dialogue: 0,0:39:48.67,0:39:52.59,Default,,0000,0000,0000,,doesn't give you access to the flash which\Nis actually where the cryptographic seed
Dialogue: 0,0:39:52.59,0:39:57.05,Default,,0000,0000,0000,,is stored on the Trezor but it gives you\Naccess to RAM, it gives you access to the
Dialogue: 0,0:39:57.05,0:40:01.44,Default,,0000,0000,0000,,registers but it doesn't give you flash\Naccess like I said and it doesn't give you
Dialogue: 0,0:40:01.44,0:40:05.35,Default,,0000,0000,0000,,single stepping as well so connecting a\Ndebugger and this mode will actually cause
Dialogue: 0,0:40:05.35,0:40:10.48,Default,,0000,0000,0000,,the hardware to hard fault which we'll see\Nin the second. So basically what we want
Dialogue: 0,0:40:10.48,0:40:16.10,Default,,0000,0000,0000,,to try to do is to downgrade RDP2 which is\Nwhat the trezor is set to. And we want
Dialogue: 0,0:40:16.10,0:40:24.45,Default,,0000,0000,0000,,to be able to access the device at RDP1\Nwhich is somewhat vulnerable state. This
Dialogue: 0,0:40:24.45,0:40:29.16,Default,,0000,0000,0000,,so I should say that this is this is the\Ncorrect way to approach this and it's
Dialogue: 0,0:40:29.16,0:40:35.27,Default,,0000,0000,0000,,great for doing an educational talk. But\Nin all honesty there's three of us. And so
Dialogue: 0,0:40:35.27,0:40:39.86,Default,,0000,0000,0000,,we did this completely in the dark over a\Nover 3 months trying different
Dialogue: 0,0:40:39.86,0:40:44.33,Default,,0000,0000,0000,,parameters on our on our glitch setups\Nwhich also later and were able to find
Dialogue: 0,0:40:44.33,0:40:49.74,Default,,0000,0000,0000,,this. But I'm here to explain it to all of\Nyou so that it's easy to reproduce. So if
Dialogue: 0,0:40:49.74,0:40:53.64,Default,,0000,0000,0000,,you actually watch the SDM 30F2 boot\Nyou'll see that it's relatively slow and
Dialogue: 0,0:40:53.64,0:40:57.78,Default,,0000,0000,0000,,it's only this slow after you power cycle\Nthe board. So it takes approximately
Dialogue: 0,0:40:57.78,0:41:02.34,Default,,0000,0000,0000,,1.8 milliseconds to boot which is\Na microcontroller terms pretty slow so you
Dialogue: 0,0:41:02.34,0:41:06.17,Default,,0000,0000,0000,,can see there's the power supply there's\Nthe IO pin and that's approximately how
Dialogue: 0,0:41:06.17,0:41:10.72,Default,,0000,0000,0000,,long it takes to boot the firmware so you\Ncan see that's where the IO actually
Dialogue: 0,0:41:10.72,0:41:16.25,Default,,0000,0000,0000,,toggles so 120 milliseconds later. So we\Njust wrote some firmware to basically
Dialogue: 0,0:41:16.25,0:41:20.13,Default,,0000,0000,0000,,toggle one of the pins measured within an\Noscilloscope. Now we have the timing of
Dialogue: 0,0:41:20.13,0:41:24.83,Default,,0000,0000,0000,,how long that takes. So that's not super\Ninteresting because that's not really a
Dialogue: 0,0:41:24.83,0:41:29.01,Default,,0000,0000,0000,,trigger. And each one of these\Nmicrocontrollers internally it has a boot
Dialogue: 0,0:41:29.01,0:41:34.79,Default,,0000,0000,0000,,rom so it has some some rom read only\Nmemory. It's not non-volatile memory it's
Dialogue: 0,0:41:34.79,0:41:40.62,Default,,0000,0000,0000,,not the flash. It's literally a rom which\Nis inside the chip itself. It's it's hard
Dialogue: 0,0:41:40.62,0:41:45.59,Default,,0000,0000,0000,,coded. It cannot be fixed or patched that\Ngets executed first. So we wanted to
Dialogue: 0,0:41:45.59,0:41:49.51,Default,,0000,0000,0000,,actually attack that because anything else\Nis the user application and that's what
Dialogue: 0,0:41:49.51,0:41:54.34,Default,,0000,0000,0000,,Josh did last year. So you can kind of\Nstart to fiddle this down. So you see that
Dialogue: 0,0:41:54.34,0:41:58.60,Default,,0000,0000,0000,,1.4 milliseconds of the reboot\Nnothing actually happens because this is
Dialogue: 0,0:41:58.60,0:42:02.45,Default,,0000,0000,0000,,now the reset line. And so the reset line\Ngoes high after 1.4 millisecond
Dialogue: 0,0:42:02.45,0:42:06.06,Default,,0000,0000,0000,,so you can ignore the first\N1.4 milliseconds after you
Dialogue: 0,0:42:06.06,0:42:10.56,Default,,0000,0000,0000,,cycle the power. So now the next step that\Nyou can actually do is you can connect
Dialogue: 0,0:42:10.56,0:42:15.87,Default,,0000,0000,0000,,what's called a shunt resistor. So\Noscilloscopes are there to measure
Dialogue: 0,0:42:15.87,0:42:19.35,Default,,0000,0000,0000,,voltage and so you want to actually\Nmeasure current to be able to know how
Dialogue: 0,0:42:19.35,0:42:23.45,Default,,0000,0000,0000,,much power is being consumed\Nby the device. So you do what's called
Dialogue: 0,0:42:23.45,0:42:26.72,Default,,0000,0000,0000,,a shunt measurement and that's\Nwhat I have on this slide right here.
Dialogue: 0,0:42:26.72,0:42:30.84,Default,,0000,0000,0000,,So you have the blue signal is now\Nactually the power consumption. And so now
Dialogue: 0,0:42:30.84,0:42:34.64,Default,,0000,0000,0000,,you can actually look and see what's\Nhappening. So the first thing that happens
Dialogue: 0,0:42:34.64,0:42:38.86,Default,,0000,0000,0000,,is we have the execution of the BootROM.\NYou can see in the power consumption curve
Dialogue: 0,0:42:38.86,0:42:44.44,Default,,0000,0000,0000,,you can clearly see this moment in time.\NThen you have basically where the flash
Dialogue: 0,0:42:44.44,0:42:49.21,Default,,0000,0000,0000,,and option bytes actually get read\Nsomewhat at least within the BootROM. And
Dialogue: 0,0:42:49.21,0:42:53.62,Default,,0000,0000,0000,,finally the third distinctive moment in\Ntime is where the application actually
Dialogue: 0,0:42:53.62,0:42:58.24,Default,,0000,0000,0000,,begins to execute. So now we've taken this\N1.8 milliseconds which is a
Dialogue: 0,0:42:58.24,0:43:03.20,Default,,0000,0000,0000,,relatively long time and reduced it to 200\Nmicroseconds. We're actually interested
Dialogue: 0,0:43:03.20,0:43:07.91,Default,,0000,0000,0000,,in. And not only that we know that we're\Nactually interested in having slightly
Dialogue: 0,0:43:07.91,0:43:12.65,Default,,0000,0000,0000,,higher power consumption than the normal\Nexecution of the bootloader or the BootROM
Dialogue: 0,0:43:12.65,0:43:19.23,Default,,0000,0000,0000,,rather and this is somewhere between\Nlet's say 170 microseconds and 200
Dialogue: 0,0:43:19.23,0:43:23.76,Default,,0000,0000,0000,,microseconds. So this is the time at which\Nwe actually need to glitch and this is
Dialogue: 0,0:43:23.76,0:43:28.46,Default,,0000,0000,0000,,also reasonable parameters. If you're\Ntrying to reproduce this at home. So what
Dialogue: 0,0:43:28.46,0:43:33.57,Default,,0000,0000,0000,,do you need to reproduce this thing. So I.\NThe greatest thing that came out in the
Dialogue: 0,0:43:33.57,0:43:38.66,Default,,0000,0000,0000,,last couple of years is the these cheap\NChinese power supplies where you take a
Dialogue: 0,0:43:38.66,0:43:43.60,Default,,0000,0000,0000,,cheap you know old wall wart from one of\Nyour old Linksys routers you plug it in
Dialogue: 0,0:43:43.60,0:43:48.86,Default,,0000,0000,0000,,and then you actually have a controllable\Npower supply with with voltage and current
Dialogue: 0,0:43:48.86,0:43:53.46,Default,,0000,0000,0000,,and you can adjust this and control this.\NAnd so that's what we're using here. The
Dialogue: 0,0:43:53.46,0:43:56.64,Default,,0000,0000,0000,,second thing that I have to actually
Dialogue: 0,0:43:56.64,0:44:01.39,Default,,0000,0000,0000,,control the timing is an FPGA. I mean I\Nuse FPGA's for everything and this is
Dialogue: 0,0:44:01.39,0:44:05.85,Default,,0000,0000,0000,,something that was easiest to put together\Nwith an FPGA because FPGAs have constant
Dialogue: 0,0:44:05.85,0:44:11.47,Default,,0000,0000,0000,,timing. So finally we have a multiplexer\Nthere as well and the multiplexers are
Dialogue: 0,0:44:11.47,0:44:16.75,Default,,0000,0000,0000,,actually switching between two voltages\Nbetween ground so completely cutting the
Dialogue: 0,0:44:16.75,0:44:21.26,Default,,0000,0000,0000,,voltage off and the normal operating\Nvoltage of the microcontroller. And
Dialogue: 0,0:44:21.26,0:44:27.31,Default,,0000,0000,0000,,finally we have a debugger, the J-link\Nwhich is highly advised if you want to
Dialogue: 0,0:44:27.31,0:44:33.31,Default,,0000,0000,0000,,ever do Jtag stuff. So it's just a Jtag\Ndebugger and basically what happens is
Dialogue: 0,0:44:33.31,0:44:39.54,Default,,0000,0000,0000,,you let this run for a while and it looks\Nlike this. It's not really super eventful
Dialogue: 0,0:44:39.54,0:44:43.59,Default,,0000,0000,0000,,so you can see that the voltage the yellow\Nsignal is actually the voltage and you can
Dialogue: 0,0:44:43.59,0:44:46.77,Default,,0000,0000,0000,,see we're just dipping the voltage at\Ndifferent points in time and
Dialogue: 0,0:44:46.77,0:44:51.63,Default,,0000,0000,0000,,simultaneously we have a python script\Nchecking if we have Jtag access or not.
Dialogue: 0,0:44:51.63,0:44:56.68,Default,,0000,0000,0000,,Protip to all the new dads if you do this\Nat home you can turn your oscilloscope
Dialogue: 0,0:44:56.68,0:45:00.50,Default,,0000,0000,0000,,towards the door, so that when you get up\Nat night because the baby's crying, you
Dialogue: 0,0:45:00.50,0:45:06.06,Default,,0000,0000,0000,,can see if it's still running or not. So\Nit's very, it's highly advised. So now
Dialogue: 0,0:45:06.06,0:45:10.90,Default,,0000,0000,0000,,Thomas is going to tell us how to get the\Nseed into into RAM.
Dialogue: 0,0:45:10.90,0:45:17.50,Default,,0000,0000,0000,,Thomas: So we had this thing running for\N3 months roughly across 3
Dialogue: 0,0:45:17.50,0:45:22.02,Default,,0000,0000,0000,,continents because Josh is in America,\NDmitry is in Russia and I'm in Germany and
Dialogue: 0,0:45:22.02,0:45:26.61,Default,,0000,0000,0000,,so it took us 3 months to get a\Nsuccessful glitch and even then we didn't
Dialogue: 0,0:45:26.61,0:45:32.09,Default,,0000,0000,0000,,believe it at first because we exhausted\Neverything basically. And the only reason
Dialogue: 0,0:45:32.09,0:45:39.29,Default,,0000,0000,0000,,we finally got it working is that we did a\Nmistake where we misstook 70 ms with
Dialogue: 0,0:45:39.29,0:45:43.71,Default,,0000,0000,0000,,170 ms and had it run for a long time. And\Nthat's how we found out that the BootROM
Dialogue: 0,0:45:43.71,0:45:48.92,Default,,0000,0000,0000,,is actually super slow to boot on this\Ndevice. And once we had this downgrade
Dialogue: 0,0:45:48.92,0:45:56.81,Default,,0000,0000,0000,,from RDP2 to RDP1, we were able to read\Nthe RAM, but we cannot read the flash
Dialogue: 0,0:45:56.81,0:46:03.70,Default,,0000,0000,0000,,which actually contains the seed. And so\Nhow do we find this? And our idea was we
Dialogue: 0,0:46:03.70,0:46:08.54,Default,,0000,0000,0000,,start reviewing the upgrade procedure\Nbecause on the Trezor, the way the
Dialogue: 0,0:46:08.54,0:46:12.78,Default,,0000,0000,0000,,bootloader works is, it doesn't require a\NPIN or anything to upgrade the firmware,
Dialogue: 0,0:46:12.78,0:46:16.39,Default,,0000,0000,0000,,which makes sense, because let's say you\Nhave a bug in the pin function you want to
Dialogue: 0,0:46:16.39,0:46:21.61,Default,,0000,0000,0000,,somehow be able to get rid of it, right?\NAnd the other thing is if you flash a
Dialogue: 0,0:46:21.61,0:46:28.97,Default,,0000,0000,0000,,fully valid firmware it retains the data,\Nit retains your seed. if you flash and not
Dialogue: 0,0:46:28.97,0:46:35.17,Default,,0000,0000,0000,,genuine one. It actually will erase your\Nseed and so on. And the big, and they do a
Dialogue: 0,0:46:35.17,0:46:38.99,Default,,0000,0000,0000,,really good job on the firmware\Nverification. We reviewed it for days and
Dialogue: 0,0:46:38.99,0:46:43.64,Default,,0000,0000,0000,,days and days and didn't find anything.\NBut so how does this upgrade procedure
Dialogue: 0,0:46:43.64,0:46:48.22,Default,,0000,0000,0000,,work? how is this seat retained? And so\Nwhen you reviewed the relevant code you
Dialogue: 0,0:46:48.22,0:46:54.31,Default,,0000,0000,0000,,see that there is a call to backup\Nmetadata which sounds like it's going to
Dialogue: 0,0:46:54.31,0:46:59.86,Default,,0000,0000,0000,,retain somehow your data. And indeed you\Ncan see that it's literally a mem-copy
Dialogue: 0,0:46:59.86,0:47:06.03,Default,,0000,0000,0000,,from the data on flash we're interested\Ninto RAM. And so our basic procedure
Dialogue: 0,0:47:06.03,0:47:11.63,Default,,0000,0000,0000,,was, we go into bootloader we start the\Nfirmware upgrade and we stop it before the
Dialogue: 0,0:47:11.63,0:47:16.60,Default,,0000,0000,0000,,RAM gets cleared. Because if you finish\Nthe upgrade procedure, the Trezor actually
Dialogue: 0,0:47:16.60,0:47:22.39,Default,,0000,0000,0000,,clears its memory again, which is a very\Ndecent way to do it. But we've found a way
Dialogue: 0,0:47:22.39,0:47:25.81,Default,,0000,0000,0000,,to retain it in RAM. So it turns out that\Nwhen you start the firmware upgrade
Dialogue: 0,0:47:25.81,0:47:32.88,Default,,0000,0000,0000,,process, it eventually asks you to verify\Nto check some of what you just flashed and
Dialogue: 0,0:47:32.88,0:47:38.54,Default,,0000,0000,0000,,it turns out that at this point in time,\Nthe seed is still in RAM and we can read
Dialogue: 0,0:47:38.54,0:47:47.41,Default,,0000,0000,0000,,it out via RDP2. And this is relatively\Nsimple to do once you actually manage to
Dialogue: 0,0:47:47.41,0:47:51.78,Default,,0000,0000,0000,,glitch the device. You basically just run\Nopenocd dump_image, you get an image of
Dialogue: 0,0:47:51.78,0:47:57.06,Default,,0000,0000,0000,,the SRAM and you have the whole RAM\Ncontents and so.
Dialogue: 0,0:47:57.06,0:48:04.33,Default,,0000,0000,0000,,Dmitry: What are we going to do,Thomas?\NWhat high tech hacking tool will be using
Dialogue: 0,0:48:04.33,0:48:09.63,Default,,0000,0000,0000,,today to extract the seed?\NThomas:So we actually before we were
Dialogue: 0,0:48:09.63,0:48:14.31,Default,,0000,0000,0000,,successful, we had hours of talks on the\Nhow do we, how is this seed stored and so
Dialogue: 0,0:48:14.31,0:48:18.88,Default,,0000,0000,0000,,on. But we've found this super\Nsophisticated seed extraction tool that
Dialogue: 0,0:48:18.88,0:48:26.01,Default,,0000,0000,0000,,only runs on POSIX and POSIX-like systems,\Nit's called strings.
Dialogue: 0,0:48:26.01,0:48:30.14,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NAnd so basically it turns out that when
Dialogue: 0,0:48:30.14,0:48:37.64,Default,,0000,0000,0000,,you have a firmware dump as we have RAM\Ndump as we do now, and we go to we just
Dialogue: 0,0:48:37.64,0:48:43.55,Default,,0000,0000,0000,,run strings on the dump. We get a couple\Nof really nice words and I don't know if
Dialogue: 0,0:48:43.55,0:48:49.34,Default,,0000,0000,0000,,you remember the intro, but this is your\Nseeds.
Dialogue: 0,0:48:49.34,0:48:55.60,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NAnd you might be wondering what this
Dialogue: 0,0:48:55.60,0:48:59.90,Default,,0000,0000,0000,,little number is. This is your pin to the\Ndevice.
Dialogue: 0,0:48:59.90,0:49:09.02,Default,,0000,0000,0000,,{\i1}Laughters{\i0}\NThat was a great day. And so Josh, or one
Dialogue: 0,0:49:09.02,0:49:16.37,Default,,0000,0000,0000,,of Josh's employees took all this mess we\Ncreated on all desks and made it into this
Dialogue: 0,0:49:16.37,0:49:23.60,Default,,0000,0000,0000,,nice device which is basically a socket\Nwhere you put in your chip and then we can
Dialogue: 0,0:49:23.60,0:49:28.48,Default,,0000,0000,0000,,read out the seed and so on.\NDmitry: And all of this stuff including
Dialogue: 0,0:49:28.48,0:49:32.60,Default,,0000,0000,0000,,the board design, FPGA codes, and the\NVerilog code that we use, I mean if
Dialogue: 0,0:49:32.60,0:49:36.81,Default,,0000,0000,0000,,somebody wants to, they can apply it and\Ndo the same thing with one of the ICEPICKs
Dialogue: 0,0:49:36.81,0:49:41.06,Default,,0000,0000,0000,,or one of the more open source friendly\NFPGA boards. This just happens to be the
Dialogue: 0,0:49:41.06,0:49:46.71,Default,,0000,0000,0000,,one that we all had lying around and could\Nreproduce the work with. You can go ahead
Dialogue: 0,0:49:46.71,0:49:50.85,Default,,0000,0000,0000,,and do it. I mean we suspect, I think\NThomas said, we suspect you might be able
Dialogue: 0,0:49:50.85,0:49:54.91,Default,,0000,0000,0000,,to do with Arduino as well, because the\Nactual glitch pulse is only approximately
Dialogue: 0,0:49:54.91,0:50:02.06,Default,,0000,0000,0000,,60 μs or sorry, 6 μs in time. So it's a\Nrelatively slow signal as well, so it
Dialogue: 0,0:50:02.06,0:50:08.31,Default,,0000,0000,0000,,should be relatively repeatable even with\Nsomething cheaper than this. But this is a
Dialogue: 0,0:50:08.31,0:50:12.20,Default,,0000,0000,0000,,way to automate this even better and to\Nnot have dangling wires or any of the
Dialogue: 0,0:50:12.20,0:50:16.87,Default,,0000,0000,0000,,small soldering that was required to do it\Nin situ in the device which we had on the
Dialogue: 0,0:50:16.87,0:50:22.11,Default,,0000,0000,0000,,previous slide. So all of that we're going\Nto have it on GIthub. And so I think the
Dialogue: 0,0:50:22.11,0:50:28.08,Default,,0000,0000,0000,,final, the final thing.\NThomas: one more thing before we are,
Dialogue: 0,0:50:28.08,0:50:35.55,Default,,0000,0000,0000,,sorry. One more thing. So this breaks a\Nlot of the Trezor security, but there is
Dialogue: 0,0:50:35.55,0:50:41.06,Default,,0000,0000,0000,,a way to protect your seed against this,\NSo if you use a passphrase on your device,
Dialogue: 0,0:50:41.06,0:50:46.52,Default,,0000,0000,0000,,the way we understood it, it basically\Ndoesn't allows somebody with hardware
Dialogue: 0,0:50:46.52,0:50:51.85,Default,,0000,0000,0000,,access to steal all your funds. So if you\Nadd a passphrase to your Trezor, a good
Dialogue: 0,0:50:51.85,0:50:57.76,Default,,0000,0000,0000,,passphrase and your machine is not already\Nowned you can somehow somewhat protect
Dialogue: 0,0:50:57.76,0:51:03.22,Default,,0000,0000,0000,,against this. But a lot of people don't.\NSo we are really sorry we didn't mean any
Dialogue: 0,0:51:03.22,0:51:08.52,Default,,0000,0000,0000,,harm.\NDmitry: So yeah, that's the conclusion I
Dialogue: 0,0:51:08.52,0:51:14.31,Default,,0000,0000,0000,,would say. So yeah I mean, so all the\Nstuff we're going to put online, I guess I
Dialogue: 0,0:51:14.31,0:51:20.59,Default,,0000,0000,0000,,said, so you can follow us for the links\Non the online. wallet.fail, it's a domain
Dialogue: 0,0:51:20.59,0:51:26.42,Default,,0000,0000,0000,,name, believe it or not, fail is a TLD. So\Nyou can go to github.com/walletfail,
Dialogue: 0,0:51:26.42,0:51:32.60,Default,,0000,0000,0000,,twitter.com/walletfail. You can follow me,\NThomas, and Josh on Twitter as well and
Dialogue: 0,0:51:32.60,0:51:36.71,Default,,0000,0000,0000,,like I said, we'll be releasing all this\Nstuff so it will go up slowly. Just
Dialogue: 0,0:51:36.71,0:51:40.73,Default,,0000,0000,0000,,because I think when we set out six months\Nago we did not expect us to have 100
Dialogue: 0,0:51:40.73,0:51:45.62,Default,,0000,0000,0000,,percent success in everything that we were\Nplanning to do. so that's a first for me
Dialogue: 0,0:51:45.62,0:51:48.42,Default,,0000,0000,0000,,at the very least.\NThomas: The saddest part is that we have
Dialogue: 0,0:51:48.42,0:51:54.95,Default,,0000,0000,0000,,more vulnerabilities to other wallets,\Nbut, only one hour. And so we also have
Dialogue: 0,0:51:54.95,0:51:58.72,Default,,0000,0000,0000,,some stuff to give out so we have the\Nhardware implant PCBs, we have thousands
Dialogue: 0,0:51:58.72,0:52:01.81,Default,,0000,0000,0000,,of them if you want to get some.\NDmitry: Off to Josh.
Dialogue: 0,0:52:01.81,0:52:08.81,Default,,0000,0000,0000,,Thomas: We even have components for them\Nfor like 100 devices so hit us up and we
Dialogue: 0,0:52:08.81,0:52:11.02,Default,,0000,0000,0000,,can do something. Thank you.
Dialogue: 0,0:52:11.02,0:52:21.96,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:52:21.96,0:52:25.65,Default,,0000,0000,0000,,Herald: Thank you guys, it's an amazing\Ntalk. I feel really inspired to break
Dialogue: 0,0:52:25.65,0:52:30.63,Default,,0000,0000,0000,,things apart in a very creative way. We\Nhave some time left for questions. So if
Dialogue: 0,0:52:30.63,0:52:34.72,Default,,0000,0000,0000,,you have questions, please line up at the\Nmicrophones. But first we're going to
Dialogue: 0,0:52:34.72,0:52:37.30,Default,,0000,0000,0000,,start with a question from the Internet.
Dialogue: 0,0:52:37.30,0:52:40.24,Default,,0000,0000,0000,,Signal Angel: Thank you,\NI've got two related
Dialogue: 0,0:52:40.24,0:52:44.24,Default,,0000,0000,0000,,questions from the internet. First one,\Nhow hard did you guys laugh when bitify
Dialogue: 0,0:52:44.24,0:52:50.60,Default,,0000,0000,0000,,announced that their Android-based wallet\Nwas unhackable? And second question, have
Dialogue: 0,0:52:50.60,0:52:55.51,Default,,0000,0000,0000,,you had a try to attack larger processors\Nlike ARM-based processors?
Dialogue: 0,0:52:55.51,0:53:00.90,Default,,0000,0000,0000,,Thomas: So maybe let's start with Bitfi.\NSo we only talk about somewhat secure
Dialogue: 0,0:53:00.90,0:53:06.72,Default,,0000,0000,0000,,wallets, we didn't want to use a Chinese\Nphone in this talk. So we laughed pretty
Dialogue: 0,0:53:06.72,0:53:13.89,Default,,0000,0000,0000,,hard and we ordered some, but yeah.\NDmitry: And I mean this was covered
Dialogue: 0,0:53:13.89,0:53:17.78,Default,,0000,0000,0000,,extensively. So another guy who you should\Nfollow on Twitter @cybergibbons gave a
Dialogue: 0,0:53:17.78,0:53:22.16,Default,,0000,0000,0000,,talk at hardwear.io on the topic of the\NBitfi. He was summarizing research that
Dialogue: 0,0:53:22.16,0:53:25.57,Default,,0000,0000,0000,,he did in conjunction with a bunch of\Nother people as well. So if you're
Dialogue: 0,0:53:25.57,0:53:27.97,Default,,0000,0000,0000,,interested in the Bitfi you should go look\Nat them.
Dialogue: 0,0:53:27.97,0:53:30.17,Default,,0000,0000,0000,,So the second question was about ARM-based
Dialogue: 0,0:53:30.17,0:53:35.42,Default,,0000,0000,0000,,controllers. I mean all of these were\NARM-based. Every single chip as far as I
Dialogue: 0,0:53:35.42,0:53:38.99,Default,,0000,0000,0000,,know that we looked at was was ARM-based\Nin one way or another.
Dialogue: 0,0:53:38.99,0:53:40.21,Default,,0000,0000,0000,,Thomas: Yeah and there's,
Dialogue: 0,0:53:40.21,0:53:44.06,Default,,0000,0000,0000,,so if you're interested in this, look at\Nglitching the Nintendo Switch where they
Dialogue: 0,0:53:44.06,0:53:48.36,Default,,0000,0000,0000,,glitch the Tegra used in the Nintendo\NSwitch, which is very interesting and will
Dialogue: 0,0:53:48.36,0:53:52.92,Default,,0000,0000,0000,,give a lot of inspiration in that\Nregard, basically.
Dialogue: 0,0:53:52.92,0:53:57.21,Default,,0000,0000,0000,,Herald: Thank you. A question for\Nmicrophone 4 please.
Dialogue: 0,0:53:57.21,0:54:01.76,Default,,0000,0000,0000,,Mic 4: Hi, Trezor CPO here, first thank\Nyou for the talk, we worked with you to
Dialogue: 0,0:54:01.76,0:54:06.01,Default,,0000,0000,0000,,fix the issues as soon as are recommend to\Nprod and if anyone interested in hacking
Dialogue: 0,0:54:06.01,0:54:13.73,Default,,0000,0000,0000,,hardware wallets, we are really interested\Nin working with the hardware hackers
Dialogue: 0,0:54:13.73,0:54:17.94,Default,,0000,0000,0000,,community and we have a\Nresponsible disclosure program.
Dialogue: 0,0:54:17.94,0:54:24.06,Default,,0000,0000,0000,,you mentioned problems with supply chain\Nattacks, but gave no solutions, so let me
Dialogue: 0,0:54:24.06,0:54:30.11,Default,,0000,0000,0000,,give you one. Trezor is open source\Nhardware so you can build your own
Dialogue: 0,0:54:30.11,0:54:32.24,Default,,0000,0000,0000,,from locally sourced components
Dialogue: 0,0:54:32.24,0:54:37.95,Default,,0000,0000,0000,,and if you are paranoid and don't want to\Ndeal with these kind of attacks.
Dialogue: 0,0:54:37.95,0:54:44.14,Default,,0000,0000,0000,,but my question is, is there any\Nother solution except for building
Dialogue: 0,0:54:44.14,0:54:47.26,Default,,0000,0000,0000,,your own wallet or inspecting\Nthe code to run and
Dialogue: 0,0:54:47.26,0:54:50.38,Default,,0000,0000,0000,,interrogate about basically?
Dialogue: 0,0:54:50.38,0:54:55.24,Default,,0000,0000,0000,,Thomas: First Thank you. One thing we\Nshould mention is that when we looked at
Dialogue: 0,0:54:55.24,0:54:59.92,Default,,0000,0000,0000,,the Trezor code, the reason we had to end\Nup glitching this chip for three months is
Dialogue: 0,0:54:59.92,0:55:04.08,Default,,0000,0000,0000,,that we couldn't break the firmware\Notherwise. So they do a great job. And
Dialogue: 0,0:55:04.08,0:55:08.48,Default,,0000,0000,0000,,it's really awesome.\N{\i1}Applause{\i0}
Dialogue: 0,0:55:08.48,0:55:15.57,Default,,0000,0000,0000,,Dmitry: Yes. The firmware on the Trezor is\Nsomething to look at. I mean I recommend
Dialogue: 0,0:55:15.57,0:55:19.58,Default,,0000,0000,0000,,that, I mean we all do consulting work as\Nwell. And so it's something that I
Dialogue: 0,0:55:19.58,0:55:24.74,Default,,0000,0000,0000,,recommend that people who are interested\Nin looking at how to prevent certain doom
Dialogue: 0,0:55:24.74,0:55:28.44,Default,,0000,0000,0000,,mitigations and hardware. It's an\Nexcellent project to look at. And so
Dialogue: 0,0:55:28.44,0:55:32.39,Default,,0000,0000,0000,,Trezor should be commended on that. But at\Nthe end of the day it doesn't mean that
Dialogue: 0,0:55:32.39,0:55:37.27,Default,,0000,0000,0000,,the chip that the Trezor uses is secure\Nagainst these kinds of attacks. And that's
Dialogue: 0,0:55:37.27,0:55:41.37,Default,,0000,0000,0000,,where we had a fallback to looking for\Nsilicon vulnerabilities against a chip
Dialogue: 0,0:55:41.37,0:55:44.93,Default,,0000,0000,0000,,or, sorry, a wallet like the Trezor.
Dialogue: 0,0:55:45.81,0:55:48.03,Default,,0000,0000,0000,,Josh: I would say on this hygeine side,
Dialogue: 0,0:55:48.03,0:55:53.00,Default,,0000,0000,0000,,this is a very difficult problem,\Ngovernments especially have this issue.
Dialogue: 0,0:55:53.00,0:55:57.19,Default,,0000,0000,0000,,You can do cryptographic attestation, but\Nas we saw with the Ledger nano,
Dialogue: 0,0:55:57.19,0:56:01.10,Default,,0000,0000,0000,,that cryptographic attestation didn't help\Nverify that the requests were legitimate
Dialogue: 0,0:56:01.10,0:56:05.11,Default,,0000,0000,0000,,against a hardware attack, so there's been\Ntalk about X-raying the board and all this
Dialogue: 0,0:56:05.11,0:56:08.54,Default,,0000,0000,0000,,stuff, but this is still very much an\Nopen problem in hardware security.
Dialogue: 0,0:56:08.54,0:56:11.02,Default,,0000,0000,0000,,Herald: Another question from microphone\N3.
Dialogue: 0,0:56:11.02,0:56:16.31,Default,,0000,0000,0000,,Mic: Actually I have a suggestion.\NHerald: Make it short, though. Because
Dialogue: 0,0:56:16.31,0:56:19.39,Default,,0000,0000,0000,,usually we just take questions. One\Nsentence.
Dialogue: 0,0:56:19.39,0:56:25.20,Default,,0000,0000,0000,,Mic: A few MCUs actually have Jtag\Nconnected via hardware fuses.
Dialogue: 0,0:56:25.66,0:56:28.53,Default,,0000,0000,0000,,So this might be useful
Dialogue: 0,0:56:28.53,0:56:35.60,Default,,0000,0000,0000,,at least slow down glitching attacks.\NDmitry: Thanks. I agree. But these are
Dialogue: 0,0:56:35.60,0:56:40.76,Default,,0000,0000,0000,,not Cortex-M microcontrollers I can tell\Nyou that with 100% certainty. It has to do
Dialogue: 0,0:56:40.76,0:56:44.11,Default,,0000,0000,0000,,a lot with the fact that the\Nmicrocontrollers that are being used in
Dialogue: 0,0:56:44.11,0:56:48.46,Default,,0000,0000,0000,,these devices, they're built to spec to\Nthe spec that ARM specified that ARM
Dialogue: 0,0:56:48.46,0:56:53.80,Default,,0000,0000,0000,,thinks would be a good set of features for\Nthis class of device or rather for the for
Dialogue: 0,0:56:53.80,0:56:57.99,Default,,0000,0000,0000,,the CPUs for the class of device that they\Nended up getting put in. So anything
Dialogue: 0,0:56:57.99,0:57:02.95,Default,,0000,0000,0000,,Cortex-M is gonna to have vulnerabilities\Nthat are more or less like the silicon
Dialogue: 0,0:57:02.95,0:57:06.86,Default,,0000,0000,0000,,vulnerabilities that we have. It's just I\Nmean if you ask me I think it's a matter
Dialogue: 0,0:57:06.86,0:57:11.05,Default,,0000,0000,0000,,of time just to sit there. I mean\Nfortunately we had something like 3 months
Dialogue: 0,0:57:11.05,0:57:16.77,Default,,0000,0000,0000,,of just glitching to be able to find find\Nthese bugs. But if you can apply that much
Dialogue: 0,0:57:16.77,0:57:22.20,Default,,0000,0000,0000,,to find it silicon attack you might be\Nable to find this kind of vulnerability as
Dialogue: 0,0:57:22.20,0:57:25.58,Default,,0000,0000,0000,,well in other Cortex-M products. Only\Nthree minutes.
Dialogue: 0,0:57:25.58,0:57:28.94,Default,,0000,0000,0000,,Herald: All good. Another question from\Nmicrophone 4 please.
Dialogue: 0,0:57:28.94,0:57:33.93,Default,,0000,0000,0000,,Mic 4: So obviously as part of your work\Nyou analyzed the firmware of these
Dialogue: 0,0:57:33.93,0:57:40.15,Default,,0000,0000,0000,,devices. Did you find that the firmware \Nis in any way obfuscated or encrypted?
Dialogue: 0,0:57:40.15,0:57:45.38,Default,,0000,0000,0000,,Thomas: So basically yep, on these chips\Nyou cannot really encrypt the firmware. On
Dialogue: 0,0:57:45.38,0:57:51.00,Default,,0000,0000,0000,,the ST31 you can encrypt it. But we didn't\Nhave to look at it because the ST31 is not
Dialogue: 0,0:57:51.00,0:57:54.71,Default,,0000,0000,0000,,something you have to break but so no\Nthere was no real obfuscation that we
Dialogue: 0,0:57:54.71,0:57:58.78,Default,,0000,0000,0000,,could see. But we also don't have the code\Nin the case of letters so I just stared at
Dialogue: 0,0:57:58.78,0:58:05.22,Default,,0000,0000,0000,,IDA pro for hours and yeah.\NHerald: The next person on microphone 4.
Dialogue: 0,0:58:05.22,0:58:11.31,Default,,0000,0000,0000,,Mic 4: Hello, did you have a look at the\Nentropy chip that generates the master
Dialogue: 0,0:58:11.31,0:58:14.88,Default,,0000,0000,0000,,seeds on both of these hardware devices,\Nand what's your take on that?
Dialogue: 0,0:58:14.88,0:58:21.53,Default,,0000,0000,0000,,Dmitry: I mean, so we already hovered how\Nthe Trezor works. There is only one chip
Dialogue: 0,0:58:21.53,0:58:26.76,Default,,0000,0000,0000,,and it's the STM32 so I know that there\Nwas a known issue with Trezor back in the
Dialogue: 0,0:58:26.76,0:58:32.95,Default,,0000,0000,0000,,day where they weren't seeding the\Nbasically the RNG correctly. But this was
Dialogue: 0,0:58:32.95,0:58:37.82,Default,,0000,0000,0000,,fixed. But for our attacks this wasn't\Nthis wasn't an issue. I mean if you were
Dialogue: 0,0:58:37.82,0:58:42.71,Default,,0000,0000,0000,,concerned about how strong these are, how\Nstrong the random number generators are
Dialogue: 0,0:58:42.71,0:58:48.56,Default,,0000,0000,0000,,for creating a seed you could actually\Ncreate a BIP39 wallet outside of any
Dialogue: 0,0:58:48.56,0:58:53.54,Default,,0000,0000,0000,,one of these and then just use them for\Ntheir hardware features and get the seed
Dialogue: 0,0:58:53.54,0:58:56.33,Default,,0000,0000,0000,,from outside.\NHerald: And if you have a question, do
Dialogue: 0,0:58:56.33,0:59:00.17,Default,,0000,0000,0000,,move to the microphone if you're able to.\NBut first we have another question from
Dialogue: 0,0:59:00.17,0:59:03.94,Default,,0000,0000,0000,,the Internet.\NSA: Thank you. Did you guys see the
Dialogue: 0,0:59:03.94,0:59:09.47,Default,,0000,0000,0000,,dinosaur hiphop zero wallet?\NThomas: No but if you send it to us
Dialogue: 0,0:59:09.47,0:59:11.66,Default,,0000,0000,0000,,we are happy to look at it.\NThomas: Oh you did.
Dialogue: 0,0:59:11.66,0:59:14.63,Default,,0000,0000,0000,,Dmitry: Yeah, we had the it\NJosh: The dinosaur hiphop wallet -
Dialogue: 0,0:59:14.63,0:59:18.38,Default,,0000,0000,0000,,Thank you for the kind of trick questions\N- So the design of the dinosaur hiphop
Dialogue: 0,0:59:18.38,0:59:21.78,Default,,0000,0000,0000,,wallet was a trezor clone\Nthat we looked at last year.
Dialogue: 0,0:59:21.78,0:59:23.93,Default,,0000,0000,0000,,Thomas: Ah\NJosh: Called breaking bitcoin board
Dialogue: 0,0:59:23.93,0:59:27.36,Default,,0000,0000,0000,,so that if we didn't, otherwise\Nfunctionally it's a trezor clone
Dialogue: 0,0:59:27.36,0:59:30.12,Default,,0000,0000,0000,,but we stole a lot of the instructions\Nfrom dinosaur hiphop
Dialogue: 0,0:59:30.12,0:59:33.44,Default,,0000,0000,0000,,make the breaking bitcoin board\Nand then prepare the operating system.
Dialogue: 0,0:59:33.44,0:59:37.31,Default,,0000,0000,0000,,Dmitry: I mean, and maybe on that note\NI would say that in terms of looking at
Dialogue: 0,0:59:37.31,0:59:42.32,Default,,0000,0000,0000,,what wallets are actually be used you'll\Nfind that, so the Ledger is a very popular
Dialogue: 0,0:59:42.32,0:59:44.27,Default,,0000,0000,0000,,wallet, the Trezor is a very popular
Dialogue: 0,0:59:44.27,0:59:50.08,Default,,0000,0000,0000,,wallet. But since the Trezor is opensource\Nthere is a lot of clones and forks of the
Dialogue: 0,0:59:50.08,0:59:55.93,Default,,0000,0000,0000,,Trezor. And when I say that not all of\Nthem run the latest security patches that
Dialogue: 0,0:59:55.93,1:00:00.43,Default,,0000,0000,0000,,have been applied to the Trezor code base.\NSo that's also something that you can do
Dialogue: 0,1:00:00.43,1:00:04.83,Default,,0000,0000,0000,,is basically diff the projects and see\Nwhich one of them which ones are staying
Dialogue: 0,1:00:04.83,1:00:06.17,Default,,0000,0000,0000,,up to date and which aren't.
Dialogue: 0,1:00:06.17,1:00:08.82,Default,,0000,0000,0000,,Herald: Your question has to be the very\Nlast one today.
Dialogue: 0,1:00:08.82,1:00:15.78,Default,,0000,0000,0000,,Please speak directly into the microphone.\NEven closer to the mic.
Dialogue: 0,1:00:15.78,1:00:25.32,Default,,0000,0000,0000,,Mic: Seeing as this is the first CCC for\Nmany of us and some of us might not have
Dialogue: 0,1:00:25.32,1:00:29.94,Default,,0000,0000,0000,,that much experience in hardware hacking.\NDo you have any tips for beginners?
Dialogue: 0,1:00:29.94,1:00:39.21,Default,,0000,0000,0000,,Thomas: Yeah lots of them. Buy an Arduino \Nlearn what mistakes you do with it and
Dialogue: 0,1:00:39.21,1:00:44.10,Default,,0000,0000,0000,,learn how hardware works, basically. Watch\Na lot of online videos and I think you
Dialogue: 0,1:00:44.10,1:00:48.53,Default,,0000,0000,0000,,gave presentations, you gave\Npresentations. I gave some presentations.
Dialogue: 0,1:00:48.53,1:00:53.52,Default,,0000,0000,0000,,So just watch talks, watch LiveOverflow.\NLiveOverflow, great YouTube channel on
Dialogue: 0,1:00:53.52,1:00:59.62,Default,,0000,0000,0000,,exactly this stuff. And also don't\Nhesitate to reach out to us. If you have a
Dialogue: 0,1:00:59.62,1:01:04.58,Default,,0000,0000,0000,,question. Always contact us\Ninfo@wallet.fail, on Twitter, wherever. we
Dialogue: 0,1:01:04.58,1:01:07.49,Default,,0000,0000,0000,,are happy to talk to you. It might take a\Nwhile.
Dialogue: 0,1:01:07.49,1:01:12.04,Default,,0000,0000,0000,,Josh: On non-security electronics, if you\Ngo to Sparkfun or Adafruit, they have lots
Dialogue: 0,1:01:12.04,1:01:15.84,Default,,0000,0000,0000,,of free material of how electronics work,\Nhow to get started. It's not security
Dialogue: 0,1:01:15.84,1:01:18.14,Default,,0000,0000,0000,,related, but it's a very good\Nelectronics program
Dialogue: 0,1:01:18.14,1:01:21.14,Default,,0000,0000,0000,,Dmitry: But I'll say I started\Nwith Arduino too.
Dialogue: 0,1:01:23.64,1:01:27.49,Default,,0000,0000,0000,,Herald: All right thank you guys so much\Nfor the very nice questions and you guys
Dialogue: 0,1:01:27.49,1:01:30.15,Default,,0000,0000,0000,,for the amazing and inspiring talk.\NThank you so much.
Dialogue: 0,1:01:30.15,1:01:31.67,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,1:01:31.67,1:01:58.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the years 2018-2020. Join, and help us!