Good morning Twitter. This post about Ledger cryptocurrency hardware wallet vulnerabilities is extremely cool, and not just for cryptocurrency people. Let me talk a bit about it. 1/ https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/ …
There is a common architectural theme in certain embedded devices: they incorporate a secure processor (or processor component) to protect critical secrets or ensure correct behavior. I’ve seen this in all kinds of devices, not just cryptocurrency wallets. 2/
(For an obvious example, every recent iPhone has a Secure Enclave processor that stores your fingerprint data and cryptographic keys. But these devices are used elsewhere as well. https://www.theiphonewiki.com/wiki/Secure_Enclave …) 3/
Secure co-processors typically incorporate some kind of tamper-resistant physical casing as well as a limited interface to protect secret data. They often have some crypto functions on board, and can “attest” (prove to remote parties) that they’re running the right software. 4/
None of these processors can withstand all attacks. But let’s ignore that part and assume they can, for the moment. This still leaves a huge gaping hole in many devices. 5/
You see, the typical “secure element” isn’t powerful enough to drive your entire device (including the pretty GUI and peripherals and network communication if that’s available). So most devices have a second “insecure” processor to do all that stuff. 6/
You're being too kind to them. Driving the display and buttons is the only really critical feature, and for the sort of tiny display on a Ledger, you can do that even from the wimpiest Arduino. Not using the secure CPU for that is just being lazy.