put it somewhere safe. But as the attackers also know, there's no place that is really safe. And our three speakers, Thomas, Dmitry and Josh, are now going to demonstrate over the next hour the art of completely breaking something apart. So please give a big round of applause for Thomas, Dmitry and Josh, and have a lot of fun.

So just to start, I'm curious: how many people here actually own cryptocurrency? Raise your hand. Oh, and how many of you store it on a hardware wallet? So we're very sorry to everyone who has their hand up. So it's not just me; it's me, Josh and Thomas. We're all hardware people. We do low-level hardware stuff, to varying degrees. And we got into cryptocurrency, and so I can recommend to everyone sitting in this room: if you're a security person, there are not a lot of people doing security in cryptocurrency, as painful as that is to hear. So, yeah, a lot of this is based on reverse engineering. We love cryptocurrency. I mean, for us, crypto also stands for cryptography, not cryptocurrency. But no offense to anyone with this talk. It's just a category that we looked at, and the results kind of speak for themselves. And again, this wouldn't be possible alone, so we have a lot of people to thank. I'm not going to go through all of them individually; just know that we're thankful to everyone on this slide.

So, yeah, we started this about six months ago. We wanted to take a look at cryptocurrency because we own some cryptocurrency ourselves, and we saw that everyone's using cryptocurrency wallets. It's more and more the thing that you do. So we started a group chat, as you do nowadays. We have 15,000 messages now and 1,100 images. And I had my son in the meantime as well. So it's a really long time that we've been looking at this. So what do we want to achieve? Because people don't know the kinds of attacks you can actually perform against cryptocurrency wallets.
So the first attack is supply chain attacks, where you are able to manipulate the devices before they get to the end customer. Then firmware vulnerabilities, where you find a vulnerability in the firmware and somehow either infect it or do something else with the firmware. There's the possibility of attacking side channels. And then there's the possibility of attacking the chip itself.

But first of all, what is a wallet? What is a wallet in this area? How does it work? This is asymmetric cryptography. You have a private and a public key. The public key gives you the address. And then you have the private key, which you need to send coins. The private key has to be kept secret; the public key you give to everyone. But it's stupid for every key to have its own storage, and that's why the Bitcoin people thought about this. They developed a standard called BIP32 or BIP44, and with that you can store more in one place. You take a set of bits, that's the secret seed here, you add data, and from this initial value you can derive a number of keys. You could write this thing down, but that's difficult, and that's why you transform it into the BIP39 standard. Here you can see how such a translation could work. And then you can put this piece of paper somewhere safe. If you store it in different places, then you have to break it into two different pieces.

So what is a hardware wallet? We are afraid that some malware will run on the PC, and that's why you often use a hardware token. On the right side you can see that. The computer sends the transaction to the device. The device shows it to the user again, takes the confirmation, and then signs it. Then it's sent back to the computer, and the computer can send it to the internet. That's how hardware wallets work.

The first thing we looked at was the supply chain. So, the three things that we will leave you with: stickers. Stickers are for laptops; they're not for security.
We will talk about stickers today. Stickers are for the beautification of laptops. Supply chain attacks are easy to carry out, but they scale badly. And the last thing is that the vendor's threat model doesn't necessarily have to be your threat model.

Security stickers: I've seen them on many products. They seem to be very popular. I have a colleague who also likes these stickers. His stickers are the same ones you can find on security products. They have holograms and serial numbers. They look nice and leave you with a good feeling. The first device we looked at was the Trezor One. It has two security layers on the packaging. There's the hologram sticker, and then the box itself is closed with a sticker. That means you have to open the box. But with hot air you can remove it all. On the left you can see the original and on the right you can see how I opened it and put everything back in. If you look closely, you can see a few traces that it was opened, but it is very difficult to recognize. For the vendors it is a real problem. They have published a blog post saying there is a problem with many people faking their devices. They found that there are fake devices, and you have to look at the stickers to see whether it is original. I bought mine a year and a half ago, and it has the same sticker as the one they claim is fake. On their wiki it is also very confusing, because there are three different stickers. The stickers are very confusing and cause problems for users. Even I was a little worried whether I had bought an original Trezor or not. That's why I bought a new one and opened the box with very refined technology. I opened the box with a hair dryer and I was able to remove the sticker without any resistance. So stickers don't give you security. The box can be opened, but there is also a sticker on the USB-C port. You can easily remove it with the hair dryer too. A small tip: don't make it too hot. Otherwise the case of the device will melt.
So maybe keep the temperature a bit lower. It is very confusing, because this device comes with a very strange document. It says that there are no stickers on this box. There are a lot of one-star Amazon reviews that say the sticker is missing. Attention, a hint for wallet hackers. I was very excited about it. Someone complained that there were fingerprints on the device and there was even a hair in the box. Stickers don't work, so that's all I wanted to say about them.

But as soon as you've opened the box, you have to open the case. There are three devices here, a Nano and a Trezor. They all open very easily. I'm still not sure if it's really the original or a fake. It's very easy to open. It's ultrasonically welded, but the Nano opened very easily, even without tools. And then, as soon as it's open, you take the microcontroller and remove it. And you just put a new one on it that you bought. Once you've done that, you can put a compromised bootloader on it. I didn't do that. I just put a debugger on it and I had complete access to the chip. A few things broke, but it just happens. You just have to open it, take it apart, flash it and reassemble it.

Then there's hardware implants. There was the Bloomberg story recently about hardware implants. I wanted to try that too. In connection with the Bloomberg story, which had a few problems, I would like to talk about the Bloomburglar. This is an implant that is probably a supply chain attack, but can also be done by a bad insider. So it has to be small. It has to fit into such a wallet. And of course it has to bypass security functions. I have a thousand pieces with me. That means I want to distribute a few here for our makers. So what did I do? I made a radio button. There is a button on the device. And all vendors just accept that the host is compromised. And once you have a compromised host, it has to send the transaction to the device. But then the user has to look at it: is that okay?
And then they have to say yes or no. So with this implant I can press the yes button via radio waves. You don't need a host for that. I can just press the button. The radio waves come in via an antenna, they go through a transistor, and it pulls the button down. The bill of materials is very expensive: that's about $3. And it's so sad that it's so expensive. And why is it so big? That's an American 10-cent piece. Why is it so big? I optimized it by hand. You just have to put the antenna on it. There is a button. And I have a thousand pieces with me. This is a comparison. It looks like this on the devices, but it also fits on breadboards. You could also try it at home. The last challenge is how to develop the antenna. Here is the first prototype. I experimented with a few antenna designs at home, but it really has to fit into the device. It's actually very simple, because there is a lot of space to put in another switch. Then I built in an implant and tried it out. And there is a test: is your device really authentic? I didn't look closely. Maybe they'll see it. It was just Linux. It just doesn't work under Linux. So I used Windows. No problem. The device is authentic. So I could continue. It's a very crude receiver, but the attacker can simply use more power. This is my antenna in the cellar. With a 50-watt transmitter I had a range of 11 meters, and that was just the problem: that's just the size of my cellar. I'm very confident that you can achieve bigger distances. Here is a demonstration of how it looks. Because the problem is: how do you know where the device is? And there is a sentence that is shown. What you see is that the transaction screen is coming up, and I'm going to operate the device without touching it. That's the transaction; you have to click on it. And there is the radio at 430 MHz. And it goes on without pressing a button. And there it is. So if you have a beautiful implant, then the attacker can bypass this security module from a distance.
So a short summary. Stickers are for laptops, not for security. Supply chain attacks are easy to do, but difficult to scale. If the vendor says that the device is authentic, that can mean different things.

And now to the next part. Josh said something funny six months ago: if you put strange constants in your code, then they will appear on DEF CON slides. And they won't laugh at you. And now there is an attack here, on this Ledger Nano. And this constant is actually found in the program code again. And that means something like an essence machine. So here you can see the Ledger Nano. It has two buttons, a USB connection and an OLED. If we take it apart, you can see a few pieces of plastic, a display and the USB connection. There is an interesting architecture. There is the STM32, a general microcontroller, and there is the ST31, the secure element, a chip with very high security. And then there is the program part for the STM32. And it is now turned on. That's what other people suspected. We checked it out. And of course, Ledger knows that. So now let's take a look at the security model. Basically, you can see the two components here. All peripherals are attached to the STM32. The ST31 doesn't have enough pins for them. It only has one pin connection, so everything that is done goes through the STM32. It is like a proxy: the hardware driver for the buttons and so on, feeding the ST31. If I now use the computer to run a transaction, I create it on the computer, send it through USB to the STM32, and it sends it to the ST31. The ST31 says, show me. So it asks the STM32 to show this question, and it gets the answer from the STM32. And then it signs it. And then this transaction goes back through the STM32 to the USB port.
And then to the computer. So if you compromise this STM32 chip, then you can send the transaction yourself. Or you can show something else on the screen than what is actually being signed. And as we said, the manufacturer knows that, and they have a few ideas about what they want to do. Hardware access sometimes has problems, but we wanted to find a software bug. So we looked at how the firmware upgrade works in this system. The bootloader was, at the beginning, wide open. They had no verification of the firmware. You could load it from anywhere, and then it would run. And then Saleem published a blog post, and they changed it. And now we've looked around to see if you can find some bugs in the bootloader, if you can attack it. So if you try to upgrade, there are four commands that are accepted. You can say where it should go. Then there is a load command with which you can load data. The flash command actually writes it. And the boot command checks the integrity and then restarts. So the boot command verifies the image cryptographically, and if that is successful, then they write a constant to the address 0x08003000. And this constant is 0xF00DBABE. That means you don't have to check the flash every time you boot; you just do it once. When it boots, it waits five milliseconds, then waits for the button. If the button is pressed it goes to the bootloader; otherwise it reads the constant, checks it, and if the constant is at that address, then it boots the firmware. So we chose the target address, we wrote the value, we sent the write command, we restarted it again, but it didn't work. So they've said, if you try to write there, then this area is simply not served. That's where the bootloader lives. If you try to write to this special address, then they have a special check to make sure that nothing happens.
But the STM32 has an interesting memory map. And you can see here that this memory area appears at two places. The bootloader has excluded certain memory areas, but it didn't make a whitelist that only allowed writing at certain places. So that means we now write to the other address. We say, please select all the way to the beginning, then the next command, please write this data, then we flash, and at once we can write custom firmware. So what do we do when we have a device where the display is not large enough to run much on it? So we have now turned it on, we have brought it into bootloader mode, and now we can run it here. How do you protect yourself against this? The manufacturer, Ledger, knows that this is possible. This is a simplified view, and we didn't take everything apart. When the chip starts, it sends all its firmware to the ST31, which measures both the time and the checksum, and they measure the time so that no compression algorithm can run. So we boot a compromised firmware, we copy the chip's firmware into RAM, then we jump into RAM, we take out the compromised firmware and send the original firmware. And then the boot is right. It took a while. You can't do these complicated things, because you don't have enough memory. So we looked for duplicated, double code and merged it. And our decompressor needs 10 assembly instructions. So we ran the script, with which we saved about 300, 258 bytes to be exact. So we only have an hour. We could tell a lot of details about this packer. So we showed what you can do when the firmware is being verified. We also published a video on YouTube, where you can see how to get around it. We didn't release it fully, because we didn't want to support it, but we published the Snake firmware. So if you bought Bitcoin at 20,000 and now you're a gambler, then you can play Snake. So we wrote an analyzer which analyzed the communication between these two chips.
And if you want to break into the ST31, then you can try it out. Ledger also has a second device, the Ledger Blue, which probably includes Bluetooth. But they never switched it on. It's actually a standard Ledger with a color display. We call this part fantastic signals and how to find them, when you open it. The first thing we found in there is the secure element. This module, this trace is very long, and has a very fast signal. So what is a long conductor with a fast, changing signal? That's an antenna. I got a software-defined radio, so you can look at your favorite signals. I got a telescopic antenna, and I took the Ledger Blue. In blue is the radio spectrum, at 160 MHz. And when you enter the PIN, you can see a slight signal. On the radio you can see that. But unfortunately the signal is very weak. But the antenna is included. They call it a USB cable, but if you connect the USB cable, then it's a very nice signal. I just got two meters away, but it probably goes further. I just did it in my living room. Now we have to find out what kind of signal this is. We look at the amplitudes. There are peaks, 11 peaks, a pause, and then a few more. This is probably a protocol which sends 11 bytes of data, then a pause, and then sends again. We have now checked all the connection points, and we found that it corresponds to what is sent to the display. The blue is the number 0, and orange is the number 7. And that confirms what we found. Writing the code is pretty boring, and we just wanted to add a few new buzzwords to our talk. So let's say we hack the blockchain, the Internet of Things, with artificial intelligence in the cloud. Our thought was that we simply record a few training signals, filter them, then train an artificial intelligence with them. But it's annoying to get this training data. I don't want to tap numbers for 10 hours. So we took an Arduino, and we took the Huawei pen, and we let it run for 2 hours.
Every time you press it down, you can see that the symbol is black on the screen. And probably those are the X and Y coordinates where you make the button black. And you can see that. We now made a training set and a test set, pre-processed it, and put it into TensorFlow, a model for artificial intelligence. And then we put the test set in, we checked it, and this is our accuracy. The gray is the signal. It says here how sure I am that it is the number 7. Very good. We have one result that's bad. In total we get about 90% accuracy. And to put it in the cloud, we hosted it on Google. And that's under the name Ledger AI. You can play around with it. And that brings us to the next part.

So now we're going to talk about silicon. We're going to talk about the Trezor One. We want to talk quickly about the architecture, and what previous work has been done on it. The Trezor One is a simple embedded system, and it has an OLED display, buttons, and a USB connector, which are all external. Internally it has the brain, if you like, an F205 microcontroller, which controls the other functions and the buttons. Last year we gave a talk at DEF CON on breaking Bitcoin hardware wallets. Here we are mainly interested in the glitching attacks. The conclusion of last year was that it was inconclusive whether we could exploit it with fault injection. But the board is in principle a clone, and we designed this board, and the schematics are all online. This is the ChipWhisperer setup that we use. We designed this board specifically to work with it. This is what it looks like when you use the ChipWhisperer GUI. Here we did application-level code, and then I met Dmitry and Thomas. Luckily, we had Josh to do the talk last year. He was a bit upset with the company's vulnerabilities. We can start with the microcontroller, in this case the STM32, and it controls everything. This means compromising it compromises the whole system.
There are some papers that cover these vulnerabilities, and there is the possibility to downgrade security. This is to check the value in the interface, and then correct it. They protected against this type of attack. There is another publication that is not yet published. It will be released in January. It describes how to attack the STM32F1 and STM32F3, and here is the product matrix. Three pieces are already broken, and the Trezor Model T has the F4. Let's see how it works. STM stores an option byte, and it is stored on a Cortex-M3 or M4 microcontroller, but it is still stored in flash. It is the same flash that is also used otherwise. If you get a new one, the chip is in a state where it allows full access. The ultimate security is RDP2, where you have no access at all. If you have something other than AA or CC, then you have RDP1 mode, and you can't access flash. You can't access flash, but you can switch on single-step mode. And you can read RAM. The question is, how do we get from RDP2 to RDP1? We want to get the device into the RDP1 state where we can attack it. That is the right way to approach it. We are in the third phase. We did this for three months. We tried out different things, and at some point we found something. But here we explain it in the simple way that it worked for the first time. You can see that it is relatively slow, but it is only at the beginning, only the first time, that it is so slow. You can see that the power is switched on and the I/O pin is on. And here you can see the delay. We switched off one pin, and now we have the time frame. How long does it take? That is not so interesting, because it is not really a trigger. Internally it has a boot ROM, and that is not flash. That is really a ROM in the chip. That is fixed in there, it cannot be changed, and it is executed first. We want to attack that, because the rest is user space, and we did that last year.
So for the first 1.4 milliseconds, nothing happens at all. You can forget these first 1.4 milliseconds, and now you can connect a shunt resistor and see how much current it draws. The blue signal is the current consumption. So the first thing that happens is that the boot ROM is executed. And then here you have the reset and the option bytes, where they are read, at least within the boot ROM. And at the third point in time the application is executed. Now we have these 1.8 milliseconds, which is pretty long, and we have reduced it to 200 microseconds. And not only that, we also know that we are interested in the higher power consumption. And that is somewhere around 170 microseconds. That is the time when we have to glitch, and that is also a fixed parameter, so you can reproduce it at home. What do we need? The biggest thing that came out in the last months is the Chinese power supply. You have a controllable power source. That is what we use. The second thing we have here, to control the timing, is an FPGA. I use FPGAs for everything. With an FPGA it was the easiest thing to do because you have constant timing. Then we have a multiplexer, and this multiplexer switches between two voltages, between ground and two completely separate voltages, to control the microcontroller. And finally there is a debugger, the J-Link, which I can highly recommend, to do JTAG. It is just a JTAG debugger, and what happens is you let it run for a while and it looks like this. It is not really very suitable. But you can see that the voltage, the yellow signal, breaks down at different points in time. And we have a Python script that shows if we have JTAG access. Now you tell us, Thomas, how do we get the seed into the RAM? We let it run for about three months in Germany, Russia and Germany. It took us three months and at first we didn't believe it because we really tried everything.
The only reason we got it running was that we made a mistake: we swapped 17 microseconds with 170 microseconds. And that's how we found that the RAM is very slow when booting on this JTAG. And as soon as we had it from RDP2 to RDP1, we could read the RAM out, but we couldn't read the flash where the seed is actually stored. But how do we find it now? Our idea was to look at the upgrade procedure. The bootloader works so that you don't need a PIN to update the firmware. That makes sense, because if you have a bug, you have to get rid of it. On the other hand, if you have a valid firmware to flash, then it keeps the seed. And if you don't have an original firmware, then it will delete the seed. And they do that really well. The firmware verification they do really well. We didn't find anything there. So how does this upgrade work? How is the seed saved? When you look at the code, you can see that there is a call to backup_metadata. And that's where the data is saved. And that's actually just a memcpy from flash into RAM. So that was our step by step. We go to the bootloader. We start the firmware upgrade and we hold it until the RAM is deleted. Because after the upgrade its storage is deleted. But we found out that it stays in RAM. When the firmware updates, it asks you to check the checksum. And at this point the seed is still in RAM. And we can read it via our RDP2. It's easy as long as you have it. As soon as you have glitched it, you just open the debugger and dump the image. Then you get an SRAM dump and you have the complete RAM content. What do we do, Thomas? What kind of high-tech hacking tool do we use to get the seed out? Before we were successful, we had hours of work. How do we get the seed? And then we had this very sophisticated tool, and it only works on POSIX and POSIX-like systems, and it's called strings.
And it turned out that when you have a firmware dump, or a RAM dump like ours, and you run strings on the dump, then you get some nice words. And when you remember the intro, that's what you see. It probably asks you what the 1-2-3-4 is. That's the PIN for your device. That was a good day. Josh or one of Josh's employees took the whole chaos on our desk and packed it into this little device. It's basically a socket where you put a chip in and then we can get the seed out. All that, including the board design, the FPGA code, the Verilog source code. If you want, you could do that with your open source FPGA boards. That's just what we had, and we could work with it. You could just take it and do it yourself. We think that we could do it with an Arduino, because the glitch is just 16 microseconds, 6 microseconds in time. That's easy to do. It's repeatable with cheaper things than this. But this is just a kind of automation without any cables and without soldering. All that we put on GitHub. And one more thing before we stop. That's pretty much a lot of the Trezor security. If you use a passphrase on your device, then it doesn't work. So if you have a passphrase on your Trezor, a good passphrase, and your machine isn't infiltrated yet, then it works. But a lot of people don't use it. It hurts us. We really didn't want to do anything bad. But that's all we're going to put online. Then you can follow us on Twitter, on wallet.fail. It's actually a domain. You can go to GitHub. You can follow us on Twitter, and we're going to publish it all on GitHub. We didn't expect 100% success in what we wanted to do. And we did it. And it's the first time that we did it. We also have other wallets. But we only have an hour. We also have a few things. We also have a thousand of these PCBs with us. We even have components for about 100 devices. We can do it. Thank you very much.

Thank you for this amazing talk.
I feel really inspired to break things apart in a very creative way. We have some time left for questions. If you have questions, please line up at the microphones. But first we're going to start with a question from the Internet.

Thank you. I have about two questions. How hard did you laugh that the Android-based wallet is unhackable? The second question: have you ever tried to hack bigger devices?

So let's start with Bitfi. So we're talking about some more secure money, and we didn't want to use a Kinesis phone. We laughed a lot, we ordered a few, but... yeah, that was already reported extensively. Cybergibbons on Twitter gave a talk about a hardware diorama, and he did research together with a few other people. If you're interested, take a look at that. The second question is about ARM controllers. All of the controllers were ARM. All of them we looked at were ARM architecture. If you're interested, take a look at the Nintendo glitching. It's also very interesting and there's a lot of inspiration in this regard.

Microphone 4, please.

Hello. Thank you for fixing the issues. If anyone is interested in hacking hardware wallets, we're very interested in working with the community. We have a full disclosure program. You have problems with the supply chain. Let me say, Trezor is open source hardware and you can build your own from open source components. If you're paranoid, you shouldn't prepare for these attacks. Is there a solution to build your own wallet or to inspect it?

First of all, thank you very much. What we should have done when we looked at the code. The reason why we wanted to glitch for three months was that we couldn't hack the company differently. That was really good work. Of course, the company is really interested in what you can look at. We're doing all the advice work here. What I can recommend to people who are interested in preventing something like this: it's an outstanding project to look at.
You should really recommend Trezor for this. At the end of the day, it doesn't mean that the chip is safe against these attacks. That's why we looked at the chip level, on a silicon scale, on a wallet like the Trezor. On the supply chain side, it's really difficult because the government has the problem. Like with the Ledger Nano, you can make cryptographic stickers. It didn't work. You can look at it with X-rays, but that's really an open problem in hardware security.

I have a... Please make it short, because we're actually just taking questions. One sentence, please.

There are some MCUs that have JTAG connectors for hardware security. They could be used to mitigate attacks.

I agree, but they're not Cortex-M microprocessors with 100% security. It has so much to do with the microcontroller that's used in these devices. They're built to this specification from ARM, what ARM thinks is a good set of features. Everything Cortex-M has weak spots, which are more or less like the silicon weak spots that we found. It's just a matter of the time that you have. Luckily, we had three months to make this glitch. But if you have so much time, then you can probably find it in other Cortex-M products.

And one more question from the microphone, please.

So, actually, from your work, did you analyze some of these devices? Did you find any way that the firmware was obfuscated?

So, on the firmware, you can't really close the firmware, but we didn't have to look at it, because the ST31 didn't have any obfuscation that we saw. Of course, we also loaded the source code into IDA Pro.

The next person on microphone 4.

Hello. Have you ever looked into the entropy generation of the master seeds with both of these devices? And what do you think about it?

We had already covered how the Trezor works. There is only one chip, and that is the STM32. We know that there is a well-known problem, when the random number generator didn't really initialize, but that's fixed.
But that wasn't a problem for our attack. If you care about how strong the randomness is, then you can use BIP32 to generate keys outside of this hardware and use them outside of it.

If you have a question, come to the microphone. One more question from the Internet.

Thank you. Have you seen the Dinosauria Hip Hop Zero wallet?

No, we haven't. If you're interested in it, please do it. The Dinosauria Hip Hop Zero wallet was a Trezor clone. We looked at that last year for the Breaking Bitcoin Wallets talk. We used a lot of the instructions to make the Breaking Bitcoin Wallets talk. But if you take a look at which wallets are actually being used, the Ledger is very popular, the Trezor is very popular. But since the Trezor is open source, there are a lot of clones and forks. But not all of them use the latest security patches that are applied to the Trezor code base. That's something you can do: check which projects are really up to date and secure.

This question is now the last one for today. Please come closer to the microphone.

This is the first congress for many of us, and many of us don't have much experience in hardware hacking.

Yes, a lot even. Buy an Arduino. Learn what you're doing wrong. Learn how hardware works. Watch a lot of online videos. I mean, you gave me lectures. I gave lectures. Watch lectures. Watch LiveOverflow. That's a great YouTube channel about this topic. And don't hesitate if you have questions. Then get in touch with us, at info@wallet.fail or on Twitter, wherever you are. We are always happy. It can take a while, but we like to do it. There is a lot of free material on how electronics works. It's not only about security, but I also started with an Arduino too.

Thank you very much for the questions. Thank you for the talk. Thank you for listening. That was the translation of OS 10.000.