Paper at CCS Workshop on Decentralized Finance and security (DeFi) accepted
We are happy to announce that our paper "Better Keep Cash in Your Boots – Hardware Wallets Are the New Single Point of Failure" by Adrian Dabrowski (University of California, Irvine), Katharina Pfeffer (SBA Research), Markus Reichel (Vienna University of Technology), Alexandra Mai (SBA Research), Edgar R. Weippl (University of Vienna), and Michael Franz (University of California, Irvine) has been accepted at the CCS Workshop on Decentralized Finance and security (DeFi). The conference will take place November 15th to 19th, 2021.
A preprint will follow.
Hardware wallets are currently considered the most secure way to manage cryptocurrency keys and sign transactions. However, previous publications show that such tokens can be replaced or manipulated in a number of hard-to-detect ways before or after delivery to the user, and that the implemented (remote) attestation and authenticity checks fail to serve their purpose for multiple reasons.
We analyzed the architecture of current products by examining their initialization procedure and attestation methods. Unlike previous publications, we found that tightened attestation and communications encryption will not solve the fundamental architectural flaws sustainably. We conclude that the architecture of current-generation cryptocurrency hardware wallets missed the opportunity for a resilient design by copying the PC’s wallet architecture and thus merely shifting the single point of trust from the PC to the hardware wallet.
We advocate a mutually verified architecture through changes to BIP32/BIP44 wallet architectures to incorporate collaborative signatures and key generation. This way, neither a compromised wallet nor a compromised PC can meaningfully manipulate keys or transactions.