by Thomas Hartman and Dawn Parker
In 2013 Edward Snowden revealed that for decades, the NSA has been breaking security so that they could have your passwords. The NSA did the hard part of systematically undermining security by infiltrating the math and cryptography committees responsible for keeping the Internet safe. Identity thieves now have only to pick the low-hanging fruit of ubiquitous cheap exploits and they have your passwords, too.
Security is fractally broken at every level: by hurry, by lazy design, by state-funded black hats at the NSA.
At the hardware level, the motto is: physical access equals root. Unless you keep your everyday computing device in a tamper-evident container when you’re not watching it, the assumption should be: it’s hacked, whether you know it or not.
Everyday computing devices are not tamper-resistant, and present large attack surfaces. The hardware is not tamper-resistant physically, to evil maid attacks. The software is not tamper-resistant to viruses. Thanks in part to meddling by the NSA, these days you don’t need to download and run a program to get a virus. You can get a virus by visiting the wrong web page. Antivirus is the cure that is worse than the disease.
It’s true for Windows, true also for Mac and Ubuntu and your tablet, true for the embedded devices in your car and pacemaker, and coming soon to a toaster near you.
It’s a painful lesson, one that we are understandably reluctant to learn. In the real world, nobody has the discipline to keep their fancy new Macbook in one of these. Therefore, no one is safe.
We may be beating a dead horse here, but your laptop/iPad/iPhone is just not a safe place to sign bitcoin transactions. It is not a safe place to sign GPG messages either, or authenticate against an SSH agent, if GPG or SSH protect valuable assets.
It is also not secure to enter bank or credit card passwords on your personal devices, but you can bury your head in the sand and hope that banks and insurance will cover the bill when identity thieves get your loot. Sometimes they do, sometimes they don’t.
Learned helplessness, tempered only by low-level paranoia, infests every interaction of our electronically mediated lives. It’s 2015, and everything is bugged.
Well, almost everything.
In 2014, a bitcoin hardware wallet came on the market called Trezor. Most bitcoin hardware wallets in use today are what I call Trezor-likes. Trezor was first, and Trezor embraced an open-source model for both hardware and software, encouraging copycats. The copycats came, and in their turn by and large also open-sourced their work, so that the bitcoin security community could audit and endorse their competing products. Now we have Trezor itself; Ledger Nano and friends; Keepkey; the el cheapo, rather shady Trezor knockoff bwallet from china; and others hopefully coming soon. It is beneficial to have as many Trezor-likes as possible on the market in order to create an ecosysytemic response to a formidable threat, because ecosystems are much more robust than any singular defense.
The Trezor-likes are signing devices. They sign bitcoin transactions, and are designed never to leak private signing keys. In a world where 7-10% of all bitcoin ever mined was lost or stolen, this is no trivial feat. With a Trezor, an attacker can trick you into signing a transaction to a wrong address. But the attacker can’t steal all your bitcoin, not even if he swipes the device, without an easy-to-memorize but hard-to-steal pin code. With the original Trezor, the pin code is entered scrambled so even if the laptop is bugged, you’re safe to sign transactions without giving away the pin.
We are also beginning to see Trezor being used to produce signatures for general authentication purposes, such as website signins or managing SSH private keys.
Trezor-like devices are the right solution to the problem of today’s broken authentication. For high-value assets, and this includes bank and credit card sign-ins, we should really be authenticating with signatures from secure devices that we control, not passwords. If the financial sector embraced Trezor-likes for sign-in, identity fraud would evaporate overnight.
The Trezor is tamper-resistant, and presents a small attack surface. It wouldn’t hurt to keep one’s Trezor in a safe, or a tamper-proof evidence baggie; but because it is tamper-resistant, you don’t really need to.
Trezor-likes are not only a good place to keep bitcoin, but any kind of authentication key. Trezor already works as an SSH agent, and perhaps we will soon see support for GPG as well.
Trezor could be bugged. I don’t know for sure. But the small attack surface, open code and hardware specs, and lots of suspicious eyes ensure that if it is bugged, there’s a good chance of discovering the problem; once discovered, it’s tractable to get it fixed.
Trezor was the first bitcoin hardware wallet, but it wasn’t thef first secure signing element. We have Ubikey, we’ve had various stabs at GPG signing on a stick. But mostly these solutions were built on non-open-spec hardware, and in any case, they didn’t sell very well.
Most importantly, Trezor teaches the right lesson. To use a Trezor to authenticate is to realize that passwords are a broken solution to the wrong problem. It’s the opposite of the cynicism and learned helplesness that is entrenched even among security professionals today.
Trezor-like is a product category in its infancy, but you can already tell there is traction. Because bitcoin is easy to steal, and once it’s gone, it’s gone, bitcoin users really need this. Today bitcoin, tomorrow… hopefully everything.
Trezor has sold a few thousand units. At $100, it’s a bit pricey, though it may be worth it to spring for the original, for the built-in display alone. Sales data are not readily available for the significantly cheaper Ledger Nano and friends, but due to its widespread integration into third-party apps, it seems that that Nano may be leading in units sold among the Trezor-likes. I would be surprised, however, if Nano has broken ten thousand units sold. It’s early days yet. If bitcoin stays on its success path, by 2017, they will be giving these things away for free in cereal boxes.
If you have bitcoin, consider buying a Trezor(-like). Forget bitcoin; if you use SSH, buy a Trezor and start storing your keys somewhere attackers truly can’t get at them.
No more helpless cowering before the NSA. Let’s fix the problem. A Trezor, or Trezor-like in your arsenal can be not ony a powerful defense against identity theft, it is a veritable modern-day strike for personal liberty.