Side-channel attacks are how most hardware wallets get hacked. Someone with enough time, resources and skill to scrutinize the device’s circuit board is able to steal the private keys. Currently, Secure Elements and Passphrase features are the most talked about as effective defenses against side-channel attacks. However, because physical attacks are dependent on physical access to the device, the most straightforward way to deal with side-channel attacks may be a self-destruct mechanism. In this article we will introduce the Cobo Vault’s self-destruct mechanism, which is built into the screen.
What is a Side-Channel Attack?
If you have read our article explaining how the Secure Element keeps sensitive information from being exploited by side-channel attacks, feel free to skip ahead. For those who don’t know, side-channel attacks use access to the device’s circuit board to analyze device behaviors such as power consumption, timing of operations, and electromagnetic radiation. Whenever a device processes sensitive information, traces of the sensitive information are left in these physical activities, which can be used to piece together private keys. Kraken Security Labs recently demonstrated that a Trezor can be hacked with just 15 minutes of physical access, although their attack model does not account for Passphrase and Trezor does not have a Secure Element.
Self-Destruct Mechanisms in Traditional Banking
Around the world today, newly upgraded ATM machines are becoming resistant to physical attacks by incorporating a mechanism to destroy the cash they store the moment they detect an attempt to dismantle them. This defense sometimes triggers an ink capsule to explode and taint the cash or a shredding component to rip the fiat up. This is because if thieves are able to make off with an ATM machine, they can open it with the right tools. Many POS machines used to swipe credit cards are also incorporating a self-destruct mechanism.
Like these machines, a hardware wallet is significantly more vulnerable when it’s in the attacker’s hands. A self-destruct mechanism is the most straightforward way to prevent theft in both cases because governments can just reprint their money, while you can just start over from your recovery phrase if you have stored it in a secure location. Sort of like how the doomsday machine in Dr. Strangelove is the ultimate deterrent, only that your recovery seeds are your fallout shelters.
How it Works
The Cobo Vault’s lack of Bluetooth, WiFi, USB, and NFC communication capabilities means that the only way information can get in and out is through QR codes, which are auditable, or the circuit board inside. Because going through the device body would require cutting tools that are likely to damage the circuit board in the process as well as visibly deface the product, a physical attack is most likely to proceed by removing the screen. This is also the case because there are no ports on the device aside from the TF card slot. Consequently, access to the circuit board would likely be accomplished by using a heat gun to melt the glue that holds the screen in place.
The Cobo Vault’s self-destruct mechanism has two components that touch each other. One is attached to the screen and conducts electricity to the other, which is on the circuit board. If the two come out of contact, the component on the circuit board will detect that the screen has been removed and immediately erase all sensitive information. The device will be bricked after self-destruct is activated, so be aware of that if you’re someone who likes taking apart and toying around with devices.
Anti-tamper components on the screen (left) and circuit board (right).
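The contact-break behaviour described above, modelled in C as an added example; it is not Cobo Vault firmware, which this article does not show. The `wallet` struct, the function names and the sample seed are all hypothetical, and the contact reading is passed in as a boolean rather than read from hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SEED_LEN 32

/* Hypothetical device model; field and function names are illustrative. */
struct wallet {
    uint8_t seed[SEED_LEN];  /* sensitive material held on the board */
    bool tamper_latched;     /* set once on tamper, never cleared */
};

/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Feed each reading of the screen-to-board contact (true = still touching). */
void tamper_poll(struct wallet *w, bool contact_closed) {
    if (contact_closed || w->tamper_latched) return;
    secure_wipe(w->seed, SEED_LEN);
    w->tamper_latched = true;  /* re-seating the screen must not undo this */
}

/* Fail closed: refuse to release the seed once the latch is set. */
bool wallet_get_seed(const struct wallet *w, uint8_t out[SEED_LEN]) {
    if (w->tamper_latched) return false;
    memcpy(out, w->seed, SEED_LEN);
    return true;
}

/* True when every seed byte is zero, i.e. the wipe completed. */
bool seed_is_wiped(const struct wallet *w) {
    uint8_t acc = 0;
    for (size_t i = 0; i < SEED_LEN; i++) acc |= w->seed[i];
    return acc == 0;
}

int main(void) {
    struct wallet w = { .tamper_latched = false };
    uint8_t out[SEED_LEN];
    memset(w.seed, 0xA5, SEED_LEN);            /* constructed sample seed */
    tamper_poll(&w, true);                      /* screen in place */
    printf("before: readable=%d\n", wallet_get_seed(&w, out));
    tamper_poll(&w, false); tamper_poll(&w, true); /* lifted, then re-seated */
    printf("after: readable=%d wiped=%d\n", wallet_get_seed(&w, out), seed_is_wiped(&w));
    return 0;
}
```

The two properties worth checking in any such design are that the wipe cannot be optimized away and that restoring the contact afterwards does not bring the device back into service.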
Importance for Side-Channel and Supply Chain Attacks
While no security mechanism guarantees complete security, the Cobo Vault’s self-destruct mechanism significantly raises the cost of any potential physical attack. Traditionally, countermeasures for side-channel attacks have focused on how to reduce the leakage of information or obscure its relationship to sensitive information, which is how a Secure Element makes sure your private keys never leave it. By making it a challenge to even try to start probing the Secure Element, the self-destruct mechanism drives up the cost of side-channel attacks to the point of being a potent deterrent to even the most well-funded hackers.
The self-destruct mechanism also makes it harder for supply chain attacks to succeed, given that attackers would have to figure out how to open the device without visibly defacing the product on top of figuring out how to defeat Web Authentication. We will soon publish an article explaining how our mandatory Web Authentication process counters side-channel attacks.