AsicVault hardware wallet security and teardown

Doshay Zero404Cool
15 min read · Jan 15, 2020


Trezor T vs AsicVault hardware wallet

I was about to begin writing the teardown and security review of Trezor Model T, to validate their passphrase cracking cost claims, when I received an offer from AsicVault to review their new device as well. So today, I am going to do the teardown of two touchscreen hardware wallets side by side and this makes it much more interesting.

TL;DR

We must have proper metrics to compare the security of different hardware wallets. You really should demand SRAM PUF and at least one million rounds of PBKDF2-SHA-512, or a better algorithm, from any hardware wallet in the year 2020. Seven-year-old technology is not acceptable today. If you are looking for the passphrase cracking cost table, skip to the very last page.

INTRODUCTION

Let’s just take a quick look at Trezor and AsicVault devices before we open them up and address the security differences.

Plastic Trezor T and Aluminium AsicVault

Looking at the outside, the two devices are similar in size. I would say that the wider device is easier to hold in the hand, but that is just my personal preference.

Size comparison of Trezor T and AsicVault

The screen area, 760 mm² vs 960 mm², is quite similar, 25% bigger on the AsicVault device. AsicVault has Corning Gorilla Glass protection, while the Trezor T has just a bare LCD display without any extra glass cover.

AsicVault Gorilla Glass
Reflective colors on Gorilla Glass

The screen resolution, 240x240 vs 400x400, is significantly different. AsicVault has 2.7 times the pixel count and a higher PPI.

Color quality — there is simply no comparison in real life. And the contrast ratio of the AsicVault AMOLED display is just superb.

Trezor TFT LCD vs AsicVault AMOLED

And finally, AMOLED vs LCD viewing angles. As expected, the AMOLED screen looks good from all viewing angles without any noticeable color changes, while the Trezor LCD colors are only visible from a very narrow viewpoint.

Trezor vs AsicVault AMOLED
Trezor T loses all colors from a 45 degree angle
From negative 45 degrees the colors become washed out and grey on Trezor T

Now the more interesting part — what is inside?

TEARDOWN

Opening the Trezor T plastic case is straightforward — even easier than the previous Trezor One. Just cut it carefully with a sharp knife or razor blade using moderate force. I have done it a dozen times. After doing so, the edges are almost clean and you can easily glue it back together if needed.

Opening Trezor T plastic case

The same can’t be said about AsicVault. It is purposefully designed so that there is no way of opening it nicely. First of all, it is made from 6 mm thick aluminium and potted. The aluminium parts are pressed together with high friction force, the connecting surface is about 9 mm deep, and so opening it requires complete destruction of the enclosure.

And secondly, it contains an anti-tamper circuit. This circuit runs from supercapacitor power even when the device is not connected to your computer and actively monitors for tampering attempts. Thanks to very low power consumption it can last for several weeks or months before requiring a fast 15-minute recharge. According to the datasheet, the MSP430 chip’s idle current is just 350 nanoamperes, so yes, it can last a long time. Upon detecting malicious hacking of the device, it self-destructs within milliseconds by “bricking” the electronics inside and destroying your private keys to keep them safe. I will try to test that in my future reviews.

For this review I received an AsicVault device without potting and with the anti-tamper circuit disabled, so that I could show you what is inside and keep it running.

Trezor and AsicVault teardown
Trezor T and AsicVault teardown

Both have USB Type-C connectors. The Trezor’s ARM chip implements USB 2.0 at 480 Mbps. The AsicVault USB3380 chip provides USB 3.0 with a theoretical speed of 5 Gbps.

AsicVault has a rather interesting shape. It turns out that there is a reason for it: four of the outer plugs hold supercapacitors and two are used for mechanical buttons/switches.

The PCB inside the AsicVault device is even smaller than the Trezor T PCB, measuring only 39 mm on the longest side compared to Trezor’s 59 mm. While Trezor has about 100 components soldered on the top side of a 4-layer PCB and the bottom is empty, AsicVault has managed to fit 400 components onto a smaller 8-layer PCB using both the top and bottom sides. All main chips on the AsicVault device come in very fine-pitch BGA (ball-grid-array) packages, so no pins are visible — instead, all 300 pins are hidden under the main chip. The massive number of connections and the routing on this small PCB mean that cutting-edge PCB production technologies had to be used. According to the markings on the PCB, it was manufactured by AT&S using HD any-layer microvia technology. More information about the brilliant design that Chief Architect Hando Eilsen has accomplished can be found on his Medium page.

AsicVault enclosure and PCB
AsicVault has BGA packages with no pins visible/accessible
AsicVault hardware wallet PCB
AsicVault PCB top and bottom sides

I have desoldered the supercapacitors to see what is under the main PCB and to show you the other side as well. Notice that AsicVault has avoided routing signals on the top and bottom layers to make all the important connections invisible. I can imagine that many routes are entirely vertical, based solely on microvias stacked on top of each other. But now, let’s take a closer look at the Trezor T.

Trezor Model T teardown — PCB top and bottom
Trezor T PCB top and bottom sides

Trezor has a simplistic hardware design that centers around a single unsecure old chip — the STM32F427VI, released in 2011. Making hardware has never been their goal; their goal is open source software.

The choice of such an unsecure chip has bitten Trezor more than once. Remember when I called this chip “doomed” for hardware wallet purposes back in August 2017? I also told their CTO directly that a different hardware design would be far better, but he wasn’t interested.

After that, actual Flash memory protection flaws in the ST chip design were found 6 and 12 months later. Luckily, one of the flaws enabled Trezor to upgrade the bootloader code, which was supposed to reside in a locked-down read-only Flash area. But there was little hope that the unsecure chip would magically become secure after so many flaws. Did you know that all the key chips inside Ledger, Trezor and Keepkey are manufactured by ST? Perhaps this alone is a good reason to choose a hardware wallet that uses something different?

And then in 2019 Ledger Donjon discovered a flaw so serious that it was not even made public. After all, unsecure chip memory is protected only by a single anti-fuse, a single wire. Flash memory buffers are another easy-to-find spot. Ledger Donjon supposedly used a clever side-channel or EMFI attack, since they talk about a $100 device to hack it — most likely an FPGA-based signal processing board like ChipWhisperer. This lines up well with the Kraken Labs $75 attack on the same unsecure chip. After all, the STM32F4 is one of the default targets for ChipWhisperer.

Trezor Model T teardown — Chips on the PCB

Anyway, one can assume that extracting the Flash memory content from the unsecure chip is not rocket science.

So, why not encrypt the Flash memory, you ask? The problem is that there is no place to store the encryption keys — this is simply an unsecure chip! I fully appreciate all the effort that Trezor has put into developing the open source software for this chip, but there is only so much they can do without hardware support.

As a last resort they have used PIN-based encryption of the Flash memory. On their own GitHub site they say that this is not sufficient to slow down any serious hacking attempts: “For an attacker that would be able to read the flash storage and obtain the salt, the PBKDF2 with 20000 iterations and a 4- to 9-digit PIN would not pose an obstacle.” Indeed, the cost of brute-forcing a 9-digit PIN is 10 cents according to my calculations. The whole point of encrypting Flash memory should be that the content cannot be decrypted even when it can be extracted. So this kind of PIN-based encryption is quite useless.

Now, let’s examine AsicVault. You can check out the AsicVault GitHub here. What are all those chips on the AsicVault PCB? Here is the explanation:

AsicVault teardown — Chips on PCB top and bottom side
AsicVault PCB and chips by functionality

A closer look reveals tiny 0201 components and the grand complexity of the AsicVault PCB design. On the bottom side is the main secure chip, which contains two separate RISC-V processors, embedded SRAM, embedded Flash memory, SRAM-PUF based encryption key storage, a true random number generator and also anti-tamper features. Since the main chip gets somewhat hot, it is connected to the heatsink with thermal adhesive. The heatsink is actually the bottom aluminium part of the AsicVault enclosure, and by extension the whole enclosure. When the device is turned on, the heatsink temperature reaches approximately human body temperature, so it does not get anywhere near disturbingly warm.

While the Trezor’s unsecure chip does not provide any good place to store Flash encryption keys, the AsicVault secure chip has the perfect solution — an SRAM Physically Unclonable Function. When power is removed from the SRAM, the secret effectively disappears. There is no known technology to detect the start-up behavior of an SRAM without actually powering it up, since the start-up behavior is determined by virtually undetectable atomic-scale manufacturing differences in each SRAM transistor, such as the thickness of the gate dielectric, the number of atoms diffused into the channel region, and other random process-related factors. Since each unique device’s power-up state is independent and unpredictable, with no two devices ever being the same, the function is deemed unclonable, and is analogous in many ways to a biometric identifier such as a human fingerprint or iris pattern, which are also considered unclonable. Deriving a key from the SRAM properties this way has great security advantages compared to traditional key storage in non-volatile memory. Because the key is not permanently stored, it is not present when the device is not active (no key at rest), and hence cannot be found by an attacker who opens up the device and compromises the memory contents (source: Intrinsic ID). This is truly cutting-edge technology that Hando Eilsen has incorporated into the AsicVault device.

Between the main chip and the USB connector is the application DRAM. I can confirm that it is a 64 MByte chip.

AsicVault DRAM memory chip
AsicVault 64MByte application DRAM
AsicVault PCB very fine pitch BGA
Source: Facebook, AsicVault PCB

On the top side of the PCB we have the MSP430-based anti-tamper circuit with various sensors, USB3380-based USB 3.1 Gen1, USB muxes and a 128 MByte encrypted application Flash memory chip. Four redundant supercapacitors are connected to the sides of this PCB and one is soldered to the bottom side.

This is not the only PCB inside AsicVault device! In fact, AsicVault is using a stack of two PCBs connected by board-to-board connectors.

AsicVault mesh PCB

The second PCB implements a protective multi-layer mesh around the electronic circuit. And finally, after removing this mesh PCB we can see the back side of the display unit.

AsicVault AMOLED back side
Trezor T LCD TFT and AsicVault AMOLED back side

As you may remember, there have now been several side-channel attacks against hardware wallets that measure power consumption from the outside. In addition to traditional DPA countermeasures, AsicVault has implemented an extra layer of protection by running from supercapacitor power while performing various cryptographic operations. This means that the external power drawn by the main chip is zero during these crucial operations. I will take a closer look at this in the future.

To be extra safe, AsicVault has implemented a seed word display that uses different colors with exactly the same power draw.

Trezor T vs AsicVault seed words

As explained, AMOLED red, green and blue consume different amounts of power. By mixing them together there is a large number of colors that consume the same amount of power but look totally different. Not only the entire screen, but also each line and each pixel draws the same amount of power irrespective of the information displayed. Adding a random pattern to the entire screen completely eliminates any possibility of side-channel power analysis. Plus, the whole device initialization and wallet setup process can be done without a PC connection; any dumb power source is suitable.

Seed words

AsicVault has made bold performance and security claims, how does it stack up against Trezor in real life? Does it work?

PERFORMANCE

The Trezor T ARM CPU delivers 1.25 DMIPS/MHz (and runs at 180 MHz). This is a slight incremental frequency upgrade from the Trezor One. AsicVault features two CPUs, each providing 1.34 DMIPS/MHz, and uses dynamic clock frequency. The AsicVault hardware architecture is described by Hando Eilsen here.

All cryptographic work is offloaded to dedicated accelerators. I will take a closer look at SHA-512 in this review and examine the other accelerators in my next reviews.

Checking compatibility with Trezor, just for fun!

Does AsicVault really do 2,000,000 iterations of SHA-512 within seconds? Let’s find out! AsicVault has posted a video about their SHA-512 performance. I took the test code from the video description and modified it to display the results after every 100,000 and 10,000 rounds respectively. I compiled the PBKDF2 SHA-512 code for both devices and ran them side by side. AsicVault got over 2 million rounds done while Trezor was still at the startup screen, and I didn’t even have time to turn my photo light on. Here are the pictures; the results are printed in byte order, showing the first 16 bytes on screen:

AsicVault SHA-512, 100k to 2500k
AsicVault SHA-512 vs Trezor
AsicVault SHA-512 34.4M vs Trezor 100k
AsicVault SHA-512 69.7M vs Trezor 200k
AsicVault SHA-512 103.7M vs Trezor 300k
AsicVault SHA-512 136.3M vs Trezor 400k
AsicVault SHA-512 after 171.2 million iterations
AsicVault SHA-512 171.3M vs Trezor 500k

I can also confirm that the Trezor and AsicVault devices calculated identical SHA-512 values during the test. However, it took Trezor 17 minutes to complete two million rounds of SHA-512. By that time AsicVault had completed more than 690 million rounds.

Trezor SHA-512 takes 17 minutes
Trezor SHA-512 after 17 minutes
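Here is an added Python equivalent of that benchmark (my own example, not the code from the AsicVault video or either wallet’s firmware): a single-block PBKDF2-HMAC-SHA512 that reports the intermediate derived block every N rounds, as the device screens above do, plus a rounds-per-second measurement for the host it runs on. The sample inputs are constructed; the self-check against hashlib confirms the hand-rolled loop is correct.

```python
import hashlib
import hmac
import time
import unicodedata


def pbkdf2_sha512_block(password: bytes, salt: bytes, rounds: int,
                        on_progress=None, report_every: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA512, first 64-byte output block only (block index 1).

    Each round is one HMAC-SHA512, i.e. two SHA-512 compressions. The running
    XOR accumulator T is handed to on_progress every `report_every` rounds so
    intermediate states can be shown, as on the device screens.
    """
    prf = hmac.new(password, digestmod=hashlib.sha512)   # keyed HMAC, copied per round
    h = prf.copy()
    h.update(salt + (1).to_bytes(4, "big"))              # U1 = PRF(P, S || INT(1))
    u = h.digest()
    t = int.from_bytes(u, "big")                          # T = U1
    for r in range(2, rounds + 1):
        h = prf.copy()
        h.update(u)                                       # U_r = PRF(P, U_{r-1})
        u = h.digest()
        t ^= int.from_bytes(u, "big")                     # T ^= U_r
        if on_progress is not None and r % report_every == 0:
            on_progress(r, t.to_bytes(64, "big"))
    return t.to_bytes(64, "big")


def matches_hashlib(password: bytes, salt: bytes, rounds: int) -> bool:
    """Self-check of the loop above against the standard library's PBKDF2."""
    expected = hashlib.pbkdf2_hmac("sha512", password, salt, rounds, 64)
    return pbkdf2_sha512_block(password, salt, rounds) == expected


def bip39_seed(mnemonic: str, passphrase: str = "", rounds: int = 2048) -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase)).

    The 64-byte seed is exactly one PBKDF2 block. BIP-39 fixes `rounds` at 2048;
    the article's AsicVault figure is 2,000,000.
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return pbkdf2_sha512_block(pw, salt, rounds)


def rounds_per_second(sample_rounds: int = 20_000) -> float:
    """Rough PBKDF2-HMAC-SHA512 throughput of this host (Python overhead included)."""
    start = time.perf_counter()
    pbkdf2_sha512_block(b"benchmark", b"constructed-salt", sample_rounds)
    return sample_rounds / (time.perf_counter() - start)


def show_progress(rounds_done: int, t: bytes) -> None:
    # Mirror the device screens: round count and the first 16 bytes in byte order.
    print(f"{rounds_done:>9} rounds: {t[:16].hex()}")


if __name__ == "__main__":
    # Constructed mnemonic and passphrase; a real wallet uses its own.
    seed = bip39_seed("abandon abandon abandon abandon abandon abandon "
                      "abandon abandon abandon abandon abandon about", "TREZOR")
    print("BIP-39 seed (2048 rounds):", seed.hex())
    pbkdf2_sha512_block(b"password", b"constructed-salt", 50_000,
                        on_progress=show_progress, report_every=10_000)
    rps = rounds_per_second()
    print(f"~{rps:,.0f} rounds/s here; 2,000,000 rounds would take {2_000_000 / rps:.1f} s")
```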

SECURITY

This particular AsicVault Standard model device is approximately 344 times faster than the Trezor “gold standard”. I didn’t test the other models in the lineup. While the SHA-512 performance may not be 1000 times faster than Trezor, the number of SHA-512 rounds performed for key stretching is exactly 1000 times higher than in other BIP-39 wallets, and it takes just a few seconds to do it. Furthermore, the top-of-the-line AsicVault model is set to perform an even greater number — 3 million rounds — which makes it 1,500 times more expensive to crack compared to the Trezor T. I would like to see more advances like this in the hardware wallet space.

Even Ledger agrees that the current BIP-39 standard, written by Trezor so that their slow device could cope with it, is very out of date. The BIP-39 page’s Comments-Summary says: “Unanimously Discourage for implementation”. More than 4 years ago NIST already recommended a minimum of 10,000 rounds — 5 times more than Trezor is currently using. According to Moore’s law, in the year 2020 the minimum number of SHA-512 rounds should be above 100,000. That would mean several minutes of waiting time when performing any action on current Trezor devices.

A large number of people already have FPGA mining boards well suited to hardware wallet SHA-512 passphrase cracking. Using a commonly available database of 4 billion passwords, Trezor could be cracked within 6 minutes, while it would take 4 days for AsicVault, assuming that you can find a way to access its key storage. So, please, don’t use a passphrase that you have previously used anywhere online. Even combining it with a few extra characters doesn’t help at all: in that case Trezor could be cracked in 6 hours and AsicVault within 1 year using a single FPGA. To select an appropriate passphrase, please use the table at the end of this article.

There is always a trade-off between the length of a password and how easy it is to remember. Human memory requires refreshing just like DRAM chips — you must use the password frequently so that you don’t forget it. If you choose a complex password or PIN code and never use it, you will forget it. Look what happened to Mark Frauenfelder; read the epic WIRED article. Most likely, you too have forgotten one of your 4-digit bank card PIN codes. And it is even worse in the case of rarely used passphrases…

Therefore, it is the job of the hardware wallet to make it easier for you to remember the passwords and to protect you from losing your crypto assets by forgetting a complex password that no one can remember. It is also the job of the hardware wallet to make it as hard and time-consuming as possible to crack the key storage.

Now, extracting the flash memory content from Trezor can be done by using a $100 device in 5 minutes as described in this Ledger Donjon document.

Extracting the memory content from an AsicVault device is a totally different undertaking. These are the obstacles that we would have to overcome before we could even start hacking the code:

1) Active anti-tamper. It provides at least 1 month of protection for the device after charging. Since other hardware wallets don’t have this, it is infinitely more than they provide. We could try to circumvent the anti-tamper circuit, but this is highly risky, since we can’t damage the protective mesh nor trigger any sensors, and if something goes wrong the device is bricked within milliseconds. This leaves us with dead chips and erased private keys — nothing to hack. The safer option is to wait until the supercapacitors are discharged and proceed after that.

2) We can’t just take the chip and extract flash memory while it is powered down, since the flash content is encrypted using strong encryption and keys are protected by SRAM-PUF. Nanometer scale manufacturing differences are the source for the keys. Fantastic technology.

3) Since it is a secure chip, there is also a metal mesh layer protecting it. Ion-beam based attacks are much harder and must take this into account.

4) As soon as we power up the chip, we must make sure that all the other circuits are also functional since it would self-destruct otherwise. We can’t just hack a single chip, we have to hack the whole system.

Even if we somehow overcome all these obstacles, we have only arrived at the starting point. Unlike Ledger, it is not a dual-chip design where we could easily replace one of the unsecure chips. AsicVault is based on a single secure chip that handles all transactions, secure input and secure display.

COST TO CRACK

Trezor has posted a table claiming that it is very expensive to crack their passphrases. As they say, 620 million passphrase checks for $1 is the correct number when assuming 2160 MH/s on an Amazon V100 GPU at $3 per hour.

Calculation: 2160 MH/s × 3600 s / 4096 iterations / $3 per hour.

However, Amazon is known for its high on-demand prices. Reserved instance and spot instance prices are several times better. And a GPU is not even the best hardware readily available today for this kind of job. Check out the Virtex FPGA board by Bittware, the CVP-13. People are happily mining with these boards for less than $200 profit per month. It is therefore 10 times cheaper to rent this FPGA board compared to Amazon GPUs. And the rented hardware is again approximately 7–14 times more powerful than Amazon V100 GPUs, depending on the SHA-512 implementation efficiency!

Therefore, the calculations on Trezor blog are 100 times off! Cracking costs are 100 times exaggerated!

In case you want to stick with Amazon, the same Virtex UltraScale+ VU9P FPGA instances are available at $0.76 per hour when reserved.
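The cost model in this section, as an added Python example (mine, not Trezor’s or AsicVault’s): the guesses-per-dollar formula above, the FPGA price and speed factors, and a check that the 6-minute / 4-day dictionary figures from the Security section are consistent with each other. It assumes one PBKDF2 iteration costs two SHA-512 compressions (inner and outer HMAC), which is why a 2048-iteration BIP-39 guess is the 4096 operations the formula divides by; the alphabet size and lengths in the sample table are constructed, not the article’s.

```python
"""Passphrase cracking cost model for PBKDF2-HMAC-SHA512 wallets (added example)."""

SHA512_PER_ITERATION = 2          # HMAC-SHA512 = inner + outer compression (assumption)
BIP39_ITERATIONS = 2048           # Trezor / BIP-39
ASICVAULT_ITERATIONS = 2_000_000  # the article's AsicVault Standard figure
V100_HASH_RATE = 2160e6           # SHA-512/s on an Amazon V100, per the article
V100_USD_PER_HOUR = 3.0           # on-demand price used in the article


def sha512_per_guess(pbkdf2_iterations: int) -> int:
    return pbkdf2_iterations * SHA512_PER_ITERATION


def guesses_per_dollar(hash_rate: float, pbkdf2_iterations: int, usd_per_hour: float) -> float:
    """The article's formula: rate * 3600 s / hashes per guess / price per hour."""
    return hash_rate * 3600 / sha512_per_guess(pbkdf2_iterations) / usd_per_hour


def exhaust_cost_usd(keyspace: float, hash_rate: float,
                     pbkdf2_iterations: int, usd_per_hour: float) -> float:
    """Cost to try every candidate in a keyspace (expected cost is half of this)."""
    return keyspace / guesses_per_dollar(hash_rate, pbkdf2_iterations, usd_per_hour)


def fpga_cost_factor(price_advantage: float = 10, speed_advantage: float = 7) -> float:
    """Rented CVP-13 class FPGA vs on-demand V100: ~10x cheaper and 7-14x faster."""
    return price_advantage * speed_advantage


def implied_hash_rate(keyspace: float, pbkdf2_iterations: int, seconds: float) -> float:
    """Hash rate implied by exhausting `keyspace` guesses in `seconds`."""
    return keyspace * sha512_per_guess(pbkdf2_iterations) / seconds


def exhaust_seconds(keyspace: float, pbkdf2_iterations: int, hash_rate: float) -> float:
    return keyspace * sha512_per_guess(pbkdf2_iterations) / hash_rate


def cost_table(alphabet_size: int, lengths, hash_rate: float, usd_per_hour: float):
    """Rows of (length, Trezor cost, AsicVault cost) in USD for random passphrases."""
    rows = []
    for n in lengths:
        keyspace = alphabet_size ** n
        rows.append((n,
                     exhaust_cost_usd(keyspace, hash_rate, BIP39_ITERATIONS, usd_per_hour),
                     exhaust_cost_usd(keyspace, hash_rate, ASICVAULT_ITERATIONS, usd_per_hour)))
    return rows


if __name__ == "__main__":
    gpd = guesses_per_dollar(V100_HASH_RATE, BIP39_ITERATIONS, V100_USD_PER_HOUR)
    print(f"V100 guesses per dollar (BIP-39): {gpd:,.0f}")
    print(f"FPGA correction: {fpga_cost_factor(10, 7):.0f}x to {fpga_cost_factor(10, 14):.0f}x")
    # A 4-billion-entry leaked list exhausted in 6 minutes against Trezor implies this rate,
    # and the same list against 2,000,000 iterations then takes about 4 days.
    rate = implied_hash_rate(4e9, BIP39_ITERATIONS, 6 * 60)
    days = exhaust_seconds(4e9, ASICVAULT_ITERATIONS, rate) / 86400
    print(f"implied FPGA rate: {rate / 1e9:.1f} GH/s; same list vs AsicVault: {days:.1f} days")
    # Constructed alphabet (62 = a-z, A-Z, 0-9) and lengths for a sample table.
    for n, trezor, asic in cost_table(62, range(8, 13), V100_HASH_RATE, V100_USD_PER_HOUR):
        print(f"len {n:2d}: Trezor ${trezor:,.0f}  AsicVault ${asic:,.0f}")
```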

Here is the correct hardware wallet passphrase cracking cost table, with highlighted lines for the minimum safe length for Trezor and AsicVault:

AsicVault vs Trezor cost to crack passphrase
This table applies to passwords only used offline. In case your password contains any parts that you have ever used online, you must subtract these

The passphrase is Trezor’s last line of defense, and not a particularly good one. On this metric alone AsicVault provides a thousand times better resistance to passphrase cracking.

If you want old hardware with minimal incremental updates, get Trezor T. It reminds me of a good old Nokia phone. AsicVault devices are sold out at the moment but if you really want this inconceivably better and truly innovative device made by Hando Eilsen, reserve your spot in the queue now!
