An introduction to BitBoxTep. Our new tamper-evident packaging.
Some of us at Shift have become obsessed with how to equip you with truly secure packaging for physical products. A design that raises the potential attack cost significantly. A process that makes tampering evident during shipping or storage.
Finding a satisfactory answer to this multi-layered and complex challenge is the motivator behind the development of BitBoxTep. We expect that many of you in the Bitcoin community care about this too. This isn’t just about hardware wallets. The lack of tamper-evident packaging is potentially a massive problem for many products.
Since the launch of BitBox01 our hardware wallets ship in a sealed vacuum bag. While this solution is a pragmatic moisture protection alternative to shrink wrap, it’s not a strong solution against supply chain attacks. We measure tamper evidence safety by complexity and cost of attack. To replicate our customized vacuum bag probably costs around $1000.
Others in our industry put their trust in holographic seals, which are meant to self-destruct when peeled off. Our trust in them is low for two reasons. One, we believe they can be released with hot steam or chemicals. Two, like our vacuum bags, they can be copied and replaced. Other solutions such as mechanical plastic or metal security straps might be difficult to open if well designed. However, they can also be replicated at cost.
Even sophisticated mechanical safety enclosures don’t pass the tamper-proofing required by some organisations. The most famous example is the Berlinger Special urine flasks used by the international doping association. They appear to have been hacked by the Russian secret service during the 2014 Olympic Games. You can read about it in this New York Times article or watch the documentary, Icarus, which includes the amazing story of tampering explained by Grigory Rodchenkov, the then head of the Russian anti-doping laboratory.
Inspired by the VPN service provider Mullvad and their glitter nail polish approach, we started bootstrapped experiments with temporarily locked particles in 2018. We borrowed our local butcher’s chamber vacuum machine to lock multiple spherical homeopathic sugar balls in a transparent pouch. The result was encouraging. The idea was born of a “temporary locked fingerprint” sealed in the pouch, which mixes immediately when the bag is opened and the vacuum is released. To prevent an attacker from mechanically keeping the fingerprint in place by pushing on the pouch with a foam-like aid, we attach the bag to the enclosure of a casing. This creates the physics dilemma that it’s hard to push and pull at the same time: to open the casing, you have to pull the pouch away.
To verify that the package hasn’t been tampered with, a QR code directs our customer to the reference image taken before shipping. For now you have to compare the images manually. Our goal is to develop an algorithm and secure database that enables customers to verify the “fingerprint” in an automated way. The smartphone scan-app will compare the received packaging with the fingerprint before shipping against a defined accuracy threshold, say 99%.
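To make the threshold comparison concrete, here is an added sketch; it is not Shift's algorithm, which the post describes as still to be developed. It assumes the bead centres have already been extracted from both photos as (x, y) points at the same scale and orientation, and the function names, tolerance and sample layouts are all constructed for illustration.

```python
import math
import random

def normalise(points):
    """Shift points so their centroid is the origin (cancels camera offset)."""
    cx = sum(x for x, _ in points) / len(points)
    cy = sum(y for _, y in points) / len(points)
    return [(x - cx, y - cy) for x, y in points]

def match_fraction(reference, received, tol=1.0):
    """Share of beads that pair one-to-one within `tol` of their reference spot."""
    if not reference or not received:
        return 0.0
    ref, rec = normalise(reference), normalise(received)
    # All candidate pairs, closest first; greedy one-to-one assignment.
    pairs = sorted((math.dist(p, q), i, j)
                   for i, p in enumerate(ref) for j, q in enumerate(rec))
    used_ref, used_rec = set(), set()
    for dist, i, j in pairs:
        if dist > tol:
            break
        if i not in used_ref and j not in used_rec:
            used_ref.add(i)
            used_rec.add(j)
    # Missing or extra beads count against the score.
    return len(used_ref) / max(len(ref), len(rec))

def verify(reference, received, threshold=0.99, tol=1.0):
    """True when the received layout matches the reference at the threshold."""
    return match_fraction(reference, received, tol) >= threshold

# Constructed sample data: 100 beads on a loose 10x10 grid (units arbitrary).
rng = random.Random(1)
REFERENCE = [(5 * i + rng.uniform(-1, 1), 5 * j + rng.uniform(-1, 1))
             for i in range(10) for j in range(10)]
# Same pouch photographed off-centre, with small detection noise.
INTACT = [(x + 3 + rng.uniform(-0.3, 0.3), y - 2 + rng.uniform(-0.3, 0.3))
          for x, y in REFERENCE]
# Vacuum released and re-sealed: beads settle in unrelated positions.
MIXED = [(rng.uniform(0, 45), rng.uniform(0, 45)) for _ in REFERENCE]

if __name__ == "__main__":
    print("intact:", match_fraction(REFERENCE, INTACT), verify(REFERENCE, INTACT))
    print("mixed: ", match_fraction(REFERENCE, MIXED), verify(REFERENCE, MIXED))
```

Centring both point sets cancels only a sideways shift between the two photos; rotation and scale differences would need to be corrected before this comparison.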
After dozens of both promising and failed material combination and design tests, we believe that we now have a solution we can build upon. We’re ready to transform our prototype version into a digital/physical mixed media solution suitable for production.
Before we commit to tooling, though, we’d like the chance to harness the collective intelligence of our community to see if we can improve upon the crucial hardware security of our solution. Our goal is to make it extremely difficult to hack.
If you feel up to the challenge to try to crack this nut or just love the idea of getting our fairly James Bond-esque reusable packaging solution in an early prototype stage then please apply here before December 2, 2019: tep.shiftcrypto.ch.
We’ll select a limited number of alpha testers for this phase, with a potentially extended program of follow-up design iterations at the beginning of 2020.
If you are selected as a BitBoxTep alpha tester, you’ll receive a reusable system and will be invited to perform multiple attempts to bypass the security mechanism. If you think you’ve found a way to hack open the hardware without detection then you’re invited to send us a video of your attack. To verify your claim, we will send a second package with a box of candies (or sweets if you’re English) as content. If you send back the probe with the empty candy box inside and the BitBoxTep packaging intact, we’ll honor your successful, responsible disclosure with a reward. The details will be announced to the alpha testers once selected.
We’re excited to hear from you and look forward to ‘breaking the mould’.
You can read more about the BitBoxTep at tep.shiftcrypto.ch.
Your Shift Team.