BitBoxTep alpha program: what we have learned.
From December 2019 to January 2020 we selected a limited number of alpha testers to give us feedback on BitBoxTep. The participants were invited to perform various attempts to bypass the security mechanism of our first prototypes.
We have received valuable inputs on how to possibly iterate the design, what potential attacks to consider and where our community sees market potential. Despite offering a bounty for successful attacks, none of the alpha testers have managed to break in and reseal BitBoxTep with the fingerprint intact.
The digital database
During the alpha program we used a QR code directing to a weblink that contained an image of the temporary locked particle fingerprint: this way the users could verify that the fingerprint of the packaging they received matched with the reference image. The majority of the alpha users consider this QR code an unnecessary phishing danger. We agree with that, as an attacker can change or leave out single characters of the link in a way that is almost impossible to detect for the user. https://tep.shiftcypto.ch is an example where the “r” in “crypto” is missing, and considering all the unicode characters, it can be even worse. Just have a look at https://tep.shíftcrypto.ch, where the “i” is replaced with an “í” (U+00ED).
We were aware of phishing challenges prior to the alpha program. Using a QR code web link was the simplest way to give our alpha participants a feeling of how verification of the fingerprint could one day be implemented on a smartphone.
Until we develop a native mobile app the most straightforward and secure way to go is to send both the instructions and the reference image via email in the form of a shipping confirmation. We keep on evaluating alternative options to find the right balance between security and convenience when the users access the reference image and the instructions.
The hardware design
We assumed that very skilled participants would manage to get the plastic case with the attached particle pouch out of the vacuum bag without moving the particles. That’s what 30% of our alpha participants achieved. The hard part is to detach the pouch, open the case, put the pouch back on and reseal the system with a strong vacuum while reproducing the original fingerprint. We have not received any reports of testers claiming they achieved that up until now.
To increase the difficulty of a hardware hack, we plan to make the particle pouch more non-airtight in the next iteration and to add holes to the lower velcro side of the pouch.
Another design suggestion we received is to look into different color concepts. The proposal is to use a white plastic box to make it more difficult to manipulate with a hot wire cutter without the receiver noticing burnt areas or cosmetic repairs of the plastic box.
With regards to reusability, the participants were divided. The experimental resealable vacuum bags that we provided did not prove to be reliable enough. It’s more likely that users would reseal BitBoxTep with a professional vacuum machine and disposable high quality vacuum bags.
Freezing BitBoxTep to minus 196°C
Last but not least, we mythbusted some cryonic guesses of fellow Twitter and Telegram users. People asked if it wouldn’t be possible to freeze the particles to the pouch at very low temperatures by using liquid nitrogen or dry ice.
A first test with liquid nitrogen (-196°C) performed in Zurich together with an alpha tester has revealed that the particles could not be frozen to the pouch easily.
The pouch contains a dry lubricant that prevents the particles from sticking to the pouch material when the vacuum bag is cut open after verification of the fingerprint. Injecting humidity into the pouch might make it possible to freeze the particles to the pouch temporarily. But how would one get the humidity out again and restore the original properties of the dry lubricant without moving the particles?
What we did find out thanks to this liquid nitrogen test is that the velcro’s adhesive fails at those harsh minus temperatures. As a consequence we are now looking into a weldable velcro which does not involve any adhesive.
We thank the alpha testers for their feedback and development suggestions, and will keep you updated towards a beta stage on tep.shiftcrypto.ch.
Your Shift Team
