Air-Gapped Hardware Wallets and FUD - 1

Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater? A discussion of the claims of the article “Does airgap make Bitcoin Hardware wallets more secure?” (Bakkum, Shift Crypto AG, 2021-10-27) (a provider of a fine Bitcoin non-airgapped hardware wallet: BitBox02).

précis:

• part 1 ☜ you are here
  • Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater?
• part 2
  • Did the successful and notorious Stuxnet attack succeed because of insufficient inspection of the data being exchanged?
  • Is converting an existing desktoip computer to a dedicated air-gapped device inherently flawed because it is “open to many attack vectors”?
• part 3
  • “The Myth Of The Unbeatable Airgap Security”: A takedown of a strawman?
  • Glossed Over: Perils of the USB Interface
• part 4
  • “Usability is a cornerstone of security” - especially for a HODL’r
  • Consolation Prize: “Still, Airgap can be useful”
• part 5
  • Summary: Useful reminder that threats to all hardware wallets exist; but no support at all for claim that air-gap provides “little-to-no” added security", and is full of unwarranted scary FUD besides…
  • Acknowledgements

Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater?

A discussion of “Does airgap make Bitcoin Hardware wallets more secure?” (Bakkum, 2021-10-27) happened on the SeedSigner Telegram channel. (SeedSigner is a DIY air-gapped hardware wallet that transfers PSBTs and signed transactions via QR code only, also, it has no persistent storage and is initialized on each use (after the first use, when you create your wallet) by reading your seedwords from a QR code.)

The article itself is reporting the author’s ¹ investigation into the “actual security benefits” of air-gapped devices when signing Bitcoin transactions. The author is associated with Shift Crypto AG, a fine company specializing in cryptosecurity and Bitcoin development and with a product, BitBox02, that just happens to be a hardware wallet that does not support air-gapped operation. Their blog has quite a few interesting articles in the cryptosecurity space, including several reporting discovered vulnerabilities in various hardware wallets, which lends authority to their argument.

The specific claim in the first paragraph (with emphasis added) is:

Our conclusion is that air-gapped communication offers little-to-no added hardware wallet security while degrading the user experience.

I have no quarrel with the last bit of that ² but “little-to-no added … security”? That seemed to me not simply hyperbole, but downright wrong (if not actually FUD). I have not problems whatsoever with the product BitBox02 (or Shift Crypto AG either): My sole concern is discovering whether the claim that air-gapped wallets offer “little-to-no added hardware wallet security” is true, or not.

So I was very interested to read the article and see the claims and understand his argument. And, … here’s my take on it …

Wait a sec - before proceeding - I’d like to point out there there are currently two different kinds of air-gapped hardware wallets:

1. That which uses a storage device to transfer data to and from the (internet connected) software wallet

2. That which uses an optical path to transfer data to and from the (internet connected) software wallet.

A Coinkite Coldcard is an example of the first kind, using a MicroSD card. The SeedSigner is an example of the second kind, using cameras at both end to display and capture QR codes. ³

OK, now on to the previously promised “my take on it”: part 2