David Bakin’s programming blog.


Air-Gapped Hardware Wallets and FUD - 1

Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater? A discussion of the claims of the article “Does airgap make Bitcoin Hardware wallets more secure?" (Bakkum, Shift Crypto AG, 2021-10-27) (a provider of a fine Bitcoin non-airgapped hardware wallet: BitBox02).

précis:

Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater?

A discussion of “Does airgap make Bitcoin Hardware wallets more secure?" (Bakkum, 2021-10-27) happened on the SeedSigner Telegram channel. (SeedSigner is a DIY air-gapped hardware wallet that transfers PSBTs and signed transactions via QR code only, also, it has no persistent storage and is initialized on each use (after the first use, when you create your wallet) by reading your seedwords from a QR code.)

The article itself is reporting the author’s 1 investigation into the “actual security benefits” of air-gapped devices when signing Bitcoin transactions. The author is associated with Shift Crypto AG, a fine company specializing in cryptosecurity and Bitcoin development and with a product, BitBox02, that just happens to be a hardware wallet that does not support air-gapped operation. Their blog has quite a few interesting articles in the cryptosecurity space, including several reporting discovered vulnerabilities in various hardware wallets, which lends authority to their argument.

The specific claim in the first paragraph (with emphasis added) is:

Our conclusion is that air-gapped communication offers little-to-no added hardware wallet security while degrading the user experience.

I have no quarrel with the last bit of that 2 but “little-to-no added … security”? That seemed to me not simply hyperbole, but downright wrong (if not actually FUD). I have not problems whatsoever with the product BitBox02 (or Shift Crypto AG either): My sole concern is discovering whether the claim that air-gapped wallets offer “little-to-no added hardware wallet security” is true, or not.

So I was very interested to read the article and see the claims and understand his argument. And, … here’s my take on it …

Wait a sec - before proceeding - I’d like to point out there there are currently two different kinds of air-gapped hardware wallets:

  1. That which uses a storage device to transfer data to and from the (internet connected) software wallet

  2. That which uses an optical path to transfer data to and from the (internet connected) software wallet.

A Coinkite Coldcard is an example of the first kind, using a MicroSD card. The SeedSigner is an example of the second kind, using cameras at both end to display and capture QR codes. 3

OK, now on to the previously promised “my take on it”: part 2


  1. I can’t tell whether he’s speaking using the “editorial we” or if the investigation was done by his company/group. ↩︎

  2. I personally find that the “degradation” of the air-gapped hardware wallet user experience is reasonable in general, and very small indeed for the newer generation of hardware wallets which talk optically (QR-codes + camera). ↩︎

  3. I have used both but I personally prefer the optical path. ↩︎