Perhaps you have heard similar comments before and it does seem that teenagers have a talent for technology. They seem able to find problems and flaws faster than others. Whatever the reason for this ability, a 15-year-old security researcher (that sounds like a white hat hacker to this writer) from the UK found a flaw in a popular hardware-based crypto wallet, the Nano-S from the French company, Ledger.
The Nano-S product concept is that the user carries their cryptocurrencies with them in the Nano-S, which resembles a USB stick with a digital display. The device uses a secure chip to generate encryption keys and when it is connected to a PC, the crypto transaction takes place without the keys ever leaving the Nano-S. A non-secure chip handles other administrative and management tasks.
It is a very good technical approach that was compromised by a business mistake: demand for the product was so high that Ledger allowed third parties to resell it. They advertised their security model as so strong that users could feel secure buying from third parties. This was the mistake mentioned above: the device was no longer in Ledger’s control, and that created the potential for it to be compromised.
According to a report published by the KrebsOnSecurity blog, the teenager discovered that a third-party reseller could update the firmware with malicious code. By writing a piece of code that was then installed on the non-secure chip, the teenager was able to fool the user into believing they were receiving encryption keys from the secure processor when in fact the malicious code was providing predetermined keys. The bad guys could then intercept and decrypt the transactions, stealing the currencies and other data.
CRIP.TO firmly believes the security adage stated in the report, “#1 rule of security — namely, if an attacker has physical access to your device, then it is not your device anymore.” For this reason, CRIP.TO maintains control over the design, manufacturing, assembly, and coding of its hardware-based pocket device with crypto wallet capability, the CRIP.TO Black.
The Black is more than just a crypto wallet. It is a robust encryption device that handles all forms of communication encryption, whether voice, data, or cryptocurrency. The Black uses a custom chip based on a field-programmable gate array (FPGA) architecture. It uses true random number generation (TRNG – only possible in hardware) to create the encryption keys. When connected to the internet via its companion Android app, Shield, communications flow over the CRIP.TO network fully end-to-end encrypted. All encryption keys and cryptocurrency information are stored on the Black, never leaving the device.
There is no code on the FPGA processor until the complete device has been assembled under the watchful eyes of CRIP.TO employees. When a Black is ordered, the latest code is installed, and the device is shipped directly to the customer. Should the device be intercepted and attempts made to alter the CRIP.TO code or add malicious content, sophisticated security built into the hardware and firmware essentially shuts the device down, rendering it inoperable.
CRIP.TO offers the highest level of encryption available to individuals, companies, and organizations with the objective of providing complete personal anonymity, privacy of communications, and security of content. As a company we believe everyone deserves the right to communicate fearlessly and are committed to providing products that provide that capability. It appears we will be adding teenage hackers to our testing process soon.
Find out how to communicate fearlessly with CRIP.TO products and services today.