420 sats \ 0 replies \ @Fabs 5 Aug 2024
This is severely fucked up, be wary when updating your hardware, peeps!
20 sats \ 0 replies \ @grayruby 5 Aug 2024
I saw this discussed on Twitter. Thanks for sharing on SN.
10 sats \ 0 replies \ @Arceris 5 Aug 2024
“Well, heh heh… you’re very much not going to like this.”
33 sats \ 2 replies \ @petertodd 6 Aug 2024
Note that this is not relevant to hardware wallets using multisig between the host computer and the hardware wallet.
IMO, basically all hardware wallet usage should be with multisig. Otherwise you're just replacing one type of supply chain risk with another.
10 sats \ 0 replies \ @Bell_curve 6 Aug 2024
1000 percent
I use Casa Keys co-founded by Jameson Lopp
0 sats \ 0 replies \ @028559d218 7 Aug 2024
in other words... use multisig to not have to trust one hardware wallet manufacturer?
0 sats \ 0 replies \ @_stacktoshi 6 Aug 2024
Seems like Seedsigner could mitigate this using the rPi's secure boot feature, and maybe some sort of PIN challenge that the user entered during initial configuration, but I'm not sure if that requires a network connection or not.
This issue seems relevant: https://github.com/SeedSigner/seedsigner/issues/390
0 sats \ 1 reply \ @itsMoro 5 Aug 2024
would it exfiltrate a passphrase too?
0 sats \ 0 replies \ @03a8ac13db 6 Aug 2024
See https://darkskippy.com/faq.html
0 sats \ 1 reply \ @ZezzebbulTheMysterious 5 Aug 2024
Generally, it should be very difficult to install modified firmware to a security device, usually via a signature check. There is trust extended to the hw vendor to not make a malicious firmware.
0 sats \ 0 replies \ @028559d218 7 Aug 2024
it's my understanding that all the major vendors... design their products and firmware in ways where it is difficult to impossible to install 'bad' firmware. it can still be done (i.e. 'custom' firmware) but warnings and notifications are provided to the user.