Hey everyone! This is the Blockstream Jade team and we’re here to answer questions about the latest firmware upgrade that brings air-gapped transaction capability to Jade.
Blockstream Jade’s camera has been dormant since its release in early 2021, but firmware version 0.1.41 brings some powerful new functionality to Jade by fully enabling the camera for use. Jade users can now access their device and communicate with companion apps solely using QR codes - no USB or Bluetooth required. This includes importing a wallet, verifying receive addresses, and signing bitcoin transactions.
Jade has become even more versatile with this upgrade, specifically by allowing for additional compatibility with mobile wallet apps such as BlueWallet and Nunchuk. However, Jade can also now be used in an air-gapped manner with popular desktop apps, such as Sparrow and Specter.
We hope everyone enjoys this feature as much as we’ve enjoyed building it. AMA!
Get a Jade here (coupon code “wencamera” for 10% off): https://store.blockstream.com/product/blockstream-jade-hardware-wallet/
521 sats \ 1 reply \ @adam3us 14 Nov 2022 freebie
demo video of jade QR code and seed QR https://twitter.com/Blockstream/status/1591831525418573824?s=20&t=GJ5_HQ5m7KXQOElIyJ6Xug
reply
11 sats \ 0 replies \ @kr 14 Nov 2022
welcome to SN!
reply
239 sats \ 1 reply \ @theinstagibbs 14 Nov 2022 freebie
What is the biggest attack vector for QR code based communication?
Is the firmware for camera open source? Audited?
reply
12 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
Probably the bcur and qrparsing libraries. We have done some level of review and modifications to ensure security, however we do not have a third party auditing that we commissioned. The libraries are indeed open source, as well as the esp32 camera library (however the esp32 doesn't load the camera firmware).
reply
238 sats \ 1 reply \ @trdr4 14 Nov 2022 freebie
Are there any plans for a second (upgraded) version of Jade??
reply
0 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
We have a couple ideas of what this could look like, but probably not coming any time soon
reply
321 sats \ 4 replies \ @kr 14 Nov 2022
if you had to rank the security of the various connection methods that hardware wallets use today, how would you rank the following?
- bluetooth
- nfc
- usb
- microSD
- camera
reply
187 sats \ 3 replies \ @blockstream_official OP 14 Nov 2022
- MicroSD
- Camera
- USB
- NFC
- Bluetooth
reply
7 sats \ 0 replies \ @dtonon 15 Nov 2022
Why is the MicroSD safer than the Camera? Isn't the autorun* ability of the card an attack vector?
[*] Is it still a thing on Windows?
reply
18 sats \ 1 reply \ @blockstream_official OP 14 Nov 2022
It's debatable if the USB driver is worse than QR and bcur decoders
reply
94 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
Camera is likely better - since it allows you to communicate with your companion app only when you choose for it to. Less likely to be attacked
reply
202 sats \ 1 reply \ @ncryppt 14 Nov 2022
Curious, is the Blockstream Jade compatible with Chrome OS (Chromebooks)? Looking to buy a friend a hardware wallet but he only has a Chromebook and an iPhone. Cheers.
reply
1 sat \ 0 replies \ @blockstream_official OP 14 Nov 2022
We haven't tested specifically with Chrome OS, however Jade can be used with three different mobile apps on iOS including Blockstream Green, BlueWallet, and Nunchuk if you'd like to recommend he try Jade with one of those
reply
201 sats \ 1 reply \ @litago 14 Nov 2022
How does the wallet protect against QR codes containing malicious payloads in the case where there is a vulnerability in the hardware?
Is there any difference in the way you need to protect against these when using QR compared to other solutions?
reply
2 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
We only accept a very small list of certain UR messages and other specific payload types (eg. SeedQR). We then apply strict checks to the format of that payload to ensure it is valid and is what we think it is (for example our PSBT parser can be quite strict in what it accepts). Then after that, we still have the checks and validations we run on the payload (eg. the txn data) regardless of which transport it was received from.
reply
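An added example, not part of the thread and not Jade's firmware code, of the layered handling described in the answer above: accept only an allow-list of payload kinds, then check each one's format strictly before anything else touches it. The allow-list contents, the size limit and the function names are assumptions; the UR body here is checked for structure only and is not decoded.

```python
import hashlib
import re

# Assumption: illustrative allow-list and size limit, not Jade's actual values.
ALLOWED_UR_TYPES = {"crypto-psbt"}
MAX_SCAN_CHARS = 2048
# ur:<type>/<bytewords> or multi-part ur:<type>/<seq>-<total>/<bytewords>
UR_RE = re.compile(r"ur:([a-z0-9-]{1,32})/(?:(\d{1,6})-(\d{1,6})/)?([a-z]+)")

def parse_seedqr(digits):
    """Standard SeedQR: 4 decimal digits per BIP39 word index, 12 or 24 words."""
    if len(digits) not in (48, 96):
        raise ValueError("SeedQR must be 48 or 96 digits")
    idx = [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]
    if any(i > 2047 for i in idx):
        raise ValueError("word index out of range")
    bits = 0  # each index is 11 bits; the trailing len/3 bits are the checksum
    for i in idx:
        bits = (bits << 11) | i
    cs_len = len(idx) // 3
    entropy = (bits >> cs_len).to_bytes(len(idx) * 4 // 3, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_len)
    if bits & ((1 << cs_len) - 1) != expected:
        raise ValueError("bad BIP39 checksum")
    return idx

def classify_scan(text):
    """Return (kind, detail) for an accepted scan; raise ValueError otherwise."""
    if not text.isascii() or not 0 < len(text) <= MAX_SCAN_CHARS:
        raise ValueError("not ASCII or bad length")
    if text.isdigit():
        return ("seedqr", parse_seedqr(text))
    m = UR_RE.fullmatch(text.lower())  # URs are case-insensitive
    if not m:
        raise ValueError("unrecognised payload")
    ur_type, seq, total, body = m.groups()
    if ur_type not in ALLOWED_UR_TYPES:
        raise ValueError("UR type not on allow-list: " + ur_type)
    if seq is not None and (int(seq) < 1 or int(total) < 1):
        raise ValueError("bad multi-part sequence")
    if len(body) % 2:  # minimal bytewords use two letters per byte
        raise ValueError("odd-length bytewords body")
    part = (int(seq), int(total)) if seq else None
    return ("ur", {"type": ur_type, "part": part, "bytes": len(body) // 2})

# Constructed samples: the all-zero-entropy 12-word seed and a UR-shaped string.
SAMPLE_SEEDQR = "0000" * 11 + "0003"
SAMPLE_UR = "UR:CRYPTO-PSBT/1-3/LPADAXCS"
```

Whatever `classify_scan` accepts would still go through the same transaction-level validation as data arriving over USB or Bluetooth; this step only narrows what reaches those parsers.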
201 sats \ 2 replies \ @shyfire 14 Nov 2022
What are the primary differentiators of the Jade when compared to the Foundation Passport?
reply
101 sats \ 1 reply \ @blockstream_official OP 14 Nov 2022
Jade doesn't have an SD card option, although it is offered for a much lower price
reply
40 sats \ 0 replies \ @joko 14 Nov 2022
I think there's a good bit more. Passport has/is:
-physical secure element
-much bigger screen
-removable battery
-much higher price
While Jade has:
-Anti-Klepto
-way lower price
reply
201 sats \ 1 reply \ @chris 14 Nov 2022
Hi Blockstream Jade team!
I just wondered, how does the security of air-gap transaction by QR code compare to the other forms of air-gapped transactions? For example, the Coldcard using a microSD, or Ledger Nano X or Jade using Bluetooth, or using NFC methods (does that count as air-gapped)?
I guess there are pros and cons to each method, but how would you say QR stands up overall, compared to the other ways?
Love your work at Blockstream, by the way! :-)
reply
1 sat \ 0 replies \ @blockstream_official OP 14 Nov 2022
Thanks for the kind words! SD cards should be safe. NFC depends on the stack/security of each part. Bluetooth also depends on stack/security of each part. QR relies on the QR parsers and all the bcur dependencies, as well as PSBT parsing dependencies.
reply
201 sats \ 1 reply \ @Randomguy 14 Nov 2022
Since jade supports seedQR, is it on the roadmap to operate stateless similar to how seedsigner works?
reply
1 sat \ 0 replies \ @blockstream_official OP 14 Nov 2022
This is actually exactly how a fully air-gapped workflow with Jade works today. Users simply scan a SeedQR with Recovery Phrase Login, and the wallet is forgotten as soon as the device is rebooted. Users can also use Jade as a "stateless" device for USB and Bluetooth communications as well.
reply
201 sats \ 1 reply \ @kr 14 Nov 2022
what were the most difficult design trade-offs you had to consider when building Jade?
reply
142 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
One of the most difficult tradeoffs was the choice between using a remote PIN server and a secure element. We decided to choose the PIN server route to maintain DIY possibilities, and also to keep the design fully open-source
reply
185 sats \ 6 replies \ @bitcoingraffiti 14 Nov 2022
Favy Sci-Fi novel?
reply
2 sats \ 5 replies \ @blockstream_official OP 14 Nov 2022
Foundation
reply
2 sats \ 1 reply \ @blockstream_official OP 14 Nov 2022
From another team member:
(At least some of) Iain M. Banks' 'Culture' novels.
Peter F. Hamilton's 'Night's Dawn' trilogy.
Stephen Donaldson's 'The Gap'.
Dune, of course.
Anything by Larry Niven.
reply
0 sats \ 0 replies \ @bitcoingraffiti 14 Nov 2022
Thanks. That's a lot of authors I don't know yet.
reply
0 sats \ 2 replies \ @bitcoingraffiti 14 Nov 2022
@adam3us what's yours? You read cyberpunk?
reply
32 sats \ 1 reply \ @adam3us 14 Nov 2022
snow crash by neal stephenson
reply
0 sats \ 0 replies \ @bitcoingraffiti 14 Nov 2022
Mr. Lee's Hong Kong Citadels ;)
reply
185 sats \ 1 reply \ @trdr4 14 Nov 2022 freebie
Are we able to do air-gapped transactions for Liquid assets?
reply
0 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
This will not currently work for Liquid txs (PSET) however it is something we are exploring
reply
185 sats \ 1 reply \ @liquid 14 Nov 2022 freebie
Is the new air-gapped feature compatible with Liquid? If not, are there plans to?
reply
0 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
This will not currently work for Liquid txs (PSET) however it is something we are exploring
reply
0 sats \ 1 reply \ @TheBTCManual 15 Nov 2022
I've really been enjoying using my Jade. I really only picked one up because I wanted to use L-BTC, but it's really become a favourite wallet of mine, and with these new firmware upgrades it's only getting better.
Definitely considering picking up a few more for friends and family
reply
0 sats \ 0 replies \ @blockstream_official OP 15 Nov 2022
Love to hear it, thanks for the feedback!
reply
0 sats \ 0 replies \ @BlokchainB 15 Nov 2022
Big fan, happy customer here. Thanks for the AMA
reply
0 sats \ 1 reply \ @gd 14 Nov 2022
Weird boring question— What is the current delivery lead time to the UK for a Jade?
reply
3 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
Hard to give an exact answer, typically under two weeks
reply
0 sats \ 1 reply \ @k00b 14 Nov 2022
Under what circumstance would you recommend someone switch to Jade wallet from another hardware wallet?
reply
306 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
Makes sense to switch if your manufacturer has a poor security track record and/or stops providing support/upgrades for a device.
Speaking of Jade specifically: Jade is a highly versatile device with three communication methods and you can use both with remote PIN server or statelessly. Jade is supported by a large range of apps, a libwally stack with no external dependencies, and we still have a lot more planned.
Also offers some unique security features you can't find many other places, such as anti-exfil
reply
0 sats \ 0 replies \ @rijndael 14 Nov 2022
very cool! love to see new features come to jade!
reply
0 sats \ 0 replies \ @lpop4254 14 Nov 2022
What is ur hardware wallet spac
reply
0 sats \ 1 reply \ @0335225260 14 Nov 2022
What are the principles that guide the building of your products?
reply
10 sats \ 0 replies \ @blockstream_official OP 14 Nov 2022
Security, privacy, FOSS, ease-of-use
reply