S4 E2: ShiftCrypto’s Douglas Bakkum & Jonas Schnelli on the BitBox02 Hardware Wallet

ShiftCrypto’s BitBox02 is one of the most pleasant surprises on the hardware wallet market. It takes the best elements from Trezor (open source audited software) and Ledger (secure element chip), then adds an extra layer of good op-sec by making use of a male connector which eliminates the need for a potentially compromised cable.

From a software perspective, the BitBoxApp allows users to connect to their full node (thus greatly increasing privacy and security) and enables coin control (great for UTXO management).

Furthermore, the research team behind ShiftCrypto has made multiple responsible disclosures about vulnerabilities that they found in their competitors’ devices (for more information, check out The Charlatan’s article on the Coldcard ransom attack, Benma’s report on the Trezor Model T theft attack, and Kaspar Etter’s breakdown of multisig configuration issues). This competitive yet collaborative environment creates better security premises for everybody involved.

ShiftCrypto is one of the actors who definitely improve the greater state of the hardware wallet market. Correspondingly, having co-founders Douglas Bakkum and Jonas Schnelli on this second episode is a privilege and a great opportunity to learn.

For an in-depth analysis of the BitBox02 and other significant devices, read the three-part review that I published in Bitcoin Magazine: Part OnePart TwoPart Three.

Some questions asked to Douglas Bakkum and Jonas Schnelli during the interview:

1. Why should bitcoiners buy a hardware wallet? In which ways is it better than cold storage methods like the paper wallet or the steel plate?


2. Why should that wallet be a BitBox02? What is special about the ShiftCrypto devices, compared to the competition?


3. Can you say something that you like and something that you don’t like about your competition? (this includes Trezor, KeepKey, Coldcard, and Ledger)


4. What is the story of the original BitBox and why was it discontinued so quickly? Do you think that the flaws have been fixed in the 02?


5. What do you think about the fact that Coldcard and Ledger also use the secure element chip design?


6. What is the general feedback that you’ve received for the BitBox02 since launch and what are the features that get most praise?


7. In the experience that I’ve had, the BitBox02 is less friendly with multisig setups than the Trezor Model T and the Coldcard Mk3. Are you planning to make any improvements in this regard?


8. Do you have any kind of recommendations for people who choose not to use your BitBoxApp software and go for Electrum and Wasabi?


9. In the last couple of weeks your researchers have discovered vulnerabilities in the Trezor Model T and the Coldcard Mk3. What was the response you got from your competitors?


10. What are ShiftCrypto’s upcoming plans in the hardware wallet market?

11. Is there backwards compatibility between the BitBox01 and the BitBox02?

12. What are your takes on QR codes? Do you think this is a future step for hardware developers? (asked by EnkiTek on Twitter)

13. Where’s the inspiration come from? What’s behind BitBoxBase and Tep, and what might we expect down the road? (asked by Track Bender on Twitter)

… and many more, the interview was longer and more in-depth than expected.

You may listen to the episode on iTunes or Spotify!

If you haven’t signed up to either service, you may try the direct RSS feed.

Special thanks to LXMI and Bottle Pay for sponsoring this episode!

LXMI Ad:

“LXMI is a European Cryptocurrency exchange whose name is inspired by Lakshmi, the Hindu Goddess of Wealth, Good Fortune and Prosperity. It’s one of the regulated and legal Cryptocurrency exchange.

On LXMI you can buy bitcoins with most fiat currencies and you can also do the trading for top Altcoins. 

They follow the “Not your keys not your bitcoins” philosophy with their integrated non-custodial wallet which helps you manage your own private keys. So if you’re into trading, then you don’t have to worry about having your Crypto frozen by whatever political decisions, since you’re empowered to hold and move your coins around whenever you wish. 

It’s great to have new players like LXMI that respect your financial sovereignty.

LXMI is launching in 2020 for more information please check out – www.LXMI.IO/

If you’re not trading, it’s recommended to move your coins to a hardware wallet or some other form of cold storage, and in this episode, you’re about to find why.

Please keep in mind that this is just an ad for a sponsor of this show. It’s not meant to serve as financial advice, and you’re responsible to do your own research before buying anything and act according to your own decisions. Embrace your financial sovereignty with agency and precaution.

Bottle Pay Ad:

Hey you! Looking for the simplest way to get started sending satoshis on the Lightning Network? Then sign up with your social account on Bottle Pay now.

Bottle Pay is your premium Lightning service for unfairly cheap and effortless bitcoin payments. It is powerful enough to offer all of the payment features you need, while also being simple enough for no-coiners to understand.

No more confusion and headaches! Send satoshis instantly to anyone on a supported social network in a couple of clicks.

Login today at bottle.li, and receive 1000 free satoshis to get you started sending and receiving bitcoin. Follow the steps to become a Power User and earn even more.

Head over to bottle.li and get started now.

Full Transcript:

Vlad Costea (00:00:11):

Hello and welcome to Season 4 Episode 2 of the Bitcoin Takeover Podcast. I am Vlad and today I have two guests who work and have developed Shift Cryptosecurity, one of the rising companies in the hardware wallet market, and just in case you didn’t get accustomed to the format by now the whole season is going to be about hardware wallet makers and their breakers and the names of my guests are Douglas Bakkum and Jonas Schnelli, who is also a Bitcoin core developer. And this is going to be very interesting. So hello gentleman.

Douglas Bakkum (00:04:34):

Thanks for this opportunity.

Jonas Schnelli (00:04:34):

Yes thanks.

Vlad Costea (00:04:35):

No thank you. Because there’s a lot going on and I noticed that the BitBox02 is getting some traction. It’s not quite the holiday season but on Black Friday I saw that Blockstream had some sort of offer with the BitBox02, the Ledger and the Trezor. So you’re basically positioned on their podium. And also there was this video of somebody who tried to order more than four devices and was not able. So if you have this kind of limitation in place, I presume that you’re starting to have a demand for the product.

Douglas Bakkum (00:05:17):

Yeah, it’s slowly picking up. So we just released our BitBox02 hardware wallet, which is our second version device, just a couple of months ago. We spent a lot of time in the last years developing it and we’re quite happy with the response we’ve gotten so far. And we’re looking forward to keep promoting it, keep hearing feedback and keep trying to improve on it.

Vlad Costea (00:05:44):

And Douglas, as far as I know, you’re the creator and designer of the original BitBox, right?

Douglas Bakkum (00:05:51):

Yes. So again, the BitBox02’s our second version. The first one I created and designed myself about four years ago now. And so I do have quite a bit of technical background to be able to do that, of course. But right now my role is the CEO. So, fortunately and unfortunately I don’t get so much chance to do the technical work anymore.

Vlad Costea (00:06:17):

Okay. That’s useful to know. So my first question for both of you is why should Bitcoiners buy a hardware wallet? Because when you ask some security specialists, they’re going to say that it’s better to just use a paper wallet or some other cold storage method. And some people even say that it’s better to get a general purpose item that you cannot distinguish by manufacturer.

Jonas Schnelli (00:06:45):

Yeah, there’s different layers or different thoughts about what’s most secure. In general if you’re going to use the paper wallet, so where do you generate your entropy? Do you going to roll dices, which is really complicated, or do you going to use a computer and generate the paper wallet, which, during the moment of your generation of that actual seed, you may be compromised at that point. So that’s A the critical moment. And then B, what if you want to spend your coins, assume you have created a secure paper wallet. And at some point you want to sell the coins or send them forward, what do you going to do with the paper wallet? So you need to enter the seed again into your computer or eventually in a secure device. And if that device is compromised, the funds may be redirected to the attacker.

New Speaker (00:07:41):

And hardware wallets, they come with very limited attack surface. They have almost no iOS, so it’s like secure on the hardware, and it’s also having usually a non-Linux, dedicated operating system, which is like super small amounts of lines of codes compared to Android with probably 10 millions of lines of code, just for the kernel. And by limiting that our hardware wallets can make sure it’s the least amount of attack vectors possibly.

Vlad Costea (00:08:20):

Okay. I know that generally hardware wallets tend to be very secure unless you have some sort of physical access to them. And maybe this applies to any security device. It’s safe until somebody who is very skilled and knows exactly what to do gets their hands on them. And possibly that’s where the compromise can happen.

Jonas Schnelli (00:08:45):

I see. Yeah. It’s always, the more money you willing to spend to compromise the device, the more likely is it that you’re going to access the secrets on it. There is nothing unhackable—that’s just not possible. So it’s like how secure you make things. So you can take one hardware wallet, but then you can reuse multiple hardware wallets, kind of a split portfolio situation or a Multisig. But at the end everything is hackable, it’s just very complicated. And the BitBox02 also protects from physical thefts, so it’s like, we’re trying to make it impossible for physical theft to access the funds.

Vlad Costea (00:09:33):

So if a user wants to buy a hardware wallet and they’re not quite decided, they don’t know what to do, why should they go for the BitBox02? What is special about it as compared to the competition?

Douglas Bakkum (00:09:51):

Yeah, I can try to answer this one. There are a number of options and more options coming out to the market. And I think in general that’s a good thing. They’re solid competition. I think it’s a good thing to have. If you have a lot of funds, it’s probably a good idea to have a couple of different hardware wallets just in order to reduce some of the manufacturer risk if a problem happens in one of them. But for our hardware wallet in particular, we do think it has some advantages over the competition, some strong advantages, both in terms of usability, also in terms of security, which I can touch on very quickly. So usability—when we designed the BitBox02, we tried to take a lot of lessons from our BitBox01 and apply them to the BitBox02.

New Speaker (00:10:48):

In terms of usability, one of the most popular features of our first hardware wallet was the microSD card. And so we focused a lot on simplicity and the microSD card is one of the best ways to do that. What that refers to specifically is when you first create a hardware wallet, you need to handle the backup safely. And the common way to do that is with this mnemonic word list, and so you write down 12 or 24 words onto a piece of paper, then you have to reenter it into the device in order to check it and so on. And the feedback we got from new users and our resellers is that this is a quite complicated process. They call it mnemonic anxiety, where users especially new users, they don’t really understand the concept.

New Speaker (00:11:38):

And so it’s really stressful during this whole process, that could take 20-30 minutes to write down each letter correctly. And so with the microSD card we eliminate the need for that where the backup is created instantly on the SD card. The concept of a backup is really easy to understand and just saves a lot of stress during the whole process. And so you can set it up. You can also recover a wallet very quickly with the BitBox02. For more expert users or the people more comfortable handling mnemonics, we also do offer the option to display the mnemonic on the screen and to record it down onto paper. So that’s one way.

New Speaker (00:12:26):

In terms of usability, one of the unique things with our second hardware wallet also is the user input. And so we have touch sliders on the sides of the device and those things allow different types of gestures. So a tap, slide, hold, things like that, allows a lot of flexibility there. And we think we can do a lot of really interesting UX with that. And also having the sliders on the side of the device instead of over the screen. Your finger is not in the way of the screen, so it’s a bit better usability experience that way. We’ve gotten a lot of good feedback on the uniqueness and we think also in terms of the different things you need to do on a device such as password entry or scrolling through data, that we can do this in a much more efficient and even fun way. So we’re quite happy about the response to that from the initial users so far.

New Speaker (00:13:21):

In terms of security, when we had our small meeting in Berlin, we talked about it a little bit. I’ll try to summarize very quickly. Looking at Ledger and Trezor, I think they’re the main market leaders at the moment. Their security architecture is a bit different extremes. And we tried to take the best of both worlds. So Trezor for example is open source, which is a really great thing. But these are general purpose microcontroller, which is not designed for security. That’s okay, but it makes it a bit easier for an attacker to access secrets or data on the device if they do physical theft.

New Speaker (00:14:17):

Ledger on the other hand does use a secure element, which is specifically designed to prevent physical access when someone steals a device, that’s a very great thing. But the issue there is, in order to run code on the secure element, they have to sign an NDA with the manufacturer. And so the code is closed source. Important parts of the code are closed source. The problem with this is that in order for a secure element to be labeled a secure element, the manufacturer has to go through a certification process where it can take a year or more in time, it can take $1 million to go through this, so it’s a very costly kind of set up. And in the past it’s been recorded that manufacturers do not have the incentive to fix bugs that happen and it’s inevitable that bugs will happen. And so if these things are used in ATM cards and stuff like that, where it’s probably okay, it’s probably an acceptable level, but when it comes to cryptocurrencies where one small bug could cause your transaction to fly away into the ether and not be recoverable, we think this is just a no-go.

New Speaker (00:15:35):

And the reason that the manufacturers aren’t incentivized to fixed bugs is, in order to change the code—which is oftentimes at the hardware level—they would need to do a chip redesign. They need to redo the certification process so another year to market, another million dollars. And so they have a tendency to just ignore these problems. And it’s to a point now where the quality of the chips are good, but even if you have a one in a million possibility of a bug happening in some side case or edge case, that still means irreversible loss of funds to people. And in my opinion, that’s just a no-go. And so the BitBox02, we tried to take the best of both worlds. So we do use a general purpose microcontroller where all of the code on it is run open source and we use only the most well vetted cryptographic libraries to do that. But we also combine that with the secure chip and the secure chip we use purely for securing the physical access to the device. And so this is also why the threat scenario of theft is also something we protect against.

Vlad Costea (00:16:57):

Okay. Because when I tested it for my Bitcoin Magazine review, which you should also be reading if you’re getting informed. What I liked about it was that within the user interface you were able to connect your full node and also enable a function which allowed you to have UTXO control. I think it’s called Coin Control, in the interface. So these two options, even though they might sound banal or something that should be there, they’re not actually in the interfaces of Trezor and Ledger. So that’s something that I really appreciated.

Jonas Schnelli (00:17:40):

Good point. And since it’s purely on the software layer, it has not too much to do with the hardware itself, but it’s part of our user experience cycle. And I think especially Coin Control to control to control the UTXO I consider that very essential because I don’t A want to link with change. So what Coin Control allows you is forwarding a single received amount to let’s say an exchange. If you don’t want to have a change address, which could be bad for privacy or if there is taint UTXOs. There’s a lot of taint going on with people sending small amounts to larger addresses so they can track you better. And usually normal wallets also take those UTXOs and spend those coins as well. So that manual coin control, I think this is really how it should have been from the beginning. And ultimately coin selection is something that people should have been enabled intentionally.

Vlad Costea (00:18:56):

Yeah. And you also had the Bech32 support from day one, which is something that took other manufacturers a long time to implement. But in regards to coin control, I think it manages to fix and address one of the design issues of Bitcoin. Because when you send somebody any amount, they can see everything even in terms of how much you have and how much people who sent you their Bitcoins had. And they can track all of this information all the way to whoever they want to identify. So if you have, for example, 50 Bitcoins and you want to send 0.1 to somebody, you don’t want them to see that you have 50. Because nowadays that’s a lot of money and you could have just the small UTXO which enables you to send that amount. For example you have a 0.2 UTXO, you’re only going to see that and that’s very useful.

Jonas Schnelli (00:19:53):

Yeah, I mean it’s not a mixer. So there’s still a linkage to your former receiving. But you can choose which ones you want to use, which is a huge benefit in terms of where you have received funds and which ones of those you’re going to spend. Because otherwise your wallet doesn’t make any difference between where you got the money from. And this could be hurtful for your privacy.

Vlad Costea (00:20:23):

Okay. I think the next part of the interview is going to be the toughest one because I want to hear something nice about your competition. And we are going to break this down by manufacturer. So we begin with Trezor because they were the first players on the market.

Douglas Bakkum (00:20:42):

Yeah. So just to take one step back. So I appreciate you also listing some of the other features of the wallet. I just wanted to mention, one other thing is that our desktop app is now also a mobile app. So for Android we released a beta version, which I think is quite cool. So our device itself has a USB-C connector, so you can plug it directly into modern Android phones and we’d be really happy if our existing users can go check that out and give us some feedback so we can get it out of beta.

New Speaker (00:21:16):

Sorry for the quick plug and then to come into the next question, say something nice about our competitors. This is not so hard of a thing to do. And I think in any young field, and cryptocurrencies, hardware wallets especially are a young field, it’s a very important thing for the competitors to look out for each other because in the sense, what’s the saying where, “A rising tide lifts all boats.” I think that really applies in this current field. And so we’re also quite happy to make good relationships with our competitors and try to improve our offerings in all ways for everyone.

New Speaker (00:22:05):

With respect to Trezor, we’ve had a lot of great relationships with them. One really great thing of course is their open source nature. They really stick to the ideals around that. A really great community interaction. We’ve done some responsible disclosures with them and it’s been a really great process. So I’d say they’re quite professional on that end. And so again, I think we share the ideals of keeping everything open source, really contributing to the community. Of course we have business models that compete where we try to sell hardware to customers. But in the end, we think improving the whole ecosystem will just be a benefit for everyone, including both of ourselves and the users in the community.

Vlad Costea (00:23:01):

Can you also say something that you don’t like about Trezor?

Douglas Bakkum (00:23:06):

So this is the hard part. If forced, I think they do a really great job. The hardware they build is really nice. The app is really nice. One of the negatives is that theft is not part of their security model for the hardware. And I hope that they’re working on solutions to that in the future.

Vlad Costea (00:23:41):

Okay. Well let’s move on to Ledger. You’ll have to say something nice about them and something that you don’t like.

Douglas Bakkum (00:23:51):

Sure. So, Ledger, quite respectable company. The market leaders in the field, so they’re really driving a lot of adoption and consumer pickup. I think one of the best things about them is their Ledger. DonJon. Charles, who’s leading that, he’s really a great guy. And again, I think he shares these ideals of, “The rising tide lifts all ships.” So he’s also very interested in our communication to support each other to improve things. And the Ledger DonJon if people don’t know is a specialized white hat hacker enclave that’s an independent part of Ledger. They do a lot of really great work, have a lot of great experts, in order to look at the security of themselves, of course, but also their competitors and related fields. And I think that’s a really great asset for the whole ecosystem.

New Speaker (00:25:03):

As far as things we don’t like, that’s a bit easier. Can use the stereotypical one that they’re using the secure element, which means part of their code has to be closed source, which I talked about a bit earlier.

Vlad Costea (00:25:21):

Okay. That was easy. And talking about it, I think the people on Twitter who buy products and then compare are a lot more toxic and a lot meaner than actually you people, who are the executives and the creators of the devices. I feel like there is some sort of spirit of camraderie maybe, but before I jump to conclusions about that—some people would say it’s a Trezor clone of sorts. I had the first interview of the season with the CTO of Shapeshift. So what do you think about the KeepKey something good and something bad?

Douglas Bakkum (00:26:02):

Yeah, so KeepKey. Originally they were a Trezor clone a number of years ago and I think they weren’t shy about advertising that and talking about it and really trying to take the Trezor model. And again, I think Trezor is okay with it. They’re all open, that’s why their code is open source so other people can improve on it. And they took that code to try to make a better UX in terms of hardware. But naturally in time things do diverge. And so I wouldn’t necessarily call them a Trezor clone anymore. In time, as you have your own hardware platform, your own thoughts, things will diverge and you’ll end up making different design decisions. The KeepKey, I would say in that sense, the positives and negatives are similar to Trezor. So the negative in the sense that they don’t have the secure chip inside, so the threat model doesn’t include theft. The positive is, since they got bought by Shapeshift, they have quite nice usability in terms of the integration with Shapeshift, which is quite a nice thing and something that we’re also interested in exploring.

Vlad Costea (00:27:29):

Okay. Now comes the harder part. What do you think about the ColdCard? Because they don’t like you as far as—

Douglas Bakkum (00:27:35):

They used to like us. I think they still like us, but we’ll see. You’ll have an interview with Rudolfo later, I’m assuming. So Coldcard. I think they have a really well defined target market, which is the people who care mostly about security, and willing to sacrifice usability. And so that brings up immediately one of the negatives. So usability is a challenge when using their device just because you need to have a more expert level knowledge and that’s due to their design choices. They did that on purpose.

New Speaker (00:28:26):

On the other hand, it’s really optimized for security in a lot of ways, which is a great thing. The issues with why you say they don’t like us, I’m not sure if we’ll get into this later or not, but it has to do with a responsible disclosure that we made to them. Probably there was some miscommunication along the lines of what responsible disclosure actually really meant in the end. And how that process would play out. They’re a newer player on the market. So the protocols in place for what steps to go through maybe were not completely in place. And so when we did make our responsible disclosure, there was some kickback from them about whether or not the severity level was really what we think it is and so on and so on.

New Speaker (00:29:22):

And these are all things that we’ve gone through in the past also. And Trezor and Ledger have gone through in the past when first dealing with security reports and things like that. I think it’s just a natural part of the game and having a good bug bounty program in place and getting high quality feedback from—I know there’s some really excellent brains in the field, which you’ll have on your interview of course in the future, that really know ways to hack stuff. And like Jonas said earlier, nothing’s unhackable. And so the thing that we need to do as hardware wallet manufacturers is be really receptive to that and fast, responsive. And they were, they were receptive and responded really fast and put out a fix really fast, and really be receptive to that and take that and improve the products.

Vlad Costea (00:30:25):

So how do you comment on the fact that the BitBox02 and the ColdCard Mk3 use the same secure chip?

Douglas Bakkum (00:30:34):

So I can’t say what their full design decisions are. So the idea of how—we call this a dual chip approach—so having both a general purpose microcontroller and a secure chip, we’re the first ones to do that about four years ago with our first BitBox. You can argue about the way we implemented it was maybe not ideal. But we started that, and then with the second version BitBox and the Coldcard, they use the same architecture, the same chip sets. In our opinion, it made the most sense as far as the security architecture. And I think if you research the different chips that are available and things like that, it’s not too hard to come to your own conclusion that this is a good approach. And so I think that both of us using the same approach with the chip side, maybe co-validates our design choices, and so I’m quite quite happy that they’re doing that.

Vlad Costea (00:31:51):

Okay. Is there any other hardware wallet manufacturer that you think should be mentioned in this section before we move on with another question?

Douglas Bakkum (00:32:02):

Now this is the hard question. You put me on the spot because I don’t want to make anyone left out and feel bad. So I’ll say probably it makes sense to not list anyone in particular, but there are a number of other hardware wallet vendors on the market, a lot of newer ones that came out in the last years. I don’t want to say too much about them. There’s some interesting and quite intriguing design choices. But in terms of promoting them or not, I’d prefer to wait and see how they do on the market and how they do with hacks and so on.

Jonas Schnelli (00:32:49):

Yeah. I think it also needs a lot of time that people analyze the code, people analyze the potential vulnerabilities. All new players, I think they just need to go through 1, 2, 3 years of experience before you realistically can judge them in any ways.

Vlad Costea (00:33:10):

That’s fair. So sometimes I feel like this is the golden age of hardware wallets because there are so many manufacturers that just take the GitHub repository, they fork it, they create their own devices and sometimes they bring some interesting designs. And what I appreciate mostly about hardware wallets is when they look like regular household devices. And something that I like about the BitBox02 by the way, is that it has a male connector. And I don’t know why a lot of manufacturers don’t do that because it looks like a USB flash drive when it’s not turned on and makes sense for it to have that male connector. Plus some people who are very security minded will say that the cable that you’re using can be compromised, so if you’re cutting the cable in the middle, then that’s an extra good security step.

Douglas Bakkum (00:34:10):

Yeah. So the original BitBox01 also had a male connector, USB-A, and the BitBox02 has a USB-C male connector. So originally a lot of what you say is exactly what we were thinking about before. First of all cables, they’re annoying to carry around, but they could also be compromised by people sticking in some spy microchips inside with some kind of wireless output, which has been done in the past. And so we wanted to not need to use a cable and we also thought just a cable-free approach is also a lot easier for usability, so you can just plug it directly into your computer or plug it directly into your phone. And so those are some of the design considerations we were thinking about.

Jonas Schnelli (00:35:07):

We should not forget that we also ship it with the cable. So people who want to use a cable, there’s nothing that stops you even with the male connectors. So we have a female to male cable for extension, so it’s possible to use a cable but we made this decision because it’s just way more natural to use your computer or smartphone.

Vlad Costea (00:35:30):

Yeah. And that looks legit. It looks like a USB flash drive.

Jonas Schnelli (00:35:35):

Yeah. That’s also a feature because we think when you travel with a such device, you don’t want that it looks like a hardware wallet in the first place, because it can also be problematic if you cross borders and anything like this. So we made not that you will see our logo or Bitcoin or BitBox on top of that in first sight.

Vlad Costea (00:36:10):

Yeah. And I think the Ledger has a very good design because it looks like lots of USB flash drives. But when you look at the connector you’re going to notice that it’s female and I think that can give it away as a hardware wallet. I actually had an entire article where I commented on what the devices look like. And for example, on the Coldcard I said that it looks like a calculator, but anyone who takes a closer look will know notice that the screen is way too small. When you’re using a calculator, you want to have more digits for input. And also you don’t have the buttons for mathematical operations. So if it doesn’t have a plus, a minus, a divide, a multiply, then what kind of calculator is it? And that’s very noticeable.

Douglas Bakkum (00:37:08):

Yeah, that’d be pretty cool if they come out with a new model with a calculator plausible deniability feature. I’d like to see that.

Jonas Schnelli (00:37:16):

Yeah. But in the end—any border control officer—you can provide them a list of maybe six devices in case they should seize those devices and look after them. So I think it’s even with the most stealth device, trained people will recognize this as a hardware wallet. But I think it’s great that novice people will maybe have a harder time to figure out what it is.

Vlad Costea (00:37:49):

Yeah. You don’t want to show off. And I think from that perspective the Trezor has the worst of the designs as it looks like some kind of remote control for your car. But unless you have a car and you’re known to actually use that kind of device, then people will be suspicious.

Jonas Schnelli (00:38:15):

Yeah, that’s true.

Vlad Costea (00:38:16):

Anyway, let’s move on with another question. I feel like this dirty part was so graceful—you said everything that was nice to say. And now let me ask you about the original BitBox and why it was discontinued and what kind of issues that you think it had and have been fixed in the 02 model?

Douglas Bakkum (00:38:43):

So yeah, the original BitBox, we talked about it a little bit—it was originally called Digital BitBox when it first came out. That’s been on the market for over three and a half years. I should say we didn’t discontinue support but we stopped selling it last month. And we will continue support officially for one more year, possibly longer than that. And I’d say one of the misconceptions that we realized after the fact is we use the term, “end of life.” And that’s a very technical term in retail hardware products. It doesn’t mean that after one year from now, the device is just going to die and go away, it just means that there’s no guaranteed updates for it after a year from now. You’ll still be able to use it. And so you can still use it with our older apps, or you can still use it with Electrum. It works with Electrum for a number of years now. Just to clarify that.

New Speaker (00:39:56):

And so then the question is Why did we choose to discontinue it? Just like every other hardware wallet, vulnerabilities have been reported on it, but all the vulnerabilities reported on it have been fixed. And so it’s not an issue that there is something that’s not fixed on it. Let’s say the issue is more so, we felt that in the long run, it wouldn’t be competitive on the market because mainly it doesn’t have a screen.

New Speaker (00:40:28):

In addition, not having a screen makes it a bit harder to do the security maintenance. What we did without the screen was we had a secure connection to a mobile app. And so using a mobile app, we phrased it as basically a secure large remote screen. And that worked, but then this introduces another communication channel where people can attack and getting that right takes some effort. And so it’s also a maintenance issue—like a dev resources issue on our end—in order to continue to maintain it. Right now all the vulnerabilities are fixed, but there could be more vulnerabilities found in the future somewhere with that channel. And so those are the main reasons for discontinuing it.

New Speaker (00:41:29):

Again, we don’t want to leave our existing users out in the blue. We will continue support. And if you have issues with it, do contact us at our own support channels and we’ll try to take care of you like we would any of our other customers. So that’s the reason it was discontinued. An additional benefit to that is—time and dev resources are limited—and so if we can put more time into the BitBox02, which we think is a much stronger competitor in the field, and also into our app, trying to make that more usable, try to add features that the users want, we see this as a long run win in the end for our customers.

Vlad Costea (00:42:28):

Maybe this will be a stupid question, but is there any kind of backwards compatibility when you backup on a BitBox01 with the SD card to insert it into the 02 and have it work?

Douglas Bakkum (00:42:44):

It’s not a stupid question at all. We definitely wanted to do that, but unfortunately it’s not the case. The reason for that is, for the BitBox01, the standards for backups and mnemonics like BIP 32, BIP 44 were just coming out. And when we decided what kind of format we were going to make for the backups they weren’t following the exact standards. We tried to do something we thought made more sense, was more secure. But in the end the market hardware wallets and software wallets adopted these other standards. And so when we made the BitBox02 we decided it’d make more sense to have compatibility with the industry standard. And so the backups are different—they’re not going to be forward compatible or backward compatible.

New Speaker (00:43:43):

That said, if you switch wallets, I think it’s good practice to make a fresh wallet. By that I mean sweeping the funds from your old seed—your old hardware wallet, your old software wallet—into a new hardware wallet. And then you can be confident that if you throw away or misplace your old hardware wallet because you’re not using it anymore—you forget about it—someone doesn’t come along and just take it and guess your password or social-engineer you to figure out the password and then access the funds without you being aware.

Vlad Costea (00:44:26):

Okay. So we previously established that the Coldcard and the BitBox02 have the same secure chip, but how would you compare that chip with the one that’s inside the Ledger?

Douglas Bakkum (00:44:40):

I touched on this a little bit earlier talking about our security architecture versus the Ledger. So just to go into that a little bit more: the Coldcard and us are very similar, and we are quite different than the Ledger approach. The Ledger approach uses a secure element where they actually run a lot of the hardware wallet code inside of that secure element. And this is why, again, with the NDAs and so on, that some of their code is closed source. And so the Coldcard and us, we use the secure chip for a different purpose. We don’t run the actual hardware wallet code on it, we’re more using it as the gateway to authenticate your device or log into your device.

New Speaker (00:45:34):

In that sense we can use open source well-vetted cryptographic libraries. For example, we’re using the libsecp library that’s used in Bitcoin Core, which we think is by far the best and safest cryptographic library. Just to talk about bugs in libraries—OpenSSH, OpenSSL is a very common or well-used library, but during the development of libsecp, during a sanity test they found a difference in what the libsecp library produced versus these OpenSSH libraries, the cryptographic libraries. And it turned out that there is a bug in an edge case in the other OpenSSH library. So many people have looked at this, so much testing has gone into this particular library that we think, to do our users justice, we should be using this and we think other hardware wallets should adopt it also.

Vlad Costea (00:46:51):

Also, you mentioned the design similarities between the Coldcard and the BitBox02. This might be another dumb question, but is there a compatibility with backups? So you take the SD card from the BitBox and put it in the Coldcard and it just works?

Douglas Bakkum (00:47:12):

As far as I’m aware, no. I’m not exactly familiar with how they’re doing wallet recovery at the moment. But I believe with the Coldcard you have to enter the mnemonics through the user interface in the screen, not via the backup, but I’m not sure exactly on that point where they’re at right now. So in that sense, the SD card wouldn’t just work, but since we’re using the BIP standards, then if you export the word list from the BitBox02, then you would be able to import that into Coldcard.

Vlad Costea (00:47:54):

At the time right now when we record this, the BitBox02 has been launched on the market for a couple of months. What is the feature that got most praise from your users when you got feedback?

Douglas Bakkum (00:48:11):

We’ve been quite happy with the reviews. We’re making a list on our website if other people are interested in getting some third party opinions on our device. What I’m most happy about is a lot of great feedback about the user experience being both simple and even recommended for new users. But then also having the expert features still available, so that some of the things like Coin Control or connecting your own node to our app for example being possible. In general, it’s maybe not a good idea to try to make a one-size-fits-all solution, but I think we were able to do that with our device, which is quite nice.

New Speaker (00:49:11):

So it’s approachable for new users that don’t have a deep crypto knowledge, but it still offers some advanced expert features that people appreciate. The hardware design is also a general point that users appreciate. Its aesthetics and also, as you mentioned before, it’s discreet appearance so that you wouldn’t recognize it as a hardware wallet per se. It’s also important to note we have two versions of our hardware wallet out. The hardware itself is the same, but the firmware on it is different. We have a Bitcoin-only version, which has gotten a lot of positive feedback. And we also have a BitBox Multi edition which also has some support for different altcoins and also U2F second factor authentication.

Vlad Costea (00:50:11):

All right. So the next two questions are for power users. The first one is what kind of advice would you give to people who decide not to use the BitBox app and go for Electrum or Wasabi?

Jonas Schnelli (00:50:27):

Yeah. Right now on the BitBox02 we’re working on an Electrum plugin. At the very beginning, we identified the plugin landscape as one of the problems in the hardware wallet space, because there’s a lack of a standard, how an existing hot or software wallet can interact with the hardware wallet. So what we right now have is a plugin infrastructure—like Electrum has a bunch of plugins where the plugins are maintained within the code base of Electrum. So that makes it almost impossible for a hardware wallet manager to control the release cycles.

New Speaker (00:51:11):

Imagine there’s a critical bug that makes us knock on the door of Electrum and beg them to do a release, which they could refuse for political reasons or whatever. So the whole plugin infrastructure is not ideal for security in general and especially in our case, with the hardware wallet plugins that have potential problems. Back in 2015, I started to write on the standards, how software wallets could interact with hardware wallets. There hasn’t been a lot of progress in that sense. But there is the HWI library that has been created by a bunch of developers. That seems to be the future GUI element that could make it easy and possible for software wallets and hardware wallets. Right now we strongly recommend to use our software for BitBox02.

Douglas Bakkum (00:52:19):

Yeah. So that said, we look quite positively at Electrum and Thomas who’s running it. It’s a really great project. I think they’re doing things the right way. At the moment our original BitBox does have support. The BitBox02 does not have support yet, but we’re working on making that available in the very near future, and also, for Electrum, for the HWI library that Jonas mentioned.

Vlad Costea (00:52:55):

Now this goes back to that discussion that you had on the Stephan Livera Podcast and I don’t want to reiterate that, but maybe we can make a short summary—Why is a BitBox02 not as friendly with Multisig configurations as, for example, the Trezor model T?

Jonas Schnelli (00:53:15):

Yes, that’s a good point. Multisig has been very much proven on the on-chain side. So it works, the cryptographic assumptions are absolutely bulletproof, but the problem in Multisig is the whole user experience and the security assumption a hardware wallet makes. As an example, when you create a receiving address you need to have your co-signers’ xpubs or at least the public key. So if the concept or the implementation in the hardware wallet firmware has not been made correctly, it could be possible for an attacker to create a fake receiving address. And in the worst case, your coins are locked up with an attacker’s pub key or you eventually send your coins to the new owner.

New Speaker (00:54:17):

Also one of our employees Kaspar Etter has just released a vulnerability for Trezor and Ledger that actually can make these funds really [INAUDIBLE]. So Multisig—the concept in the Bitcoin chain—is absolutely sane, but the concept of how the hardware wallet has to deal with Multisig hasn’t been really worked out yet. So that’s why we haven’t implemented and served it to the users right now, and all the work on conceptual layers—that’s also why we have discovered those vulnerabilities.

Douglas Bakkum (00:54:57):

And just to add on that—Kaspar did really great work on that—and just a day or two ago, we actually released a blog post titled “The Pitfalls of Multisig on Hardware Wallets.” And so there’s a lot of material there that goes into further depth about why it’s not so straightforward to do security with Multisig.

Jonas Schnelli (00:55:22):

And it’s a simple conclusion: it could be more harmful to use Multisig currently than using Singlesig in certain situations. So before that [INAUDIBLE] out on the conceptual layer, I think using Singlesig is still—or maybe split your funds onto multiple hardware wallets—it’s maybe the better option right now, especially for users without a lot of experience.

Vlad Costea (00:55:52):

I was about to mention your research team, because in the last few weeks you have made a lot of disclosures and you have found vulnerabilities and Coldcard and the Trezor and in the Ledger, which is impressive.

Douglas Bakkum (00:56:10):

Yeah, just to give some context there. So it’s not that we actively sought out to find vulnerabilities in our competitors. It was more so, we really want to put Multisig into production for our products, and one of the first things we did was look and see how the others did it. And when we did that, we ended up finding a number of vulnerabilities that we responsibly disclosed to each of them. And that’s where this came out. That’s also why all of these responses came out at the same time, it’s because they were found at the same time. Again, if you check out our blogs you can find a link in our website shiftcrypto.ch it’ll give you a lot more details about each of these situations.

Vlad Costea (00:57:07):

So would you say that the responses that you got were positive?

Douglas Bakkum (00:57:13):

The responses from the community, the vast majority were positive. The interaction with Trezor again was really, really great, really amazing. Ledger in the end they said that the stuff we disclosed was expected behavior. You can read more about it, but the conversation with them was very good also. Coldcard, you had mentioned before, they weren’t so happy with the severity level that we labeled with some of their vulnerabilities, which led to a little bit of a heated Twitter discussion. In the end I should say that, Coldcard—especially with Multisig—probably did do the best job of all of them. It’s unfortunate it became too heated because in the end it probably wasn’t such a big deal.

Vlad Costea (00:58:29):

So the final question that I have for you, and this isn’t the final question of the interview because there are two more on Twitter that people have asked, but the final one that I have for you is about your future plans and what are you planning to do on this hardware wallet market in the future? And how will the BitBox02 evolve in time?

Jonas Schnelli (00:58:54):

First we can tap into the BitBox Base project we have started longer than a year ago, which is a full node, including a hardware wallet that we call the secure element, which is a complete open source project. Also the hardware might be open to build it on your own. It’s just a thing we think would be more interesting for all of our users. And if you haven’t read about the BitBox Base project, it’s only worth to go to the shiftcrypto.ch website and read up. We are in the process of shipping the first batch of devices to a bunch of people.

Douglas Bakkum (00:59:46):

Just to expand on that. Of course we’re interested in developing the BitBox02 further, we’re also interested in expanding our product offerings. And so the Base is a full Bitcoin node, eventually Lightning will be added also. We think this addresses a lot of the privacy concerns that are still an issue in Bitcoin especially. Whereas hardware wallets solve the security issue. What that means is if you use a hardware wallet, unless you can connect your own full node—which we offer that option in our app—but the vast majority of people don’t. So when you need to check out how many coins you have in your hardware wallet, you have to use a third party service.

New Speaker (01:00:39):

It could be us, it could be Trezor or Ledger—I’m not saying any of us would actually spy on people. But in the future we could be forced to if a government forces us to check out someone’s specific address. So if you’re using our service to probe the blockchain, basically your whole financial history is exposed and that’s something that people tend to not want to expose. I know there’s all this talk about “people don’t care about privacy anymore, people post everything on Facebook” and so on. But one thing they don’t really post on Facebook every week is their bank statements, for example. And so I think there are certain things that people do want to have private and BitBox Base addresses that. As far as the hardware wallet itself, we have a lot of ideas.

New Speaker (01:01:29):

Multisig of course as we mentioned before is something we want to add on. We want to continue to improve the usability. We’re quite happy that people like the usability already, but there’s always ways we can continue to improve that. We have the mobile app coming, which a lot of people have given us pretty good feedback on, multi-language support, things like that. But really continuing to improve on the overall user experience, the usability. Also try to give different types of services that people need such as fiat onramps and things like that.

Vlad Costea (01:02:06):

All right, so [INAUDIBLE] from Twitter, he wants to know where the inspiration came from for your devices, what’s behind the BitBox Base and tech projects, what we might expect down the road? So similar to my question, but more specific to the product.

Douglas Bakkum (01:02:26):

Okay. We answered some of the Base stuff already, but maybe Jonas you want to jump in?

Jonas Schnelli (01:02:33):

Yeah, I think the Base project, it’s probably worth to read up further on our website. There’s a lot of possibilities people can build with it. Maybe a mixer that automatically mixes coins. It could be Lightning situations which are HSM, it could be pool services that you get information that you received coins in a secure way.

New Speaker (01:02:59):

But in general for a lot of people privacy is equally or even more important than the funds themselves because if you are in a regime where disclosing your financial information can bring you in prison, that could be a situation where privacy is more valuable than the wealth itself. So I think having privacy as an option is super important. And it’s also combined with trust. So if you’re using a third party service, it’s not only about privacy, it’s also about trust. If you have received coins, it could [INAUDIBLE] those, it could not show you those. Or they could even show you fake coins in terms of unconfirmed, incoming UTXOs.

Douglas Bakkum (01:03:53):

At a higher level, all of us in our team, Jonas especially, but our whole team is quite motivated by just the whole cryptocurrency revolution, where we think it’s really early right now. A lot of the infrastructure, a lot of the tools still need to be put in place so that it’s easier for the whole world to take advantage of the opportunities that cryptocurrencies and Bitcoin present. And so from a company point of view we really want to give these tools and we think hardware especially will play a crucial role. and we think self-sovereign hardware is the best solution available.

New Speaker (01:04:51):

So that includes solving the security needs with hardware wallets, solving the privacy needs with the BitBox Base and full nodes, solving usability issues with our BitBox app. If you look at what makes cryptocurrency special, it’s these great properties like being decentralized, being permissionless, censorship resistant and so on. And we think if you don’t have self-custody, self-sovereign solutions, if you don’t hold your own keys, of course, “Not your keys, not your funds.” There can be problems in the long run, in the sense that, if everyone just puts their funds on centralized exchanges—can ignore all the hacking risks—this is a slippery slope back into the traditional way of doing things in the financial world.

New Speaker (01:05:51):

It’s also a slippery slope in the traditional way that governments can exert control. For example, if you’re a crypto company trying to open a bank account there’s a whole bunch of hurdles you have to go through in order to do that. And the government’s really paying attention to everything. So these properties that make crypto special slowly fade away. And we think that the only way to prevent that from happening is self-sovereign solutions and decentralized hardware. So that’s a bigger-picture motivation. One of the things in the question also is something we called TEP. what TEP stands for is Tamper Evident Packaging. It is a physical object, but it’s not electronic circuits. It’s a quite simple thing.

New Speaker (01:06:47):

And one of the biggest issues in the hardware wallet field but also in a number of other fields is, how do you secure the supply chain? How do you protect against someone tampering or replacing your device on the way from being shipped to the user? A really great example that came out a year or two ago was with one of Ledgers’ resellers where the reseller opened the box, they programmed the device, set up a wallet on it, changed the instruction manual. So when the device got to the user the instruction manual, said, you’re all set, your wallet is ready, have fun, go at it. But of course the reseller then had the private key. So if you put any coins on it the reseller could just steal it.

New Speaker (01:07:39):

So the device has to station things like that. They help, but they don’t solve this particular situation. So we tried to think of a solution that can solve that. And this is tamper evident packaging. We just launched an alpha, so we’re shipping some alpha devices for early testers, and on our website you can read more about it. The [TEP] concept is hard to explain in words, but it’s easy if you watch the video, but the concept is: we a little pouch with some small beads in it. You shake it up. And so you get a lot of entropy in the random pattern of these small beads inside this pouch. And then you vacuum seal this whole thing together with the enclosure and whatever you want to protect inside.

New Speaker (01:08:32):

That locks into place what we call a temporary fingerprint—this pattern. We take a photo of that before it leaves our warehouses. And when the user gets it, there’s a QR code, they can go scan that in. They can see what the picture looks like through our website. And they can compare this temporary fingerprint—this pattern of the beads in the pouch—and they can see whether or not the device was opened along the way, because in order to tamper with the device, you have to break the vacuum. And once you break the vacuum, the pattern will disappear.

Vlad Costea (01:09:15):

All right. So I don’t think the TEP was around the last time I checked your website, but it’s definitely interesting. And [INAUDIBLE] wants to know what your take is on QR codes. And if you think this is a future step for hardware developers—I’m not sure what he means—but you possibly know better?

Jonas Schnelli (01:09:37):

Yeah. I think I know what he means. Usually the problem is how you get unsigned transactions into your hardware wallet. Most hardware wallet vendors currently use the USB port, so you connect to your computer through USB and our hardware wallet considers that an insecure port. So whatever comes in there will be verified on the device with the onscreen approach. Or you can use the SD card approach as mainly Coldcard users with the PSBTs. And the third approach would be using QR codes. So imagine your wallet in the desktop could display a bunch of QR codes. You read those QR codes with your hardware wallet and this would bypass the whole need for a cable or even connecting to your computer.

New Speaker (01:10:34):

This is a nice approach but also has problems. There were [INAUDIBLE] secure code libraries where actually reading a QR code could produce a buffer overflow. Maybe could collude your device in the worst case. I think QR code is not safe from any types of vulnerabilities, but it will be a cool way how you could air gap your device.

Douglas Bakkum (01:11:05):

So just to expand on that, I think psychologically air gapping your device by only reading QR codes and displaying QR codes is a nice concept. But I think in the end it’s just a different way to transmit data from your computer to a device. You still need to transfer the same types of data, which is: what is a transaction, how much do you want to send and things like that. So a lot of the attack factors—having a QR code modality—it doesn’t really change these attack factors. It’s still the same data—it’s how the microcontroller on the hardware wallet interprets that data, which is where the attack would come in. That would be the same if you’re using a USB cable or a QR code reader. Of course a big difference then is the bandwidth. A QR code reader has a lot lower bandwidth than USB. You don’t need too much bandwidth for hardware wallet transactions. Sometimes you do, but usually that’s not really an issue. So one of the advantages there would be, time wise, a bit less time to actually perform an attack. In the end, a lot of the attacks are similar.

Vlad Costea (01:12:33):

So I know that—I’m not going to name any names—but a very important person for a very important hardware wallet manufacturer said that users can basically just go on eBay and buy used hardware wallets. And they’re going to be safe. Are you going to make any recommendations like that?

Douglas Bakkum (01:12:56):

Never. You want to go into depth?

Jonas Schnelli (01:13:02):

Yeah. I think the supply chain risk is just too high. It’s very complicated. But I would definitely not recommend to buy second-hand hardware wallets.

Douglas Bakkum (01:13:17):

It brings up the concept again that, given enough time and money, anything can be hacked. Also, things can be forged and so you can make imitations of different hardware wallets. I think that happened to Trezor in the past. Buying a used hardware wallet on eBay or whatever, all of these different types of attacks are possible. A forged device, some kind of modified device or pre-setup wallet with different seeds. A reprogrammed device is quite—I wouldn’t risk it. I mean for small amounts of funds it’s probably okay. But I just wouldn’t trust that for holding any significant amount of funds.

Vlad Costea (01:14:14):

I just love the skepticism in this space.

Jonas Schnelli (01:14:20):

Yeah, it’s crazy. It also brings up the question, What means second-hand? Obviously you think somebody has used it before, but it’s also the question, what if you buy it from a reseller? So it’s like getting into the same direction. Obviously it’s not because the product is still sealed in some ways, but what means sealed—easy to reseal or not? But I think we’ve did the max we could to make sure the product cannot be spoofed in any ways in terms of loading different firmwares. It’s impossible in our hardware wallets and it should be very easy to visually inspect that it is okay. But again, it’s just impossible.

Douglas Bakkum (01:15:05):

We can’t say impossible. Just try to make it very, very hard.

Vlad Costea (01:15:11):

All right, so we mentioned purchasing the BitBox02. Where can people listening to this get the device?

Douglas Bakkum (01:15:19):

So go to our website shiftcrypto.ch. You’ll see a a shop link and you can buy our device there along with some interesting little accessories. Also that link will bring you to a different list of resellers we have around the world. An advantage of a reseller is a bit cheaper shipping costs if you can find one in your own area. But yeah, check out our website, shiftcrypto.ch.

Vlad Costea (01:15:47):

You also sell devices at conferences that you attend or in places where people can buy without signing up with their address and full name or the delivery?

Douglas Bakkum (01:16:00):

Yes. At the conferences we attend we do sell a limited number of devices. If you’re in Switzerland, one of our resellers has set up an anonymous way to purchase devices. So you can check that out through our reseller links.

Vlad Costea (01:16:23):

All right. I think the last question belongs to Stadicus. He posted a GIF on Twitter and asked if this is a tag team or versus podcast mode.

Douglas Bakkum (01:16:44):

I didn’t see the GIF so I can’t comment. Stadicus is one of our team members, for those not aware.

Vlad Costea (01:16:54):

Yeah he works on the BitBox—

Douglas Bakkum (01:16:56):

BitBox Base. He’s the project lead on that. So I’m sorry Stadicus, I don’t get the question.

Vlad Costea (01:17:08):

I’m going to show it to you, because he also asked, “The winner gets the Lambo?” and I’m not sure if you saw the title card, but it has a retro 1980’s Lambo in the middle. You probably don’t spend much time on Twitter, which is possibly for the best.

Douglas Bakkum (01:17:35):

Jonas is on there a lot.

Vlad Costea (01:17:35):

All right. I don’t have any more questions for you. If you have anything to add before we wrap up this interview?

Douglas Bakkum (01:17:41):

No, it was a pleasure talking to you Vlad, it was great getting to know you at the last conference. And so thank you very much for this opportunity. I look forward to talking with you a lot in the future also.

Jonas Schnelli (01:17:55):

Yeah, thank you very much Vlad for doing this. Appreciate it.

Vlad Costea (01:18:00):

I mean, we said it at the same time, so it must be mutual, so thank you.

Vlad Costea

I'm here for the freedom, censorship-resistance, and unconfiscatability. What about you?

So, what do you think?

Follow Me