S8 E6: Lazy Ninja on Hacking Hardware Wallets

You definitely don’t want to mess with Lazy Ninja, the legendary hardware wallet hacker who found vulnerabilities in the Coldcard and BitBox02 that other security experts didn’t think about. He’s smooth, he’s creative, and he’s resourceful – but most importantly, he lives up to the expectations of his name and doesn’t make too many disclosures. It’s not like researching hardware wallets is his full-time job either, but he’s proven to be very good at this task.

Lazy Ninja and I have previously recorded an episode in late December 2019, when the times were simpler and the hardware wallets were fewer. But in the meantime, we have seen the rise of the Cobo Vault, the Foundation Devices Passport, and the Blockstream Jade. Also, the new open source chip by Tropic Square is expected to get released with a new Trezor hardware wallet in the fall of 2022, and that’s one of the most exciting developments in the Bitcoin security space.

Throughout this rather long interview, we talk about multisig setups and why Lazy Ninja is not a fan, the importance of using metal plates for mnemonic backups, the role of money in the development and improvement of free open source projects, and the significance of the passphrase as an extra layer of security (regardless of the presence or absence of a security chip).

Naturally, the pseudonymous security expert also explains what kind of security vulnerability he has discovered in the Coldcard Mk3 and how the ATEC 608 chip works (the chip can be found in the Coldcard, the BitBox02, and the Foundation Devices Passport).

Lazy Ninja also takes a few subtle and somewhat friendly jabs at JW Weatherman by offering a brief review of Yeti Cold and suggesting that it may not be such a brilliant idea. The reaction comes as a response to an ongoing Twitter exchange in which Lazy Ninja is the advocate of hardware wallets, while JW suggests that setting up your multisig cold storage is better.

Another important topic concerns the differences between the Coldcard Wallet and the newly-launched Foundation Devices Passport, as the latter is an improved clone which uses a faster processor, a camera for QR code scanning, but also adds some form factor and user interface refinements. Lazy Ninja argues that the market should welcome all attempts to improve on existing open source projects, and the argument leads to a debate on financing and incentives.

Last but not least, we talk about the current state of the world and how wearing masks is wonderful, empowering, and masculine. There is no greater joy than walking outside and driving around with a layer of cotton which covers our mouths and noses. We’re absolutely ecstatic about this imposed layer of privacy that we must wear on our faces and we spend longer than 10 minutes praising our governments and appealing to our great sense of servitude. /s

Listen to Lazy Ninja on Apple Podcasts and Spotify!

And if you don’t have an account on Spotify or Apple Podcasts, or simply prefer a more privacy-centric and download-friendly way of listening to the episode, then you can use my RSS feed.

Your privacy is much more important than my clicks and ratings on centralized platforms (however, if you can leave a feedback on those I’d be really grateful, as it helps more people discover my work). And if you can, I recommend you to use the Tor browser to boost your privacy and plausible deniability – nobody will know who you are and where you’re based, which is definitely the cypherpunk way of enjoying this episode.

This Episode is Sponsored by Vaultoro and Wasabi Wallet!

Want to learn more about the values of the two companies? I have recorded episodes with both Joshua Scigala (Vaultoro CEO) and Nopara73 (Wasabi Wallet creator).

If you would like to support the show and you’re into trading hard money like bitcoin, gold, and silver, then sign up to Vaultoro using my referral link. Vaultoro will help you forget about shitcoins and focus on sound money. They also allow you topick up your gold bars or have them shipped to your address, so you don’t have to trust any custodian with your money. Keep in mind that you are responsible for your own decisions and I am not providing you financial advice.

And if you would like to increase your network and transaction privacy, you should download Wasabi Wallet on your computer. It routes your connection through the Tor network to hide your IP, it downloads block filters so you validate your own transactions locally without appealing to a trusted third party, and it also connects to your own full node to boost your financial sovereignty. Wasabi is best known for its link-breaking CoinJoins, which are giving a hard time even to the EuroPol. Use the wallet to increase your financial sovereignty, but don’t do any illegal stuff – use your financial sovereignty with responsibility (also read the Wasabi terms of service).

Time Stamps for my second interview with Lazy Ninja:

1:40 – Intro

03:37 – Tropic Square’s open source chips

04:25 – Malicious supply chain attacks on the firmware

07:04 – Cobo Vault anti-interception packaging

09:33 – Are passphrases useful? 

11:31 – “A single sig device that’s effectively a multisig device”

13:19 – How open source and auditable is the ATEC 608 chip that you find in the Coldcard, the BitBox02, and the Foundation Devices Passport?

20:10 – What did Coldcard change after Lazy Ninja’s disclosure?

27:20 – Airgap PC vs hardware wallet

39:52 – Security through obscurity (aka buying hardware that very few people use, so it has fewer known vulnerabilities; for example, RISC V and Apple M1 computers)

41:54 – Trezor and why money matters in open source projects

43:30 – Should average users do multisigs?

53:53 – Looking into Yeti Cold

58:01 – Why CDs are still great

1:00:26 – The story about cypherpunks still storing ecash on CDs

1:01:25 – Storing the Bitcoin UTXOs in time capsules, potentially sending them in space

1:03:14 – The CoinJoin rabbit hole 

1:16:53 – Lazy Ninja’s recommendation for securely storing bitcoins

1:23:44 – Considering your own death and inheritance

1:26:30 – Metal plates and good geographic distribution

1:30:00 – Bitcoin and wives

1:36:36 – Hardware wallet microcontrollers 

1:41:26 – Verifying open source hardware 

1:44:20 – Foundation Devices Passport vs Coldcard wallet

1:50:41 – Why open source software matters and why bounties are important incentives

2:00:54 – The Lazy Ninja Academy and bull market concerns

2:03:55 – This feels like 2017 all over again

2:08:02 – Freedom Isn’t Safe (@Freedomisntsafe on Twitter)

2:18:23 – Planning next year’s interview to hopefully explain more issues in hardware wallets

Vlad Costea

I'm here for the freedom, censorship-resistance, and unconfiscatability. What about you?

So, what do you think?

Follow Me