Learn: Open source: Buzzword or real security for crypto wallets?

Open-sourcing crypto wallet designs offers some benefits, but there are trade-offs as well.

Last month, hardware crypto wallet manufacturer Ledger announced its “Ledger Recover” program designed to allow customers to back up their seed phrases to the cloud and link it with their real-world identity.

The announcement was met with heavy pushback from the crypto community, as many saw it as opposing the ideals of blockchain security and the decade-old mantra of keeping custody over one’s own keys.

Ledger responded swiftly, assuring customers that their seed phrases were safe and that the Ledger Recover program was opt-in. But the entire saga has led to a growing demand for open-source hardware wallets, which could enable the community to rule out any hardware or software backdoors.

Just a week later, Ledger announced that it was accelerating its open-source roadmap. But what does an open-source hardware wallet mean? What are the benefits? And crucially, are they actually securer than their closed-source counterparts?

What your hardware wallet isn’t

First, it’ll help to clear up some misconceptions surrounding hardware wallets.

Your wallet doesn't store crypto.

A lot of people think hardware wallets are used to store cryptocurrencies, but in reality, they’re used to store your private keys. All cryptocurrencies exist on the blockchain, and your private keys prove you own your tokens. This is why it’s important to keep your private key, well, private.

Your spare phone isn't a hardware wallet.

Hardware wallet manufacturing is complicated — and for good reason. People use these devices to secure millions of dollars worth of digital assets, and ensuring the safety of customer funds is crucial to building and maintaining a successful hardware wallet brand.

For this reason, various hardware wallet components are typically proprietary, meaning they cannot be purchased or inspected outside of buying a device and tearing it down. Some wallets even have built-in tamper protection to prevent this. Phones use far more accessible parts, making it a lot easier for an attacker to study and break.

Hardware wallets are not 100% secure

No device or software is completely invulnerable to attack. Accidentally interacting with a malicious smart contract can be catastrophic, and even the most secure wallet can’t protect you from rug pulls or phishing attacks. Hardware wallets are not digital bank vaults — they’re more like keys to a secure public lockbox. They’re a tool to help you store and access your assets securely and are only ever as safe as you are.

Will going open-source help?

If wallets were built with publicly available source code, mass individual audits could prevent malicious actors from getting their way — or at least that’s the claim. But manufacturing hardware wallets requires a lot more trust than one may think, and not just for the manufacturer.

Other businesses in the supply chain have reasonable opportunities to insert their own backdoors, and these devices have complex supply chains. Most hardware wallet companies rely on contract manufacturers, which tend to rely on supply chains originating in China.

Another supposed advantage of open-source hardware wallets is increased compatibility and greater community involvement in development. However, making code publicly available makes it easier for hackers to scour it for vulnerabilities. And since the wallet would be made using publicly available components, it would be easier for scammers to create fake wallets that can steal your funds.

Nicolas Bacca, co-founder and vice president of Innovation Lab at Ledger, told Cointelegraph that the biggest challenge facing open-source hardware wallets is creating a way for users to easily verify whether their device is genuine with strong guarantees. Most reputable manufacturers allow you to check the device serial number on their website to confirm its legitimacy. Would you trust every business in an open-source hardware wallet’s supply chain?

“It’s important to remember that an open-source hardware wallet will almost always rely on closed-source components,” said Bacca. “The only way to really know how secure it is is to try to break it and reverse engineer it.” With closed-source wallets, this isn’t possible.

“Until now no wallet has ever released firmware with a proven backdoor. If the firmware is open, it is scrutinized around the world. In closed-source wallets, that is never possible,” Vipul Saini, co-founder and chief technology officer of hardware wallet firm Cypherock, told Cointelegraph.

He believes that operations involving the generation and utilization of private keys should be made open-source. “That is where major backdoors, like kleptographic attacks and predictive random numbers, can be easily established,” he said.

In April 2022, a white hat hacker from Ledger’s security team caught a vulnerability similar to a backdoor in the seed generation of Trust Wallet, a Binance-owned open-source software wallet. With off-the-shelf chips, any party in the supply chain could modify the code that loads the bootloader, a critical part of ensuring the customer receives a device with genuine firmware.

This wouldn’t be noticed by code auditors since the backdoor could be inserted, while the code is being loaded onto the device.

“Given this limitation, it’s not possible to build a robust chain of trust for open-source hardware wallets, which considerably limits their distribution and safe use by the largest number of users,” he added. “The ‘many eyes’ paradigm doesn’t really work for security code, with the best example of this being the Heartbleed OpenSSL exploit.”

Are open-source wallets the future?

As centralized exchanges continue their efforts to rebuild trust with the crypto community, people are being encouraged to store their coins in hardware wallets more than ever before. If the open-source movement gains more traction, the ability to verify that your device hasn’t been tampered with is critical, and this isn’t easy without an intermediary.

One solution is encouraging open-source hardware wallet producers to comply with the Open Source Hardware Association (OSHWA) criteria and obtain CERN’s Open Hardware Licence. But as examples like the 2008 global financial crisis showed, licenses and certifications can only guarantee so much.

“OSHWA helps provide proper labels, define and certify what is open hardware,” said Bacca, stating that it doesn’t help secure against attacks, but it’s useful to avoid dubious marketing claims. Bacca also mentioned a few existing vendors that claimed to be open-source without having an open-source license, or with proprietary code mixed in with their open-source codebase.

From unclear incentive structures to restricted testing in predefined circumstances, it’s important to address the limitations of certification organizations. The movement could also lead to a stampede of companies capitalizing on the “open-source” buzzword, hiding their proprietary elements behind sub-standard certifications.

Closed-source manufacturers use proprietary chips to enforce strong root-of-trust guarantees, but what would a pure open-source wallet employ? The reality of the market is that security evaluations are more nuanced than a simple dichotomy of open source vs. closed source.

At the end of the day, consumers want the securest option that requires them to trust the least number of people.

This article first appeared in Cointelegraph, by Anupam Varshney