Why Square’s Block Hardware Wallet Is Going to Suck
In March 2022, we’ve received two major updates from Square’s hardware wallet project – which is still in development under the name of “Block”. While I’m uncertain about the product name’s finality, some of the features described seem to be part of the definitive design: a 2 of 3 multisig default setup, with two user-owned devices (phone + Block hardware wallet) and a central server which holds the 3rd key.
Conceptually speaking, it’s not very different from what Blockstream has been doing with GreenAddress (rebranded in early 2019 as Blockstream Green), which makes use of a 2 of 2 multisig setup (phone + 2FA e-mail sent by Blockstream) to provide an extra layer of security when spending the bitcoins. Square only adds another device into the mix to make the interaction with their server optional and only a matter of recovering lost keys.
However, it’s not always about what a company is doing – it’s also about how. First of all, the decision to not include a screen on the hardware wallet is a terrible mistake which proves that Square didn’t do their homework. Secondly, the use of biometrics is a bad design in spite of its apparent convenience – you can change a PIN or passphrase, but the fingerprint always stays the same and can be easily copied or used against your will (for example, when someone grabs your hand).
Thirdly, using a multisig before Taproot wallets and addresses gain large-scale adoption is premature and will only make users pay higher transaction fees (assuming that the device will be launched soon). This will also result in compatibility issues between the Block and several hardware wallets – such as the privacy-centric Wasabi, which has no support for multisig but is excellent for hiding your IP address, using your own full node, and enabling you to spend the right UTXO for the right transaction.
Based on these observations, I feel pretty confident in saying that Square’s Block hardware wallet is going to suck. Not just for power users who have great expectations from their devices, but also for the newbies who want sovereignty and control under a simple user experience. It might be the best option for existing Square users thanks to expected native integrations, but otherwise there’s no reason to get a Block instead of a BitBox02, Blockstream Jade, or Ledger Nano X – all of which enable connectivity via mobile phone while providing better security.
Mục lục bài viết
Vlad, why are you such a hater?
I’m generally excited when new companies decide to enter the Bitcoin hardware market. When HTC launched their Bitcoin full node phone and internet router, I’ve actually been supportive and hoped we’d step into a new era of accessible sovereignty. I was also ecstatic when Blockstream stepped into the hardware wallet arena with the affordable and feature-packed Jade.
Heck, I’ve even given the KeepKey (a Trezor clone) the benefit of the doubt. Twice! And when Lixin Liu decided to launch an affordable Cobo Vault for the Western markets and later rebranded the product as KeyStone, I was the first podcaster to interview him. I’ve appreciated the simple smartphone-like input, the excellent multi-layered anti-tampering packaging, and the extra features on the Bitcoin-only version.
Likewise, I’m a big fan of Foundation Devices’ more refined take on the Coldcard. With Passport, they took the best features, put them in a nicer enclosure, and also provided a snappier user experience with a better-organized menu. Most importantly, Foundation Devices kept the code open source.
And when it comes to DIY devices, I’ve been supportive of everything from PiTrezor to SeedSigner, Specter DIY, and Bowser. I love them all and you can even find an entire article dedicated to building them in the 2022 edition of the BTCTKVR magazine, volume 1.
I have two entire podcast seasons which focus on hardware wallets, I’ve spoken with every major name in the space, and I appreciate every device for the unique features that it offers. Likewise, I don’t care if the hardware wallet comes from the Czech Republic, France, USA, Canada, or China. This is about providing an honest and reasonable degree of security with acceptable tradeoffs.
But in Square’s case, the design for Block is bad from the get-go. In the next section, I’m going to explain why. Though I don’t expect anyone from Square to read this or care about my analysis, I hope that it will help you understand some basic principles of good security.
No screen, no secure verification
When you’re signing a transaction, how do you know that you are sending the bitcoins to the address you want and in the amount that you desire? How do you know that there is no malevolent piece of software in the middle to insert somebody else’s address and sweep your wallet when you think you’re buying alpaca socks (or, shameless plug, making a small donation to the Bitcoin Takeover project)?
If your connection between the signing device (computer, phone, or hardware wallet) and the monitor is wired directly, then you have a certainty that there is no third party interference. You can take simple steps to verify that the communication between the two parts is honest, and in most cases you have the same data displayed in both places.
Case in point, Trezor: the original hardware wallet displays the amount and address on the device’s screen. You connect it to your computer via USB, you insert your PIN and passphrase, you verify if the amount and recipient correspond with the ones on your computer screen, and then you press a button to validate the transaction. It may sound complicated, but it’s a lot simpler in practice.
What’s that you’re saying, Square’s Block is going to work with mobile phones? Well, the BitBox02 connects directly to your Android smartphone through a male USB-C input. And if you’re on iOS, you can use the Ledger Nano X to pair with your iPhone via bluetooth. Both of these designs offer security on the go while featuring on-device screens for verification.
Learning from the past: BTChip/Ledger Nano and Digital BitBox
The cases of BitBox02 and Ledger weren’t picked randomly, though. They represent the two lessons from which Square should have learned instead of approaching the issue with a Silicon Valley-specific “disrupt” approach. It’s not like the information about the issues found in the Digital BitBox and Ledger Nano aren’t known and most of their designs wasn’t open sourced. The problem is that Square sought to attain simplicity at all costs, even if serious security design flaws emerge.
Launched in January 2013, the BTChip HW1 was Nicolas Bacca’s attempt to create a USB device which comes with all the security benefits of a smartcard. When he first posted about it, he announced compatibility with Electrum and GreenAddress, and was very honest about the drawbacks of the design (not open source). Bitcoin Core developers Mike Hearn and Luke Dash-Jr were among the first people to ask questions about how the HW1 works and what kind of attack vectors it might have (Luke even suggested a social engineering trick to sweep one’s wallet, which is completely plausible in the absence of a screen).
Image source: Coin Telegraph
A year later, the HW1 was upgraded and rebranded: thanks to the fusion of BTChip, French start-up Maison du Bitcoin and exchange platform Chronocoin, the Ledger Nano was born. The new device retained the same closed-source smartcard architecture, but added a better user experience and more native integrations. However, it still didn’t have a screen.
In S5 E8 of the Bitcoin Takeover podcast, Libbitcoin developer and Cryptoeconomics author Eric Voskuil explains why the screen is an essential part of the hardware wallet’s security and also suggests that the first Ledger had serious attack vectors that one could identify by reading the documentation. At the same time, Voskuil suggested that Trezor has the better design specifically because it’s always honest about what it does and the user can verify it.
When I interviewed him in early 2020, Nicolas Bacca (Mr. BTChip himself) indirectly suggested that verification via screen is important, as skilled and resourceful developers could theoretically hack the hardware wallet’s microcontroller unit (MCU) to make it display arbitrary information and fake inputs on the Ledger Nano S. He said it in the context of fixing the issue on the Nano X hardware wallet and also patching the vulnerability with a software update on the Nano S.
So even though he did not acknowledge that the “f00dbabe” attack presented by the wallet.fail team at 35C3 2018 was legit, BTChip did suggest that double-checking the transaction data using the screen is important.
But the biggest confirmation that the screen matters came in June 2016, when Ledger introduced to the world the Nano S: a hardware wallet which follows Trezor’s classic design with a screen, two buttons and a MCU chip. Of course, the French company kept using their own secure element chip.
Furthermore, if it was truly possible to create a hardware wallet which doesn’t feature a screen and comes with reasonable security guarantees, Ledger would either keep on selling the original Nano or else redesign it with modern features in mind. It would be very affordable and probably become a best seller. However, verification is more important than shaving $15 off the device’s retail cost.
Then there’s the case of the Digital BitBox: designed by ShiftCrypto CEO Douglas Bakkum and former Bitcoin Core developer and maintainer Jonas Schnelli, the minimalistic hardware wallet was launched in 2016. The reception was mostly positive and the form factor definitely helped the device benefit from an extra layer of plausible deniability. It even established a secondary password system which opened a “hidden” honeypot wallet.
Compared to the BTChip HW1 and the original Ledger Nano, the Digital BitBox actually offered users a way to verify transaction information (addresses and amounts) through a mobile app. For its time, the DBB offered unique and innovative features such as SD card backup, a LED which provided visual information about the device’s status, and libsecp256k1 elliptic curve parameters (also used in Schnorr signatures). According to Bitcoin Core developer Andrew Chow, the Digital BitBox was also the first hardware wallet which only acted as a transaction signer – as opposed to the Trezor and the Ledger, which do some on-device preparations.
However, remotely monitoring the hardware wallet with a phone relies on the assumption that the phone isn’t compromised and the communication between the two devices also works as designed. As admitted by Douglas Bakkum in 2020, “not having a screen makes it a bit harder to do security maintenance” and permanently relying on a remote screen “introduces another communication channel where people can attack, and getting that right takes some effort”. In other words, it’s an uphill battle of patching new issues that hackers may find, while the solution to include a native screen is simpler and more reliable.
As the ShiftCrypto CEO phrased it, “let’s say the issue is more so, we felt that in the long run, it wouldn’t be competitive on the market because mainly it doesn’t have a screen”.
To conclude this section, both Ledger and ShiftCrypto have attempted to create hardware wallets that don’t require a screen. They did it for purposes which concern both cost efficiency and minimalism. But if you want to buy one of their hardware wallets today, you will find that the only ones available are the BitBox02, the Ledger Nano S, and the Ledger Nano X – all of which have on-device screens.
Square’s Block hardware wallet vs Digital BitBox
Of the two obsolete and replaced hardware wallet designs presented, the one which bears the closest resemblance to Square’s efforts with the Block is the Digital BitBox. The reliance on a mobile phone as an external screen, the one-button design for transaction validation, as well as the focus on software innovation over hardware complexity make the two projects look very similar in ambitions and scope.
However, it should be noted that the default private key security is handled differently: while the Digital BitBox relied on the tried and tested single signature BIP39 seed phrase setup, Square aims to offer a native 2 of 3 multisig setup which turns every device involved into a signatory.
Many people consider multisig to be the silver bullet for bitcoin security, as spending requires a certain number of signatures and losing one of the keys is not always the end of the world. As a matter of fact, Block’s blog post from March 24th includes a special section which explains the game theory of losing the hardware wallet, the phone, or both. It’s no different from Casa’s Gold multisig plan, which now costs $120/year.
The main practical difference between the Digital BitBox’s BIP39 setup and the Block’s 2 of 3 multisig isn’t so significant when a hacker compromises the phone to send the bitcoins to another address. Since the hardware wallet signs the transactions blindly, there is no extra security benefit from the multisig setup. While it theoretically makes the coins harder to spend, the lack of verification through a native screen adds a dangerous attack vector.
Sure, the danger can be mitigated through a user interface that integrates address books and launches warnings when coins are about to get sent to a foreign address. The software wallet can also identify suspicious address changes that happen within a certain time frame (for example, if the remote hacker pastes his own address about a second after the Block’s user chooses the recipient, an anti-changing system can be set in place). But these workarounds can be exploited by anyone who reads the documentation/open source code, and Square’s programmers will fight an uphill battle.
Also, should we really expect a user who purchases a Block instead of a BitBox02 (and therefore chooses convenience over verification) to pay extra attention when signing transactions? The target audience is clearly non-technical – and in the long run, the decision to not add a screen which encourages users to pay extra attention will cost Square a lot more time and money.
The fingerprint issue
When the fingerprint scanning feature was first announced on March 11th 2022, many bitcoiners have expressed their concern about the use of biometrics – especially in the case of a service which communicates with an internet-connected phone.
On the other hand, some suggested that we already give our fingerprints to Google and Apple when we use smartphones. An easy counter-argument to this anti-privacy statement would be that mobile phones and laptops generally manage and store files related to our work and travels, but not data related to our generational wealth. Even when we access our bank accounts, all sorts of time-sensitive 2FA codes (from login apps to text messages) minimize the amount of data you leak to whoever is watching your phone while somewhat protecting the money against compromised devices. Why should we use our permanent fingerprints to get access to our bitcoin?
Sure, Square has explained in their blog post that fingerprints don’t leave the device and are never sent to the phone through the NFC connection. But the biggest problem isn’t privacy, but the permanent nature of biometrics – we simply can’t change them.
A password shouldn’t remain the same for the rest of our lives, especially when it unlocks access to the hardest money known to man. Whenever we feel in danger or have suspicions about being followed, we should have the option to change our passwords to protect ourselves from unwanted attacks. We should also get the option to open a honeypot wallet whose funds we are comfortable losing in an attack.
Fingerprints are easy to copy, replicate, and multiply. Not only that, but fingerprint scanners can be abused more easily by thieves and corrupt government officials – all they have to do is grab your hand and make you touch a sensor, or else tie your hands and take advantage of your biometrics to gain access to your money. In more extreme cases, chopping off the index finger also works. In comparison, changeable passwords are a lot more convenient because they provide more options to create your own security system.
To the Block team’s credit, they did decide to include a PIN input system as an alternative to the fingerprint scanning. However, since they’re given the option, it’s likely that most of their users will choose convenience over security. Once again, just like in the case of the screen, the trade-off between security and simplicity isn’t really justified.
Block Improvement Proposal: add screen for verification, remove fingerprint sensor
In security, the most tried and tested design is always the best. And while revolutionizing standards sounds heroic, there are cases when the costs outweigh the benefits. In the absence of a screen which provides transaction verification and in the presence of a default fingerprint scanning setup, Square’s Block hardware is doomed to suck and ultimately fail.
The only way in which such a device can succeed would involve a very attractive price point and an aggressive marketing campaign which targets Square’s users. However, more sales won’t improve the hardware wallet’s security in any way and the cost of tech support will only go up as more users transact from compromised phones and blindly sign transactions from the Block.
Part of the mission of every piece of Bitcoin-specific hardware is to also educate and provide a reasonable starting point which mixes convenience with a requirement to learn. By making everything too simple and discouraging verification, Square makes no contribution to this mission. Adoption at all costs isn’t really adoption if the user experience is dumbed-down to the point where security gets compromised – the people who use bitcoin from an interface which resembles their familiar bank account won’t stick around for too long if they make mistakes with their transactions and later find out that there is nothing that anyone can do to recover their funds.
So please, wallet.build team: take a few lessons from Bitcoin’s history, understand the scope of the mission, and redesign the Block hardware wallet to include a screen for verification and teach users how to create unbreakable PINs themselves. In the long run, it’s going to foster the right kind of adoption in which users have the correct mindset and expectations to become financially sovereign individuals.
