CVE-2023-25758: Our Response to Recent Security Fix Reports - OneKey

We would like to take this opportunity to address, clarify and respond to some of the arguments made about OneKey.

TLDR,

• No one is affected.
• All disclosed vulnerabilities have been or are being fixed.
• We have set the gold standard for security collaboration on open source projects.
• Be transparent, keep building, and ignore the FUD.

The Gold Standard for Secure Collaboration on Open Source Projects

Earlier this year, we received a responsible disclosure from cybersecurity startup Unciphered that validated a potential vulnerability in the OneKey firmware, and our hardware team has updated the security patch without anyone being affected.

We want to highlight the fact that these attacks cannot be exploited remotely. It would require disassembly of the device and physical access through a dedicated FPGA device in the lab to be possible to execute.

Interestingly, in the process of communicating with each other, Unciphered told us that several other world-renowned hardware vendors had similar issues, while we were the most responsive team and immediately fix the issue. We also paid Unciphered bounties to thank them for their contributions to OneKey’s security.

We put ourselves in the sun and choose to face and solve problems honestly.

OneKey, one of the few thoroughly open-source hardware wallets in the world, has come under the scrutiny of white-hat engineers while clearing its name. It’s a good thing that someone is correcting our mistakes, giving us the incentive to write world-class, high-quality code. If you’re interested, you can our bug bounty program to learn more.

No one can write perfect code, and even Apple and Google release numerous security patches each year to ensure the security of their devices.

We do the same, and OneKey’s focus has always been on protecting users from remote attacks. That said, with password phrases and basic security practices, even physical attacks disclosed by Unciphered will not affect OneKey users. We regularly release several security patches each year to harden the hardware wallet, keeping progress and transparency in the sun.

OneKey prioritized open source from the beginning of our hardware architecture selection because we wanted all of our own actions to be verifiable by the community.

We open-sourced the design and basic code of the secure components, allowing users to verify all important cryptographic operations.

• How recovery phrases and master private keys are generated from entropy
• How sub-private and public keys are generated/derived
• The signing process occurs entirely within the secure element
• Your private key never leaves the secure element
• Random Number Generation (TRNG)
• Cryptographic algorithms such as ECDSA
• How it protects against physical attacks (bypass attacks)

You can also verify TRNG by running tests such as FIPS 140–2.

However, this choice makes us drop some other security components that are also applicable, and we are thinking about what is best for users and striking a better balance between open source and security, and we will have future plans at the end of this article.

Minimize Trust

The main purpose of hardware wallets has always been to protect users’ money from malware attacks, computer viruses and various other remote dangers.

For example, earlier Trezor revealed the method by which a developer stole all the funds from Ledger through Stealth Change Address.

While we would like to achieve perfect physical security, we can only theoretically come infinitely close to doing so, not 100 percent. When we look at the entire hardware wallet manufacturing process, from silicon crystals to chip code, from firmware to software, it’s safe to say that with enough money, time and resources, any hardware barrier can be breached, even if it’s a nuclear weapon control system.

So, back to reality.

What the hardware wallet does is effectively increase the cost to the attacker by adding protection.

To be precise, the hardware wallet isolates your private key from the Internet, thus cutting off the means of remote attacks such as Trojan horses, phishing, computer viruses, etc. In the real world, the vast majority of attacks are done by remote means.

OneKey has made many efforts to prevent supply chain attacks.

- The majority of our supply chain service providers are from Apple, which allows us to deliver products to the highest standards in the consumer technology industry and ensures that stringent supply chain security management is implemented.
- We’ve added secure components to our hardware wallets and will soon add onboard authentication, which minimizes the risk of supply chain attacks.
- More secure, tamper-proof packaging.

Security education is part of the OneKey team’s role as a hardware wallet provider, and we continue to provide solutions to the community so they can secure their crypto assets from any threat.

About the Future

We look forward to making the following iterations for future hardware wallets.

• Defend against potential physical attacks by introducing EAL6+ or higher level security components with core business logic to them.
• Shrink the trust area and expand transparency through innovative cross-code, zero-knowledge proof, and PSBT.

Created in 2019, OneKey is one of the most trusted hardware wallet. It offers unparalleled security for cryptocurrencies, two-factor authentication and so on. These features are combined with an easy-to-use interface, whether you are a security expert or a new user.