Is “Banking-grade Security” Good Enough for Your Bitcoins?

5 Reasons Why There Is No Secure Element in TREZOR

When we started our development research on TREZOR back in late 2012, we evaluated many options: open source, closed source, online connectivity, offline device, battery or no battery, fingerprint scanners, USB ports, Bluetooth… You name it.

Naturally, we also considered using a secure element (SE), as that is what European banks have used in their Chip & PIN cards for a few years already. And although SEs are generally promoted as the holy grail of end-user security in banking, we chose standard microcontrollers and an open-source architecture instead. Here is why.

1. Closed Source Is a Security Risk

Because a Secure Element is not open source, including one dims the transparency of the whole product. While the surrounding software that talks to the SE may be open source, malicious code could already be present at the core of the chip, with no way for anyone outside the vendor to verify it.

Government agencies do pressure chip producers to include backdoors in their products, so why should one assume it would be different with SEs, especially knowing that they are used for financial transactions? The user would never learn about it, because of the closed nature of the SE.

It was clear that the only way forward for Bitcoin security and TREZOR is open source. Everyone is welcome to review TREZOR’s full stack, and some world-class hackers are already doing so. This is impossible with Secure Elements.

2. The Real Risk for Bitcoin Is ONLINE

Secure elements are geared towards physical security, fortifying the data inside the chip. But physical security is not the primary concern for Bitcoin: the prevalent threat comes from the digital world, in the form of malware and remote attackers. That is NOT to say that *offline* protections are unimportant.

3. Physical Security IS Important,…

But does it really warrant the use of Secure Elements? No matter what physical security measures are implemented, any wallet and any valuable asset will always be susceptible to the $5 wrench attack.

Physically stealing your hardware wallet carries a high risk for the criminals. And sending your wallet to a laboratory to examine the chip with expensive equipment might cost more than the thieves could gain. In the end, the easiest way for this kind of people is simply to force you to give up your passwords.

We know we can’t protect TREZOR users from encountering evil criminals. But we can give them a strong shield against someone breaking into a TREZOR stolen from them, in the form of a PIN and a passphrase.

A PIN protects your TREZOR wallet against unauthorized access.

One or more passphrases can be used with the same TREZOR device to create so-called “hidden wallets,” which gives you a great advantage in situations such as being held at gunpoint. Each passphrase derives a separate wallet, so you can keep “decoy” wallets with a low balance next to your main wallet.
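How a passphrase turns one device into several wallets, as an added example that is not TREZOR firmware code: TREZOR’s passphrase is the BIP39 passphrase, which is fed into the seed derivation rather than stored on the device, so every distinct passphrase yields a distinct seed and the device holds no list of “valid” passphrases that a thief could extract. The mnemonic below is the well-known all-zero-entropy BIP39 test mnemonic, used here only as constructed sample input (never fund it); `wallet_id` is an illustrative stand-in for the real BIP32 key derivation, good enough to tell wallets apart.

```python
import hashlib
import unicodedata

# Constructed sample input: the standard BIP39 test mnemonic (entropy 0x00..00).
# It is public and must never hold real funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def _nfkd(s: str) -> str:
    # BIP39 normalises both mnemonic and passphrase with NFKD, so visually
    # identical strings with different Unicode encodings open the same wallet.
    return unicodedata.normalize("NFKD", s)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase).

    The passphrase is never stored; a different passphrase simply produces
    a different seed and therefore a different, independent wallet.
    """
    return hashlib.pbkdf2_hmac(
        "sha512",
        _nfkd(mnemonic).encode("utf-8"),
        ("mnemonic" + _nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Short fingerprint of the derived seed (illustrative stand-in for the
    BIP32 master key a real wallet would derive from this seed)."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:16]


def hidden_wallets(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to the wallet it unlocks.

    The empty passphrase is the standard wallet; any other string is a
    hidden wallet that exists only for someone who knows that exact string.
    """
    return {p: wallet_id(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    for p, wid in hidden_wallets(MNEMONIC, ["", "decoy", "real savings"]).items():
        print(f"passphrase={p!r:16} wallet={wid}")
```

Two practical consequences follow from the derivation: there is no error for a “wrong” passphrase (a typo or a change of case silently opens a different, empty wallet, so check the first address before sending funds to a hidden wallet), and the passphrase adds nothing if it is stored next to the recovery seed.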

Read our post about PIN and passphrase, or watch Andreas Antonopoulos explaining TREZOR’s physical security on Joe Rogan’s show.

4. “Secure” Does Not Always Equal Well Protected

Despite its name, using a Secure Element does not automatically mean that your money is safe. Successful thefts from chip-and-PIN cards built on SE technology were demonstrated recently at the Black Hat USA 2016 conference in Las Vegas.

5. The Bandwagon Risk

Granted, SEs are widely used in the banking sector. But just because something is widely used does not mean it is the best option, or sufficiently secure for bitcoin. On the contrary, because SEs are widely used, they will increasingly attract the attention of attackers.

Instead of jumping on the promise of smart-card security, TREZOR has focused on an overall smart security design.