Passport Prime: Repeating Ledger's mistakes?

The new Passport device will send supposedly encrypted metadata to Foundation’s servers. You tell us that it’s only metadata and seed words never leave the device, but how can we be sure that this is the case?

The best way to reassure your users that you won’t steal their seed words is to not implement a feature that allows the exporting of information, instead of implementing one that does and then pinky promising that you will never be a malicious actor.

I was looking forward to this device until you guys started talking about all these pointless power+data USB-C port, Bluetooth and cloud backup features which, being supposed bitcoiners yourselves, you knew would turn off any serious bitcoiner from buying your product. Have I also mentioned that your attack surface is now 3x what it was on the original Passport?

Hey @magicinternetmoney, thank you for taking the time to write the post! I’m sorry to hear you were disappointed by the new device. However, let me break down some of the points you touched on:

Unlike Ledger, which runs closed-source software on closed-source hardware, ours will be 100% Free and Open Source Software (FOSS) and Free and Open Source Hardware (FOSH). This means that you won’t have to believe us; you will be able to audit the code and review the hardware implementation yourself. Unlike Ledger, our promises are bounded by transparency, and all our claims can be cross-referenced by anyone, anytime.

Besides that however, the way the system was designed is also radically different from that of Ledger. In their design, they claim you can 100% lose your device and they will recover it for you, meaning they MUST exfiltrate your seed out of the device. In our design, the seed never leaves the device. We will offer you two options:

Option 1) Manual backup: We provide three NFC cards in the box; you can do a 2-of-3 Shamir split using all three cards and completely ignore Magic Backups and Envoy+.

Option 2) Magic backup: Of the three cards you will be using two, and the third shard will be saved in Envoy, which will encrypt it with Envoy’s hot wallet seed and submit it encrypted to our servers.

So for starters, this is an opt-in service. If you want Magic Backups you can opt in; if you don’t want Magic Backups, you can go full manual. In any case, even if the universe collided and our CEO went rogue overnight, the only thing anyone would be able to steal from Foundation’s end would be one encrypted shard, which is useless without physical access to the rest of your cards. And I insist, this shard would be encrypted with the seed of your Envoy’s hot wallet, so even if we decided to steal one shard it would be useless without the seed of your Envoy’s hot wallet (which is used to encrypt the shard). And if Foundation's servers get seized or whatever, you can always use the other two cards you have to restore the seed in a new device. Again - all these claims will be verifiable when we release the code, no need to trust us at all.

As explained above, everything can be validated independently without pinky promises, and even with malicious actors nothing would be compromised because the design is resilient to this type of attack.

If you still don’t like our product, that’s alright! We will never be able to satisfy everyone, even if we try and keep all feedback present for our product line. That is why we will keep producing our batch 2 device, and supporting it software-wise for the foreseeable future. We know there will be people that still prefer batch 2, and that is ok.

Look at this as a personal security device, not exclusively as a HWW. Do you want an encrypted flash drive that hides files on demand when plugging them into a computer? Do you want to be able to keep your 2FA codes offline? Do you want to save your seeds offline? Do you want to use a nostr signing device without the friction of having to scan QR codes for every like, retweet or comment? Do you want a bitcoin HWW on top of this? Prime is your device. Heck, you could even use it without the bitcoin wallet app at all, just as a security device, and keep batch 2 alongside it as your dedicated bitcoin HWW if you wanted to. Don’t look at Prime as batch 3, look at it as a brand new concept of device.

I hope I addressed all your concerns! And by all means, if you still have more questions or you think something of what I said needs more explaining, please feel free to reply back. Thank you!

3 Likes
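The 2-of-3 split behind the two backup options above, as an added illustration that is not Foundation's code: a toy Shamir split over a prime field, a recovery from any two shards, and a small-field count showing that a single shard (such as the one a server would hold) is consistent with every possible secret. The field prime and the functions are assumptions of this example, not Passport's implementation.

```python
import secrets

# Mersenne prime 2^127 - 1, large enough to hold a 128-bit seed entropy value.
# (Assumed field for this example; not the device's actual parameters.)
P = (1 << 127) - 1

def split_2_of_3(secret: int, rng=secrets.randbelow):
    """Return shards (x, f(x)) for x = 1, 2, 3 of the line f(x) = secret + a1*x mod P.
    The secret is the intercept f(0); any two points fix the line, one does not."""
    assert 0 <= secret < P
    a1 = rng(P)                      # random slope, never stored anywhere
    return [(x, (secret + a1 * x) % P) for x in (1, 2, 3)]

def recover(shard_a, shard_b):
    """Lagrange interpolation at x = 0 from any two distinct shards."""
    (x1, y1), (x2, y2) = shard_a, shard_b
    assert x1 != x2
    # f(0) = y1 * x2 / (x2 - x1) - y2 * x1 / (x2 - x1)   (mod P)
    inv = pow((x2 - x1) % P, P - 2, P)   # modular inverse via Fermat's little theorem
    return (y1 * x2 * inv - y2 * x1 * inv) % P

def secrets_consistent_with_one_shard(shard, small_p):
    """Over a tiny prime field, count the secrets s for which some slope a1
    explains the given shard. Every s has exactly one such a1, so the count
    equals small_p: one shard alone carries no information about the secret."""
    x, y = shard
    count = 0
    for s in range(small_p):
        a1 = ((y - s) * pow(x, small_p - 2, small_p)) % small_p
        if (s + a1 * x) % small_p == y:
            count += 1
    return count

if __name__ == "__main__":
    seed_value = secrets.randbelow(1 << 128)          # constructed stand-in for seed entropy
    c1, c2, server_copy = split_2_of_3(seed_value)    # two NFC cards + the Envoy/server shard
    assert recover(c1, c2) == seed_value              # cards alone restore (servers seized)
    assert recover(c1, server_copy) == seed_value     # one card + backup shard also works
    print("one shard consistent with", secrets_consistent_with_one_shard((1, 5), 101), "of 101 secrets")
```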

Will your resellers around the world be getting their hands on the passport prime eventually to better distribute around the world?

Can’t promise that will be the case from day 1, we’ll have to see how each reseller decides to fulfill their stock, but yes, the idea is that this device is available from any distributor as well.

2 Likes

Insane how many bitcoiners think this is just another hww. Dudes, this is not where you store your life’s savings stack. This device is for daily use security across domains. Because it’s daily use, you can also use it for your bitcoin spending wallet instead of storing your spending wallet seed on a phone. At least that’s how I’ll be using it. Huge step forward in digital security.

4 Likes

Stay with your current passport if you’re concerned about security.

1 Like

Why would you consider the Prime not a wallet that you would use for large amounts of bitcoin or your life savings? Is it not as safe as batch two? I’m just wondering because I have already ordered mine.

It depends on your security model, but Prime carries a lot more code and doesn’t have the same airgap that a batch 2 has. Or, I should say it isn’t specifically designed for that airgap. I think it’s awesome and has a very important role to play in digital security, but Prime and Batch 2 are different products with different purposes in my mind.

2 Likes

Personally I disagree with that sentiment (saying that it’s not for long term stack storage). It’s like saying don’t use a Ledger Stax/Flex, or Blockstream Jade (and now Jade Plus) because they have bluetooth. Or to not use a Bitkey because it requires a phone to use.

Based on what I’ve read, the Passport Prime is a pretty solid device, even if not used with an airgap. If you install proper firmware on the device, you have very low risk of issues. Because the code is open source, vulnerabilities can be found, and odds are any major issues will be identified early on in the product’s lifecycle.

As these companies release new products, new best practices will arise, and new standards will be created. Is this wallet comparable to a Coldcard? Kinda, if you use it airgapped. Is there potentially more room for vulnerabilities? Probably. But if you use it for BTC only, and only basic functionalities developed by foundation, you’re probably fine. There will be pros and cons to every wallet, but you’re still better off than 90% of people considering 1) you’re using a hardware wallet (and one that is open source), 2) you’re concerned and conscious about your opsec, 3) you’re actively looking out for scams, malicious actions/firmware, double checking addresses before signing, etc.

EDIT: does this mean move all your BTC over on day 1? No. Maybe start with a few thousand, and it depends what you’re moving from. Are you moving from a coldcard/keystone? Maybe consider making a multisig with the Prime. Either way, consider waiting a couple months to allow the firmware to go through a few release cycles before considering to move huge amounts of BTC over.

2 Likes

My one gripe is that Foundation bashed Ledger for years for using Bluetooth, yet here we are. Eventually, they’ll need to stop bashing them and acknowledge that Bluetooth is a necessary evil for mass adoption and ease of use.

I honestly cringe when I hear NVK acting like a spoiled brat and vice versa. I’ve yet to hear anyone at Ledger bash any of their competitors, I’ll give them that.

Sticking with my Passport 2, for now.

I can understand that sentiment — I’m a fairly new customer. I haven’t been around for years, but have almost every reputable hardware wallet on the market, and was previously unimpressed by the original passport. I think you’re right in that the original passport is a different sort of product, specifically for those who are overly security conscious.

Personally, I think we can’t be so risk-averse forever, and by putting out products to the market that at least try to innovate (such as an encrypted Bluetooth connection), that might push the market to respond accordingly, and improve their own offerings to match. With open source software, there has to be a way to be able to prove that the device and firmware you’re running is not compromised. Assuming it isn’t, then Bluetooth isn’t and shouldn’t become an issue.

To be clear, we still think Ledger’s implementation of bluetooth, and all other bluetooth implementations so far, are unsafe and reckless. Let me try and clarify this:

Any HWW that uses bluetooth will need to use closed source code, that’s just how Bluetooth chips work. There just isn’t anything out there like a FOSS bluetooth chip. What Ledger and all other bluetooth implementations have done is use the main processor where the OS runs as the processor that has the bluetooth and is in charge of comms. This means your seed is handled in the same chip that has some obscure unknown code. And, on top of that, the bluetooth connection is unencrypted so anyone can read the traffic going in and coming out.

Our implementation is VERY different. In order to avoid shady code that’s outside of our reach living alongside the main OS, we use two processors: one without any bluetooth (where the OS runs, all the sensitive stuff happens and where all the code is 100% FOSS), and one that is exclusively used for the bluetooth communication. In order to make sure that the shady bluetooth chip never touches any sensitive information, we encrypt the data to be broadcast in the first processor (with some keys exchanged fully airgapped via QR code with your Envoy). After the data is encrypted in the non-bluetooth chip, it is sent to the bluetooth chip. So regardless of what the closed source code in the bluetooth chip does, it cannot read the info, and it can only broadcast it blindly. This encryption also makes it impossible for anyone in the range of your Prime to read any information coming in or out, as this would be as hard as trying to decrypt PGP encrypted emails - you just can’t. Also, for good measure, we will be using post-quantum encryption. Only your Envoy, with the key exchanged via airgapped QR code, can decrypt this info.

So while it is understandable that at first glance “we just added bluetooth like all the others”, you will understand now that we went to great lengths to make sure that no closed-source code ever touches sensitive information and any bluetooth communication is fully end-to-end encrypted (the original end being one step before the bluetooth chip). This makes our bluetooth implementation essentially have the benefits of a bluetooth connected device with the same security as an air gapped device (that’s how you exchanged the decryption key after all).

PS: To make matters worse, Ledger is fully closed source, so besides the bluetooth chip having code outside their knowledge, you also don’t know what they are doing with that chip, so yeah, I think it’s safe to say we are still not big fans of how Ledger handles their security.

5 Likes
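The trust boundary described in the post above, modelled as an added example that is not Foundation's code: the FOSS processor seals each frame under keys derived from a secret assumed to have been exchanged out of band (the QR step), the closed-source radio is an untrusted forwarder that only ever sees opaque bytes, and the phone side verifies before decrypting so a corrupted or replayed-under-wrong-key frame is rejected. Encrypt-then-MAC over an HMAC-SHA256 keystream is used here only because it is in the standard library; a real device would use a vetted AEAD (and the post says post-quantum encryption), so the cipher, key labels and frame layout are this example's assumptions.

```python
import hmac, hashlib, os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def derive_keys(qr_shared_secret: bytes):
    """Split the QR-exchanged secret into independent encryption and MAC keys."""
    enc = hmac.new(qr_shared_secret, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(qr_shared_secret, b"example-mac", hashlib.sha256).digest()
    return enc, mac

def secure_processor_seal(keys, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Runs on the FOSS processor. Output frame: nonce || ciphertext || tag."""
    enc, mac = keys
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    assert len(nonce) == NONCE_LEN
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def bluetooth_chip_forward(frame: bytes) -> bytes:
    """Untrusted closed-source radio: it can copy, drop or corrupt bytes, never read them."""
    return frame

def envoy_open(keys, frame: bytes):
    """Phone side: check the tag first; return None on any tampering or wrong key."""
    enc, mac = keys
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

if __name__ == "__main__":
    keys = derive_keys(b"constructed-qr-secret")       # constructed stand-in for the QR exchange
    frame = secure_processor_seal(keys, b"signed PSBT bytes")
    print("radio sees plaintext:", b"PSBT" in frame)    # False: the radio only carries ciphertext
    print("phone recovers:", envoy_open(keys, bluetooth_chip_forward(frame)))
```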

Ya I’m not trying to say that this device couldn’t be used as your primary keystore for your whole bitcoin stack, just that it’s not my preferred use-case for the Prime. I think the Prime will fit my use best as a daily carry, multi-purpose keystore device. I don’t want to be carrying my primary bitcoin stack keys. The signing device(s) for that stack are stored somewhere safe and don’t get touched all that often.

The Prime, on the other hand, because I’m not going to store the keys for large amounts of money, can go with me anywhere. It will fill the function that my phone currently fills for key storage of various types, but much more securely. I love this concept.

2 Likes

That’s the beauty of this thing! End state it will be so diverse that there will be so many different ways in which people utilize it.

3 Likes