Regarding device security due to open source nature

It was mentioned in another thread that both the software and hardware are fully open source.

If that is the case, I am assuming the Prime does not use a secure element? If that assumption is correct, how does the device ensure protection against physical attacks? Meaning, if a thief is able to get their hands on the device and attempts to exfiltrate the seed, would it be less protected compared to a Ledger or Trezor (one of the models with an SE)? I know the Blockstream Jade uses a blind oracle to ensure the device data remains useless/encrypted without the PIN — this allows them to not have a secure element.

How does protection work while data is at rest on the Prime?

Passport Prime does use a secure element. A Microchip 608c, I believe, but I will need to double check the specific model number.

2 Likes

When we say Open Source we mean all the code that is executed is Open Source.

To your point, there are extremely conservative people who claim that any proprietary elements automatically invalidate the Open Source claim. Most people, on the other hand, understand that it depends on how this is implemented.

Let me use a metaphor to help you better understand what I mean by this; it’s gonna be fun.

Say you want to go from Paris to New York. You’d ideally want to take a plane, cause it’s the safest and fastest route there. Let’s say using a secure element is like taking a plane. When you take a plane however, you don’t really know what happens to your luggage. You drop it off, you fly, then you pick it up at your destination, but you don’t really know what happened to it during the flight - you have no way of verifying what happened in the cargo hold after all. Maybe there were people opening the luggage during the flight, taking photos of it and then repacking everything. Maybe they swapped your luggage and handed you a very similar but different one. You just don’t know, and the concern is valid. If you don’t take a plane however, going from Paris to New York becomes a real challenge…

So what was our approach? We decided to be smart about it, and get the benefits of the plane without exposing ourselves to the risk of dropping luggage in the cargo hold. In Passports, you board the plane without any checked luggage. This way your backpack stays with you the entire flight. Is there a cargo hold where you don’t know what’s going on? Sure, yes. Does it affect you? Not at all, because you never dropped off any luggage so it doesn’t really have an impact on your stuff.

Should the fact that a plane has a shady cargo hold mean you should never fly one? Well, we think it’s better to fly on an airplane and just not use the cargo hold, than refusing to fly at all. We get the benefit of flying, without the dangers of a cargo hold.

Trezor decided that cargo holds were too dangerous so at first they bought a kayak and used it to cross the Atlantic. Three generations later they gave up because they realized it’s far too dangerous, and all the new models now use an airplane without checking in any luggage.

Blockstream was also anti-airplanes, but seeing that Trezor’s kayak didn’t quite work they used another approach. They decided to go by ferry, but imagine the ferry only runs if you have an internet connection, and even then you rely on the captain’s memory to see you and say “ah yeah you were going to New York, right?”. So if the captain gets Alzheimer’s and doesn’t recognize you, you’ll never get to New York, if you don’t have an internet connection you can never leave Paris, and if the captain decides that you are going to Sao Paulo, Brazil, instead, there’s nothing you can really do about it so you better speak Portuguese. Is this safer than a plane where you don’t use the cargo hold? I mean, I don’t know. I wouldn’t say so.

All this to say, Passport Prime uses a secure element, and despite that, we consider it to be fully open sourced because no code is executed in the shady parts of the secure element (and you can verify this is the case because the code is free and open source).

PS: Ledger uses a plane but they blindfold you in the airport as soon as you arrive, they put you somewhere, you feel movement, they drop you somewhere, they remove the blindfold and give you “your luggage”, and tell you you have arrived in New York.

3 Likes

Thanks for the detailed reply. So to my understanding, Passport Prime uses a secure element (SE), but what do you mean that no code runs through it? Does that mean that, in effect, the app(s) that are interacting with the secure element are essentially calling an API using transaction metadata (account, to address, amount) requesting for the SE to write/sign a transaction/PSBT, with it only returning a response of a signed PSBT, rather than any magic “secure” code being executed without the user’s knowledge? Like the data flow is fully traceable other than reading what’s happening on the secure element - but based on what you said, since everything is open source, you can validate that it is not taking advantage or transmitting unwanted data via Bluetooth, NFC, etc?

2 Likes

Correct, no code is executed in the SE. And the rest of your assumptions are also correct to the best of my understanding, yes.

1 Like

Thank you! Looking forward to them shipping 🙂

2 Likes

Since we’re on this topic, can you explain what data gets stored in the SE and what gets stored elsewhere?

You can see all that sort of info on our GitHub doc here.

2 Likes