This is an opinion editorial by Shinobi, a self-taught educator in the Bitcoin space and tech-oriented Bitcoin podcast host.
On December 15, 2021, Bitcoin Magazine announced that every attendee of the Bitcoin 2022 conference would receive a free hardware wallet from Arculus.
Arculus advertises itself as the “Arculus Secure Crypto Cold Storage Wallet,” and engages in quite a bit of hand waving in comparing itself to existing hardware key management devices in the space, touting “three-factor authentication,” freedom from reliance on “cords or Bluetooth” and calling itself the “safer way to store your crypto.” If I’m being honest, this sets off every red flag that is possible to set off for me in terms of insecure devices. Its website provides no proper explanation of architecture, makes vague comparisons to other devices that are not accurate and there is no actual open-source code for the product to be verified anywhere (in a request for comments for this article, Arculus responded that it is working to make the software app used in this device open source).
As a Bitcoin Magazine contributor I have a great many issues with this entire situation, from the nature of the partnership, to the device itself and how it has been handled in terms of the public perception after the announcement. To his credit, David Bailey (the BTC Inc CEO, who operates Bitcoin Magazine and Bitcoin 2022) has been very up front about acknowledging his responsibility for partnering with the provider before conducting proper “diligence.”
“Bitcoin Magazine makes thorough efforts to verify that its partners and sponsors are good faith actors who are genuine in their intent to build in the Bitcoin community,” a Bitcoin Magazine representative said in response to questions submitted for this article.” Bitcoin Magazine provided product feedback related to the security and design aspects of the hardware wallet experience — privacy concerns were considered to the extent that they’re considered in any partnership decision Bitcoin Magazine makes.”
This said, I believe there are still massive issues with the entire situation.
Don’t Trust, Verify
One of the core tenants of this space is “don’t trust, verify,” but the reality is that the more time goes on and the more this space grows, the more difficult following that tenant becomes. There are many Bitcoin tools, products and services out there that users must evaluate and verify the details for, so inevitably a lot of this verification is being outsourced to reputable figures and publications in the space. As much as I hate to say it, to some degree the bigger this ecosystem grows, the more inescapable that reality will become. Everyone can, in principle, verify everything themselves, but the time and effort required to do so is not practical for literally everyone. People have lives, obligations and gaps in knowledge that would have to be filled in to do so. Most people will inevitably have to outsource this to some degree.
This is what bothers me so much about this arrangement between Arculus and Bitcoin Magazine. I do not think enough was done to verify claims made by Arculus regarding its security, and how those claims were incorporated into its advertising, before arriving at a deal where every attendee of Bitcoin 2022 would be given the opportunity to take home an Arculus card for free. In an ecosystem built on verifying things yourself, where doing that is becoming more and more untenable, people and brands with large reaches and a lot of trust placed in them have a serious responsibility to actually conduct due diligence before recommending people in this space use things, let alone put their stamps of approval on them by giving them away for free at an event.
The hardware architecture of the Arculus device is very vaguely described in its white paper. It establishes the use of a “secure element,” but only describes the security rating of the device (EAL6+), not the actual model of chip.
This is not verifiable with the information on the site, but it seems to be of a similar design as Ledger hardware wallets, where 100% of the key handling, signing and other operations are done on the secure element (in response to questions for this article, Arculus verified that this is the case). This would mean that the entire security model is built around a closed-source chip. Now, obviously many people in this ecosystem take issue simply with the fact that something is closed source, but the reality is that using such a product is a choice for individual users to make for themselves. The popularity of products such as Ledger, entirely reliant on a closed-source, secure element and nothing else, make it clear that at least some Bitcoin users find that to be an acceptable tradeoff to make. However, that is not the only problematic aspect of the architecture of the Arculus, or rather, with the total lack of clarity on its architecture.
There are numerous security checks that are done by hardware-signing devices before they actually conduct the signing operation. These are automated safety checks managed by the hardware device to make sure that malicious transactions are not being signed that could result in the user losing money. Nothing on the Arculus website or any advertising material I’ve seen makes any mention of important checks that a device should engage in before actually signing a transaction, such as:
- Verifying that the change address used is actually generated from the user’s mnemonic seed
- Verifying that any change address that is multisignature is composed of the proper keys (and not a malicious address with an attackers keys able to spend coins, or a non-standard derivation path you won’t be able to recover on your own)
- If the device is capable of storing other XPUBs used in a multisignature wallet to be able to perform the above check
- Safety checks to make sure that the appropriate key is being used to sign a transaction (for instance, there have been attacks that could trick a wallet into signing a transaction it thinks is for bitcoin cash with bitcoin keys)
In a request for comment for this article, Arculus was asked what type of security checks the device does before signing a transaction. Specifically, I asked whether change addresses are verifying to ensure they are valid and part of the user’s wallet. This was the Arculus response:
“First off, the card has to have been previously linked with the phone that is generating the transaction. Change addresses, like all of the addresses, are generated based on the private keys on the card itself. Signing any transaction requires three factors of authentication:
- Something you know: your six digit card PIN
- Something you are: your biometrics
- Something you have: your physical Arculus Key Card
“The card will not sign a transaction without all three authentication factors. It’s worth noting that the six-digit card pin is stored on the card itself and the counter for failed PIN attempts is also stored on the card itself. After three failed PIN attempts, the card is reset and the user must restore via their recovery phrase.”
Based on this response, I have to conclude that none of the previously-listed types of security and address checks are performed on the device at all. This is shocking, given that such security checks are pretty standard across most hardware wallets in the ecosystem. It is especially shocking given the advertising claims of this Arculus device being the “safer way” tp store crypto.
The lack of transparency on architecture is a major red flag to me, but my biggest concerns are aspects of the architecture that are actually explained very well on the website. In reality these two design choices billed as a massive improvement in security versus other competitors are nothing more than security theater, and are effectively negated if the smartphone being used to interact with the device is compromised by malware.
The first problematic design decision is in the process of generating the actual mnemonic phrase and private keys on the device. Based on the white paper, this process does not seem to allow user-provided entropy, and although a large number of other well-known wallets in the space do not either, this is a lacking feature that makes Arculus’ blanket assessments of its product suggesting it is more secure than others, as outlined above, very problematic.
Additionally, per the white paper, the mnemonic seed is actually displayed on the smartphone for the back-up process. It is unclear whether the seed is generated by the Arculus card itself, or on the user’s smartphone, but the fact is that it really doesn’t matter. Displaying the mnemonic seed on the smartphone app means that, regardless of where it is generated, it is present on the smartphone at the time of generation during the initialization process. This completely undermines isolating keys on a hardware device for security purposes.
Additionally, according to the white paper, it actually prompts the user to re-enter the entire seed phrase into the app to confirm it. This means that the keyboard application of your phone is also gaining access to the seed phrase during the key generation. If the phone is compromised during the initialization process, your keys are compromised.
The second problematic aspect of the design is in the user entering their authentication pin on their smartphone itself. This is billed as an additional layer of security: “All transactions require you to enter your PIN and tap your card to authenticate,” reads the white paper. “The app verifies that the card’s GGUID (Globally unique identifier) and Account public keys match its stored information.”
But the reality is that being entered on the smartphone means that if your phone is compromised, the pin can be acquired by the actor that compromised your phone, giving them access to the second authentication mechanism. Hardware wallets have traditionally had the pin entered on the device itself, or used a scheme where a scrambled number pad is shown on the device screen so that when you enter the pin on a computer, it is not revealing what the pin is to that computer.
So, given the problems in architecture and communication of security models to the users, why on Earth are hand-waving comparisons like the above published on its website? The above chart claims superior security to other “cold storages.” But that is a demonstrably false claim, as articulated above.
Many other hardware wallets, regardless of the specifics of their hardware security architecture, are infinitely more secure than the Arculus simply by the virtue of only displaying your mnemonic seed on the device itself, and not sending it to and displaying it on a general computing device like your smartphone.
Additionally, the trend of battery-powered hardware wallets is very new, and most of the devices that have been sold in this space for years draw power when plugged in through a cable, having no internal battery. What is the purpose of making a “no charge required” comparison? The claim around it is inaccurate in suggesting that other cold storage solutions require a “charge,” and it serves no useful purpose except to create a meaningless category to add to the perception of this being a superior product.
The above image is another example of completely unfounded claims that amount to nothing more than incoherent gibberish in the attempt to paint Arculus favorably through its marketing.
Look at the “Leading-Edge Privacy” section of the above graphic from the Arculus website. What does “ultra-protection for your sensitive personal financial data” even mean? The entire wallet is built around a smartphone app. The wallet app has to fetch balance data about your bitcoin from somewhere — which, according to Arculus’s response to my questions, is a cloud-based environment relying on third-party partners for blockchain data. This makes the claim of providing leading-edge privacy completely false. You are leaking all of your asset balance data to Arculus, as well as potentially its third-party partners if it makes individual balance queries to those partners instead of downloading all of the data itself to process users’ balance queries.
As a last example of the irresponsible, inaccurate and misleading marketing of this product, Arculus posted this with a link to Econoalchemist’s thorough write up on verifiably-generating keys from your own entropy-using dice and splitting your mnemonic phrase into multiple pieces using Coldcard’s XOR protocol.
This is probably one of the most secure ways to generate private keys and set up a plausibly deniable back up for them without ever exposing them to a networked computer. Arculus claims that its device, which exposes your mnemonic seed to your smartphone during the initialization process, is more secure than the above method of generating keys from manual dice rolls on an air-gapped device that Econoalchemist documented in his write up.
That is factually not true, and a completely unethical and irresponsible claim to make. The process that Arculus uses to generate keys and provide the mnemonic phrase to the user to back them up is objectively less secure than the process documented by Econoalchemist. One exposes the user’s mnemonic to their smartphone, the other does not.
A Bitcoin Cornerstone
The phrase “don’t trust, verify” is a cornerstone of this ecosystem, but as discussed above, it is not practical for many, if not most, in this space to take that advice all the way to the root of everything they do relating to Bitcoin. This, in my opinion, places a serious ethical responsibility on educators, content creators and public figures in this space to actually do their homework when stepping into the public light and making recommendations regarding products and practices to the wider population of Bitcoiners.
It is hard enough as it is to gain a good understanding of Bitcoin and the tools available to interact with it and to make an informed decision about the safest tools to use to accomplish your goals. Content creators not taking the responsibility to inform people accurately makes it even harder.
I think that, to have any kind of positive impact or presence in this ecosystem, Arculus needs to fundamentally change its communication and marketing strategy and rethink some of the architecture of its product. Hardware solutions for cold storage should not at any point be exposing the mnemonic seed to a smartphone or computer — this undermines the entire purpose of managing private keys with a hardware device in the first place. Additionally, given such a glaring hole in the entire security model, they should not be engaging in marketing with such cavalier and inaccurate statements of the superiority of their security compared to other devices on the market today.
Until these two things are addressed in a serious and material way, I do not personally think that Bitcoin Magazine should be associating with such a company. I think it is both irresponsible and unethical to associate with a company engaging in such deceptive marketing and poor security practices given Bitcoin Magazine‘s role in this ecosystem.
This is a guest post by Shinobi. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.