Ledger’s Donjon lab has released a new presentation on Laser Fault Injection against the DS28C36B used in the Coldcard Mk4. We call the specific chip attacked “the SE2” or “second secure element”, because it is one of three chips—from different vendors—that we use to secure your master secret.
TL;DR They didn’t get the master secret out (your Bitcoin seed), because the Mk4 stores that seed in SE1 (not SE2) and encrypts that with a key which requires full compromise three chips: SE1, SE2 and the main processor (MCU).
At Coinkite, we see today’s report as great validation of our multi-vendor secure element approach. The work Donjon lab is funding does help the entire Bitcoin community by validating the security claims made by companies like us.
They revealed they are able to access about half of the memory slots of the chip, by removing it from the Coldcard, melting off the chip case, mounting it to a special circuit board and then using a laser mounted to an X/Y gantry to zap the chip at a specific microscopic point. Doing that at the just right time glitches the chip into doing the wrong thing.
Ledger is a hardware wallet manufacturer, and they have a penetration testing research unit called DonJon, which is tasked with testing and exploiting various crypto hardware wallets. They are the only lab that has ever successfully extracted a private key from a ColdCard Mk3, and they did so by cracking the secure element in the device. The ColdCard Mk4 came out as a response to this incident.
The ColdCard Mk3 had one secure element (SE) and one microcontroller unit (MCU). The ColdCard Mk4 added a second secure element, so it has two secure elements and the MCU. A secure element is a tamper-resistant chip that is responsible for securely storing confidential and cryptographic data.
In this case, this was Ledger DonJon's first attempt at trying to compromise the ColdCard Mk4. They successfully cracked one of the two secure elements. However, because of the way it's designed, in order to extract the private key from the Mk4, you need to compromise all 3 components: the MCU, secure element one, and secure element two.
Ledger DonJon's latest research showed that they could crack only the second secure element on the Mk4. That secure element is just tasked with validating trick PIN codes, so compromising it might only reveal trick PIN combinations that were saved on that device, not the actual seed phrase.
An older penetration test attempt also proved that Ledger DonJon could crack the first (and only) secure element on the ColdCard Mk3, revealing the private key. As a result, Ledger is suggesting that they can "practically" hack the ColdCard Mk4 if they were to combine these 2 exploits, but they haven't actually demonstrated it.
Coinkite is claiming that Ledger's research is presented in a way that could be easily misinterpreted. At first glance, it sounds like Ledger compromised the seed phrase on a ColdCard Mk4, but that isn't the case. They might theoretically know how to do it but haven't yet demonstrated that they have the skill to actually pull it off.
Ultimately, in order to theoretically reveal the seed phrase on a stolen ColdCard Mk4, you would need access to very expensive lab equipment (worth ~$500K-$1M ), sophisticated knowledge of how to use that lab equipment, and lots of luck - you could easily make a mistake and brick the device.
TLDR; everything has tradeoffs. The ColdCard Mk4 remains an extremely difficult device to compromise, and no one has actually demonstrated a successful private key extraction on it. That being said, you should operate under the assumption that any hardware wallet can be cracked if a thief has enough time and resources.
You can also largely protect yourself from this threat by leveraging multi-vender multisignature to secure your bitcoin. Multisignature adds additional private keys that must also be individually extracted from different devices in order to steal funds. If those keys are stored in hardware wallets from different vendors (i.e., a combination of ColdCard, Ledger, Trezor, BitBox, etc.), a potential attacker would need to know how to crack all of those devices.
And as more people use multisignature, the single signature users also benefit from a sort of protection by proxy - compromising any single device might not even be enough to steal funds because that device could just be part of a larger multisig quorum. The attacker might spend a lot of money on expensive equipment, potentially fail to compromise the hardware wallet, or succeed and still not have access to any money.
Bitcoin private keys can be stored in so many different ways that you also gain a lot of plausible deniability if you are ever coerced to hand over the keys. You could potentially separate funds into any number of different custody schemes, including various combinations of singlesig and multisig wallets.