Closed misterdna closed 8 months ago
If removing the SD card is considered an essential step before entering seed data, the software could just refuse to let the user enter seeds until the SD card is removed. The operating system should know whether the card is still inserted or not and also whether the SD card is write protected or not.
------- Original Message ------- On Sunday, September 24th, 2023 at 8:16 PM, misterdna wrote:
I've forgotten to remove the SD card before entering my seed data on multiple occasions, even with the message saying to remove the card. Then I become paranoid about the off chance my seed data could be written to the card (maliciously, or due to a bug). I can think of two things that might be helpful for forgetful, paranoid people like me:
- Have a larger (maybe full-screen) warning requiring clicking (maybe a few) buttons to make sure users have been thoroughly reminded to remove the SD card, before being allowed to proceed with entering sensitive data. I am living proof that the small-ish message currently displayed isn't enough for some of us.
- Add a utility to completely wipe the SD card from the SeedSigner, so you don't have to be paranoid that inserting the card into a computer and wiping it from another device gives another chance for seed data to escape, after you entered seed data on a SeedSigner with the SD card still in the device.
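The gate proposed above (refuse seed entry while a card is inserted, and let the OS report presence and write-protect state) as an added example; this is not SeedSigner's own code. It assumes a Linux board where the card appears as /sys/block/mmcblk0 and the kernel exposes its read-only state in the `ro` attribute (whether that reflects the physical lock tab depends on the slot hardware), and takes the sysfs root as a parameter so it can run against a constructed fake tree.

```python
"""SD-card gate for a seed-entry flow (added example, not SeedSigner's code).

Assumption: the card is /sys/block/mmcblk0 and /sys/block/mmcblk0/ro holds
"1" when the kernel treats the device as read-only.  This guards against the
forgetfulness case in the thread; it is no defence against compromised software.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CardState:
    present: bool
    write_protected: bool


def read_card_state(sysfs_root="/sys", device="mmcblk0"):
    """Report whether the SD card is inserted and whether it is read-only."""
    dev_dir = os.path.join(sysfs_root, "block", device)
    if not os.path.isdir(dev_dir):
        return CardState(present=False, write_protected=False)
    try:
        with open(os.path.join(dev_dir, "ro")) as f:
            ro = f.read().strip() == "1"
    except OSError:
        ro = False  # flag missing or unreadable: assume writable (fail closed)
    return CardState(present=True, write_protected=ro)


def seed_entry_allowed(state, allow_write_protected=False):
    """Refuse seed entry while a writable card is inserted.

    Returns (allowed, reason) so the UI can show a full-screen warning
    explaining why it refused.
    """
    if not state.present:
        return True, "no SD card inserted"
    if state.write_protected and allow_write_protected:
        return True, "SD card inserted but write-protected"
    return False, "remove the SD card before entering seed data"


def make_fake_sysfs(present=True, ro_flag="0"):
    """Build a constructed sysfs tree in a temp dir for offline testing."""
    root = tempfile.mkdtemp()
    if present:
        dev_dir = os.path.join(root, "block", "mmcblk0")
        os.makedirs(dev_dir)
        with open(os.path.join(dev_dir, "ro"), "w") as f:
            f.write(ro_flag + "\n")
    return root
```

The default policy treats a write-protected card as still inserted; `allow_write_protected=True` relaxes that only when the operator trusts the slot to enforce the lock.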
Well, I guess "essential" is in the eye of the beholder, and the idea is to keep it flexible as SS currently works? But per your note that the OS knows if the SD card is removed, maybe an additional full screen warning can come up when entering a mode to enter seed material, but only if the card has not been removed when you enter such a mode.
I would say that your SD card or SS is already pwn’ed if there is any possibility of it writing secrets to the SD card if the software you’re supposed to be running doesn’t do that. I understand the damage control, yet it shouldn’t be considered safe to make signatures with a device that’s exfiltrating the seed to removable media.
Maybe just check the signatures on the SD before and after (until they address your issue)?
Sorry, I don't quite follow your last message. Already pwn'ed? I'm not technical enough to verify if the SS code is exfiltrating the seed or not - which is why removing the card before entering the seed is the elegant solution (if only I can remember to remove the card - hence this thread). And while I don't think I need to know, you're welcome to explain what threat model is being addressed by checking signatures on the SD before and after something. But I don't think it addresses anything I'm currently worried about.
As for me, I may just destroy my SD card and write the SS download I've already verified to a fresh card. I'm sure it's overkill, but SD cards are cheap, and it just makes sense to cross my Ts and dot my Is while I'm trying to do everything right.
I’m saying if removing the card before entering secrets protected you from something, in that situation, it won’t be safe to sign transactions either.
And there’s probably storage space to write the secret until next time somewhere on the board even without an SD in. In other words if your SS gets compromised it’s not safe to use even if you remove the SD.
You can verify the SD card the same way as the download. Or use write protect mode to keep it the same after flashing.
I’m calling your ritual security theater. Instead of worrying about whether you unplug the SD, worry that you installed the software yourself to generic hardware and can keep the SD card and signer from being tampered with and your seeds from being accessed.
Oh, ha, I'm sure much of what I'm doing is security theater (if it feels like it adds any level of security, I'm in)! I'm not technical enough to really know what might live on the device beyond removing the SD card, etc., so I'm just doing whatever makes sense from my high-level user perspective. Unsure if your assertion is also that the existing message about removing the SD card is also security theater?
I'm not worried about the SS being compromised, unless the signed SS software is compromised or malicious to begin with. I'm not sure if I'm missing some attack vector that you see? I guess I've totally overlooked write-protecting the SD card, which I will look into.
Note that I currently don't use my SS for transacting, I solely use it as a tool (create checksum words, verify addresses generated on other HW wallets, etc.). So the only thing I can think of that would cause me an issue with SS right now would be my seed can be grabbed in some way after the seed has been on the device.
This topic has been discussed in other issues and pull requests as well. https://github.com/SeedSigner/seedsigner/issues/344 https://github.com/SeedSigner/seedsigner/pull/410 and https://github.com/SeedSigner/seedsigner/pull/424