Donjon Faults SE2 on Mk4
Ledger’s Donjon lab has released a new presentation on Laser Fault Injection against the DS28C36B used in the Coldcard Mk4. We call the specific chip attacked “the SE2” or “second secure element”, because it is one of three chips—from different vendors—that we use to secure your master secret.
TL;DR They didn’t get the master secret out (your Bitcoin seed), because the Mk4 stores that seed in SE1 (not SE2) and encrypts that with a key which requires full compromise three chips: SE1, SE2 and the main processor (MCU).
At Coinkite, we see today’s report as great validation of our multi-vendor secure element approach. The work Donjon lab is funding does help the entire Bitcoin community by validating the security claims made by companies like us.
They revealed they are able to access about half of the memory slots of the chip, by removing it from the Coldcard, melting off the chip case, mounting it to a special circuit board and then using a laser mounted to an X/Y gantry to zap the chip at a specific microscopic point. Doing that at the just right time glitches the chip into doing the wrong thing.
All of our source code is published on Github and we also document our security design:
- Understanding the Mk4 security mode (intro)
- Multi-vendor Mk4 security model (whitepaper)
- Specific ways we use secure elements in Mk4 (deep dive).
- SE2-specific access and usage source code (the code)
We use the first 13 slots on SE2 to store the “Trick Pins” and duress wallets, if defined. This allows us to activate the trick pins, without knowing the true PIN code. Your True PIN (ie. not a trick) is never stored in SE1, even when using Delta Mode. The Master Seed is not stored in SE2, only a paritial key (AES-256) to decrypt it.
Experimental Setup
Responsible Disclosure
Ledger has been in contact with us and the chip vendor over the last few months as they finalized this disclosure. Again, we’d like to thank them for their hard work.