SatoshiLabs has hired cryptography researcher and Bitcoin ‘white hat’ hacker Jochen Hoenicke to help the company work on the next generation of its flagship TREZOR hardware wallet devices.
‘Bitcoin Hero’ Johoe
Hoenicke, aka “Johoe,” earned the respect of the Bitcoin community in 2014-15 when he exploited a security flaw in the way Blockchain’s web wallet generated random numbers for keys and signatures, sweeping over 800 BTC from users’ wallets before anyone else could. Some addresses that were not created with Blockchain were affected by the same weakness.
He then returned the coins to Blockchain, using a Trezor device to do so. Johoe’s actions earned plenty of praise from the Bitcoin community, leading to him being called a “good samaritan” and “Bitcoin Hero.”
Mostly there was a sense of relief that hundreds of Bitcoin users had dodged a bullet. Plenty of other hackers, virtually guaranteed anonymity, would not have been so considerate.
His automated script scanned the blockchain for signatures that repeated an “R value.” In ECDSA the R value is derived from the random nonce chosen for each signature, so a repeated R means a repeated nonce, and two signatures made with the same nonce and the same key let anyone compute the private key. Many of the amounts he swept came from addresses he had already emptied once, meaning users were continuing to use wallets whose keys were already compromised.
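To make the mechanism concrete, here is an added example (not Hoenicke’s script, and not code from the article) that implements textbook ECDSA over secp256k1 in pure Python, signs several constructed messages with a deliberately repeated nonce, detects the repeated R value, and recovers the private key from two of the signatures. The victim key, the nonce and the message strings are constructed for the demo. It also handles one wrinkle a real scanner meets: Bitcoin wallets may replace s with n - s (the “low-s” rule), so both signs are tried and the candidate key is confirmed against the public key.

```python
import hashlib
from collections import defaultdict

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def msg_hash(msg: bytes) -> int:
    """Bitcoin-style double SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def ecdsa_sign(d, z, k):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 * (z + r*d) mod n."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)


def find_repeated_r(sigs):
    """Group signatures by r; any r seen twice means a repeated nonce k."""
    by_r = defaultdict(list)
    for sig in sigs:
        by_r[sig["r"]].append(sig)
    return {r: group for r, group in by_r.items() if len(group) > 1}


def recover_private_key(sig1, sig2, pubkey):
    """Recover d from two signatures that share r (and therefore k).

    k = (z1 - z2) / (s1 - s2) and d = (s1*k - z1) / r, all mod n.  A wallet
    may have flipped either s to n - s ("low-s"), so both signs of s2 are
    tried and each candidate d is confirmed against the known public key.
    """
    r, s1, z1 = sig1["r"], sig1["s"], sig1["z"]
    s2, z2 = sig2["s"], sig2["z"]
    for s2_cand in (s2, N - s2):
        if (s1 - s2_cand) % N == 0:
            continue  # identical s: same message, nothing to solve
        k = (z1 - z2) * pow(s1 - s2_cand, -1, N) % N
        d = (s1 * k - z1) * pow(r, -1, N) % N
        if scalar_mult(d, G) == pubkey:
            return d
    return None


def demo():
    """Constructed victim key and a 'broken RNG' that repeats k; not from the article."""
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    pubkey = scalar_mult(d, G)
    bad_k = 0xC0FFEE0000000000000000000000000000000000000000000000000000000001
    sigs = []
    for i, msg in enumerate([b"tx: pay 1 BTC", b"tx: pay 2 BTC", b"tx: pay 3 BTC"]):
        z = msg_hash(msg)
        r, s = ecdsa_sign(d, z, bad_k)
        s = min(s, N - s)  # apply Bitcoin's low-s normalisation to every signature
        sigs.append({"txid": f"demo-{i}", "r": r, "s": s, "z": z})
    dupes = find_repeated_r(sigs)
    for group in dupes.values():
        return recover_private_key(group[0], group[1], pubkey) == d
    return False


if __name__ == "__main__":
    print("private key recovered from repeated R:", demo())
```

The scan only needs the public data in every transaction (r, s and the signed hash z), which is why a script running against the whole chain could find compromised keys faster than their owners did.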
Impressed by Moral Standards
SatoshiLabs Co-Founder and CEO Alena Vranova told Bitcoin.com the company had first approached Hoenicke in 2014 (around the time he was returning the Blockchain coins), impressed by his attitude and moral standards.
At the time he declined due to his academic commitments. She explained:
We reached back to Jochen again some time ago and were lucky to get a ‘YES.’ Having Johoe on board will help us go faster towards TREZOR 2.0.
Hoenicke will continue his research work at the University of Oldenburg in Germany, where he earned his master’s degree and PhD in computer science, and will work remotely unless it is necessary to come to SatoshiLabs HQ in the Czech Republic.
Hoenicke had previously also identified and helped patch a side-channel vulnerability in TREZOR. By measuring the voltage on the device’s USB cable while it worked with a key (a power-analysis side channel), he could have extracted private keys from devices running older firmware versions.
The Future of TREZOR: Secure Cloud Computing
Vranova added the next generation TREZOR 2.0 “will bring improvements in many areas.”
“We are changing the hardware design and the entire software architecture,” she said. “The goal is to introduce a user-friendly encryption device to secure our digital life and valuables.”
TREZOR’s main selling point is that it is a single-purpose device with a trusted display: a piece of hardware that generates and stores cryptographic keys and keeps them completely apart from the internet.
Future versions would see TREZOR devices securing more than just cryptocurrencies, Vranova said, adding:
Without compromising on the safety of bitcoins, TREZOR can secure smart contracts but also securely log in to websites and systems or encrypt any documents and data. All in one click.
The software stack will encourage open source development of “TREZOR Apps” – security applications for any service, company or individual dealing with private data online.
SatoshiLabs is preparing to showcase an application for encrypting sensitive user data to the cloud with the new TREZOR Password Manager (TPM) within a few days.
“TPM is an example of how an individual can have an ultimately secure cloud storage in his own hands,” added Vranova. “Also it showcases how a password manager software could address the vulnerability of the master password and the availability of the service beyond users’ usual devices. Finally, TREZOR 2.0 will make the user experience with such an app even better.”
Having Johoe working closely with the team will likely enhance the reputation SatoshiLabs has earned over the past couple of years.
The company has a track record of hiring Bitcoin’s hacking whizzes. Among its team is Marek Palatinus, aka “Slush,” who started the first-ever Bitcoin mining pool Slush’s Pool, and Pavol Rusnak aka “Stick,” a long-time cryptographer and active Bitcoin community participant.
Do you use a TREZOR device? Would SatoshiLabs’ hiring decisions make you more likely to buy or trust one?
Images courtesy of SatoshiLabs