TREZOR clone for $30 (+review by the creator of the original)


Post by: McGravier » Wednesday, 28 January 2015, 17:33

Hi Redditors,

maybe you noticed the Chinese copy of the TREZOR wallet, BWallet. Most likely I should feel flattered, because when others copy you, you're doing it right. However, I still feel that I have something to say to the Reddit community about this product.

First of all, I'm quite surprised that BWallet is actually more expensive than TREZOR. Our existing customers can confirm that the TREZOR device costs $19; the rest up to $119 is the cost of research and development, software updates, customer support, development of many surrounding open-source standards etc. It's a shame that BWallet is an exact copy, yet it is more expensive, although they didn't spend a dollar on any of the above. To anybody who doubts TREZOR pricing, we'll happily sell them TREZOR units for $19 + shipping, with locked flash memory to prevent uploading of our firmware, which is not included in the price of the hardware.

I read many comments from people in the style of "cool, BWallet sells cheap hardware, so I'll upload TREZOR firmware into it and I'll be as safe as with TREZOR, but for cheap".

No. It won't work like this, for several reasons:

They changed the keys in the bootloader, so using firmware other than BWallet's will display an "Unofficial firmware" warning during boot-up. That's pretty OK, you can still upload TREZOR's firmware there, but from then on you will never know if somebody replaced this "official" TREZOR firmware with something else, because both SatoshiLabs' and an attacker's firmware trigger the same warning on boot-up. This affects practical security; the official TREZOR is so secure because everything put together makes sense, and you cannot remove one of the security precautions (signed, peer-reviewed firmware in this case) and pretend that it didn't affect overall security.

Also, for some reason they used different wiring for the buttons. That means you can load TREZOR firmware onto the device, BUT it won't work. You simply won't be able to click "Confirm" or "Cancel". Pretty useless, right? So you're stuck with their firmware.

This leads to another issue with BWallet: we at SatoshiLabs put a lot of engineering effort at the design level into ensuring your privacy. That means every TREZOR device looks like every other, and we cannot link your identity (from the e-shop) with your TREZOR accounts, your transaction history and your balance. The interesting part about BWallet is that they really did not change much in the firmware source code, except adding a tracking supercookie to the API. This particular line should catch your attention: https://github.com/BWallet/bwallet-mcu/ ... fsm.c#L148. This reports the processor's serial number to the computer, and it means that they track who you are (they know to which name/address they shipped the device) and how much money you have (because BWallet reports this ID to mybwallet.com).

Originally I thought that the button issue mentioned above was just an engineering mistake. Now I lean toward the conclusion that it's on purpose, because with different button wiring you cannot replace their firmware easily, so they can track you. A few years ago, scammers were selling e-mail addresses for good money. It seems that society is making progress and soon black markets will have lists of wealthy bitcoiners including their real names and residential addresses for a few bucks.

If the issues mentioned above didn't scare you to death yet, there's still something. They actually don't understand the firmware beyond being able to compile it. The proof is that they have a fatal error breaking the bootloader, and they haven't noticed it yet. Also, their firmware is already one release behind our stable release, and we're a day from releasing yet another version with important changes. This kind of copy&paste development is unacceptable for software where your money is at stake. Or would you get surgery from a doctor who learned from YouTube videos?

In conclusion, I'd like to say that it's perfectly OK for anyone to take our open-source product and make their own, but at the same time we're working hard on this project, we've established a trusted hardware wallet solution for everyone, and we don't want this reputation ruined by a potentially hazardous adaptation from someone who approaches it with a copy&paste attitude. There's just more to TREZOR as a service than what is in the source code.

Edit: They also purposely disabled the stack protector (https://github.com/BWallet/bwallet-mcu/ ... llet.c#L41), which is a common security measure that prevents exploitation of not-yet-discovered buffer overflows.

TL;DR: Somewhat lower security, and potentially much lower privacy.


In my opinion, if you have a very large sum to secure, don't pinch pennies.
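The bootloader argument in the quoted post, as an added example (not code from the original post, from SatoshiLabs or from BWallet): a toy bootloader that accepts a firmware image only if its signature verifies against the public key pinned in the bootloader. When a clone pins a different key, the genuine vendor image and a tampered image produce the identical warning, so the warning can no longer tell the user anything. The Lamport-style one-time signature is a stand-in for the real ECDSA check, and every key, seed and image below is constructed for the example.

```python
import hashlib

# Toy Lamport one-time signature over SHA-256, standing in for the real
# bootloader's ECDSA verification. Keys are derived from constructed seeds;
# nothing here is actual TREZOR or BWallet key material.

def lamport_keygen(seed: bytes):
    # Secret key: 256 pairs of 32-byte preimages; public key: their hashes.
    sk = [[hashlib.sha256(seed + bytes([i, b])).digest() for b in (0, 1)]
          for i in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, message: bytes):
    # Reveal one preimage per digest bit (one-time: each key signs once).
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]

def lamport_verify(pk, message: bytes, sig) -> bool:
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(message)))

def boot_check(pinned_pk, firmware: bytes, sig) -> str:
    # Model of the bootloader: this string is the only signal the user gets.
    if lamport_verify(pinned_pk, firmware, sig):
        return "official"
    return "unofficial firmware warning"

# Constructed key pairs: the original vendor, the clone maker, an attacker.
VENDOR_SK, VENDOR_PK = lamport_keygen(b"vendor-seed")
_, CLONE_PK = lamport_keygen(b"clone-seed")
ATTACKER_SK, _ = lamport_keygen(b"attacker-seed")

VENDOR_FW = b"vendor firmware image (constructed)"
ATTACKER_FW = b"tampered firmware image (constructed)"

def boot_outcomes() -> dict:
    """What each bootloader shows for the vendor image vs. a tampered one."""
    vendor_sig = lamport_sign(VENDOR_SK, VENDOR_FW)
    attacker_sig = lamport_sign(ATTACKER_SK, ATTACKER_FW)
    return {
        "original bootloader, vendor fw": boot_check(VENDOR_PK, VENDOR_FW, vendor_sig),
        "original bootloader, tampered fw": boot_check(VENDOR_PK, ATTACKER_FW, attacker_sig),
        "clone bootloader, vendor fw": boot_check(CLONE_PK, VENDOR_FW, vendor_sig),
        "clone bootloader, tampered fw": boot_check(CLONE_PK, ATTACKER_FW, attacker_sig),
    }
```

On the clone bootloader the two last entries are indistinguishable, which is exactly why re-flashing the vendor firmware onto the clone does not restore the original's guarantee.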

Re: TREZOR clone for $30 (+review by the creator of the original)

Post by: pm7 » Wednesday, 28 January 2015, 18:27

McGravier wrote: The proof is that they have a fatal error breaking the bootloader, and they haven't noticed it yet. Also, their firmware is already one release behind our stable release, and we're a day from releasing yet another version with important changes. This kind of copy&paste development is unacceptable for software where your money is at stake. Or would you get surgery from a doctor who learned from YouTube videos?
But where is that proof? :)
Clones in themselves aren't bad (see e.g. Arduino), but BWallet really doesn't look good.

Post by: majkel_94 » Wednesday, 28 January 2015, 19:39

I'm waiting for a wallet project built on Arduino, or at least on an ATmega, though Arduino is better because you have everything together, even USB or LAN, so put it in a box, add a display and buttons, and off you go :D

Post by: pm7 » Wednesday, 28 January 2015, 19:57


Post by: rav3n_pl » Wednesday, 28 January 2015, 20:28

@up that one is probably dead, no updates for a year.