Can you really call it an air-gap if you're using a BLE radio? I mean, yes, technically the information is transferred over the air rather than through a wire, but you wouldn't call a cell-phone an air-gapped device because it has half a zillion radios inside, many of which you can't even reliably turn off.
Looking at the recent Broadcom wifi vulnerability -- just having a phone sitting there with the radio on is enough to let an attacker gain root on some devices.
I've generally seen the term "air-gap" used to mean "as isolated as possible" -- i.e. take apart a laptop and remove all networking hardware, microphones, speakers, fill all the ports with epoxy, and connect it to an isolated battery / power supply.
If an attacker can poke at your device by sending it custom BLE packets without your knowledge, I'd argue that it doesn't qualify.
From the video:
> The firefly is receive only, so it cannot be remotely hacked.
The nRF24L01 is not really a BLE radio, though the modulation is effectively the same. It supports only a very simple protocol that is proprietary to Nordic Semi. In this case it looks like they're abusing it to sniff BLE advertising packets, but it wouldn't be able to do much else.
I still agree that we shouldn't call it air-gapped, though.
A more "air gap"-ish concept would have been a camera on the Firefly. Take a pic of a QR code on the phone, sign on the device, use the phone to take a pic of the output QR.
I'm just critiquing the air gap design/claim. Getting a malicious QR code in front of the camera would either require the attacker to gain physical access to the device, at which point it is game over for any device, or they would have to compromise the app presenting the first QR code. This would be a problem regardless of the air gap design for something like this, even if you had to enter the data by hand into the device.
If I understood correctly, the wireless transmission is one way. So the attacker would ask the wallet to sign a transaction, then the confirm button would be mistakenly pressed... and you have to scan the screen to be able to send that transaction.
Possible problem: The attacker sends a transaction at the same time (or just before) a legit one is sent.
Not a big deal: The user is asked to send a specific quantity to a specific address on the screen. If somehow the user didn't check, or the attacker fooled him with the same quantity etc., the picture still has to be taken and checked to be the same transaction. Additionally, the wireless communication can have a second authentication factor.
I maybe am not understanding some part of the Ethereum protocol that is important to knowing how this can work...
If the wallet is stored on the device, and the device can only receive payment requests over BLE and nothing else, and the device does not store the block chain, and the device does not have Wi-Fi to go out and ask for information about the block chain state, how can the device know its own balance, or know whether it has sufficient funds to sign a transaction?
(Can it sign transactions that it can not immediately fulfill from the stored balances? Can they be used as IOUs?)
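An added example (not from the thread) that speaks to the balance question above: the bytes an Ethereum wallet signs for a legacy, EIP-155 transaction are the RLP encoding of the request fields plus the chain id, with no balance field, so a receive-only signer can produce a valid signature without knowing its balance; an insufficiently funded transaction is rejected by the network when a node validates it. The encoder and the PaymentRequest type are written for this example; the sample values are the EIP-155 test vector.

```python
# Added example: the EIP-155 signing payload of a legacy Ethereum transaction,
# built with a minimal RLP encoder. keccak-256 and secp256k1 come after this.
from dataclasses import dataclass

def int_to_bytes(n: int) -> bytes:
    """RLP integers are big-endian with no leading zeros; zero is empty."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""

def length_prefix(length: int, offset: int) -> bytes:
    """Prefix for a string (offset 0x80) or a list (offset 0xC0)."""
    if length < 56:
        return bytes([offset + length])
    len_bytes = int_to_bytes(length)
    return bytes([offset + 55 + len(len_bytes)]) + len_bytes

def rlp_encode(item) -> bytes:
    """Encode an int, bytes, or a (nested) list of those."""
    if isinstance(item, int):
        item = int_to_bytes(item)
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)  # a single low byte is its own encoding
        return length_prefix(len(item), 0x80) + bytes(item)
    if isinstance(item, (list, tuple)):
        payload = b"".join(rlp_encode(x) for x in item)
        return length_prefix(len(payload), 0xC0) + payload
    raise TypeError(f"cannot RLP-encode {type(item).__name__}")

@dataclass(frozen=True)
class PaymentRequest:
    """All the signer needs from the phone; note there is no balance field."""
    nonce: int
    gas_price: int
    gas_limit: int
    to: bytes  # 20-byte recipient address
    value: int  # in wei
    data: bytes = b""

def signing_payload(req: PaymentRequest, chain_id: int) -> bytes:
    """EIP-155 preimage; the wallet signs keccak256(payload) with its key."""
    if len(req.to) != 20:
        raise ValueError("recipient must be a 20-byte address")
    return rlp_encode([req.nonce, req.gas_price, req.gas_limit, req.to,
                       req.value, req.data, chain_id, 0, 0])

# Constructed from the EIP-155 example: nonce 9, 1 ETH to 0x3535...35, mainnet.
EIP155_EXAMPLE = PaymentRequest(9, 20_000_000_000, 21_000, b"\x35" * 20, 10**18)
```

The device only needs the phone to supply the nonce and gas fields alongside the amount and recipient; whether the account can actually cover value plus gas is settled later by the nodes that receive the scanned, signed transaction.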
I had the same thought. The presenter takes pains to emphasize that it cannot transmit. Is that a software limitation or a hardware limitation? If it's just software that doesn't transmit during its normal operation, the wallet could still be vulnerable to a malicious payload that turns on the radio and sends data.
A hardware wallet is a device to store cryptocurrency. When you have bitcoins or ether or whatever, you're 100% responsible for its safety: lose the keys, lose the coins. Just like cash or gold, and unlike PayPal or banks (where they owe you the quantity of your balance).
The problem is that holding keys in a PC or a phone is very risky: malware, security holes, etc. A hardware wallet allows very little communication between the key holder and the wallet usage, so the attack surface is several orders of magnitude smaller. You can even use it in a virus-ridden Windows XP machine.
edit: Another problem with crypto coin keys is that they can steal them and you won't notice until they spend the coins. Just like what happened with MtGox: they assumed there was no theft because the thieves didn't transfer the coins immediately. With a hardware wallet you can be sure nobody else is holding your keys (but it doesn't hurt to transfer them from time to time to a new wallet, which means the coins get new keys).
I wonder why use a screen/QR code to send back the signed transaction. What could an attacker do with a signed transaction you wouldn't want him to do? It would be more user friendly to send back the transaction to the phone using the custom BLE packets.
The firefly certainly can transmit; it has a display. I imagine an attacker could get the firefly to display enough information to extract the ether from the wallet.
It's a proof of concept, and at least passively interesting. Of course, I didn't see a "decline" button, and without a power button it could be an issue... BTLE could be sufficient with a screen sleep.
Also no idea how to add currency to the wallet... that could be another issue.
I saw another diagram of the device where it has two buttons -- one to accept (pay) and the other appears to be a power cutoff switch. I'm thinking that power cutoff will be the payment rejection button.
> Also no idea how to add currency to the wallet
If you get past the crowdfunding page, you are assigned a *.firefly.eth "ENS" name. This corresponds to a wallet address. So, the same way you add currency to any other wallet. (How does it know that it has an available balance, though...)
Thank you so much for showing me what I am supposed to do with my ETH credits! (Edit: Apparently I came off as astroturfing or something, I don't know why, I wanted to draw attention to the amazing ethers.io thing that is two links deep inside of this post...) This was honestly the first time I saw a great demo of what Ether can do and how it should be used, all within a browser, and also thanks to Coinbase supporting Ethereum, without even reaching for my wallet.
Edit: And the Devcon2 video behind the ethers link! This is the link that keeps on giving!
That was the easiest anyone on the internet ever took my $20. And I feel like you just showed me So Much in so few steps.
I have no idea what I just bought, or if I need to do something so that I can receive a kit? Hope your crowdfunding is successful? It says teaser, so I'm assuming that what I bought was just the ENS name, and the incredible exchange that was absolutely frictionless. I see that I have my own vanity address in there now, and I'm thinking that this is all somehow built on Ethereum ecosystem. In about 60 seconds you just completely restored my confidence that the whole Ethereum thing is absolutely incredible, and gonna take over the world.
(Not to mention I like the looks of your product/DIY thing!)
Man I feel like I'm really far behind the curve on this Ethereum thing, I learned all about Bitcoin but I never took any time to learn about Ethereum, and I feel like that was such a huge mistake. I know that it's contracts, and smart contracts, and by default accounts can't even tell you about transactions at all, until you write more something or other in a contract; and contracts are somehow JavaScript, and that's about as far as my knowledge extends about it.
I really just figured out that I needed to get some when it was worth about $90. But only just now, seeing how slick this Javascript wallet thing is that you just showed me, that you made me figure out how to keep, only now do I feel like I Really Get how much power there is in Ethereum that you don't just get "Batteries Included" like this on Bitcoin.
From the video:
> The firefly is receive only, so it cannot be remotely hacked.
Bullshit.