Hardware hacker and YouTube creator Joe Grand recently joined Dennis Fisher on the Decipher podcast to talk about his recent adventures hacking hardware cryptocurrency wallets and staying curious. This is an edited and condensed transcript of the podcast.
Dennis Fisher: I was thinking about what people know you as now. So for people our age you're Kingpin from the L0pht, for like a slightly younger generation, you're the DEF CON badge hacking guy probably you know or maybe the dude they saw in Prototype This like once upon a time but now for the current generation, you're definitely the hardware crypto wallet hacking guy.
Joe Grand: Yeah, that's a really interesting point. I never really thought about that. it's like different groups of people, maybe not different generations but different groups of people and it's funny because, with all the cryptocurrency wallet hacking stuff I've done. I'm basically just still a hacker just using my skills for this particular genre. So it's definitely interesting that that's what people know me as and people expect a lot. That's what I'm noticing too is being like a YouTube celebrity in air quotes. Where people see these videos and they kind of have this connection to you and they think oh you know, nice guy, I'm going to have him do something for me. Like people expect you to do things for them and I've gotten hundreds and hundreds of emails and a lot of them are like can you do this for me and it's like I'm you know I'm sorry I can't. There's too much other stuff going on and sometimes people respond with nasty things. You know it's like I'm not here necessarily to serve everybody. I want to serve certain people that need help. But I'm doing this because I love doing it and because I want to do it not because I'm in service of some random person on the internet. I mean it's not even the money. It's the time right? It's like I'm not getting any younger and it's like I only want to spend the time doing things that are intellectually challenging. You know, technologically challenging and interesting and stimulating for my brain.
Dennis Fisher: That's one of the things that's definitely always struck me about you is how much you love what you do. You're lucky to do something that you love. So am I but not everybody gets to do that. You know we get to spend our time doing something that we really enjoy and are pretty good at. So you get to pick and choose these projects that you really want to do, so how did that crypto wallet thing happen?
Joe Grand: Yeah, we're super lucky to be able to do what we love in this hobby now turned into a gigantic industry right? like being involved in cyber security or in hacking. So it was a conscious choice to do it this way and kind of try to stay independent. And do what I can and do my trainings and try to have some sustainable income once in a while and it's amazing, right? I mean it's totally lucky and I I completely acknowledge that a lot of people don't have that opportunity. So I got this email from a guy that was very well written and said hey I you know invested in some cryptocurrency I have a Trezor one hardware wallet and I forgot the PIN, I'd love to get the funds off. It looks like there's some existing research out there. Are you able to help? And I almost ignored it. But then my wife who was in the room when I was reading the email and she's like oh that's kind of cool. Maybe you should respond to that. It was still during Covid. So actually we filmed the hack a year ago in June and then we released the video in January. But it was still during kind of not lockdown but still kind of Covid and and not everybody was out and about like they are now and I wasn't traveling for teaching or anything and she's like you know, just respond and see what he's up to. You're not doing anything else and ah, she's always the voice of reason. I reached out to him and had a call with him and he seemed totally legit. So I started going down the path of researching the device and yeah there was some existing work on hacking the Trezor done by some friends of mine so I was like how hard could it be to replicate their work and it should be fine and that's when I went into the three months of complete learning curve of all of these really amazing kind of hardware hacking techniques and learning the intricacies of all these different problems that you have when hacking with these techniques. I couldn't screw it up because it was a customer and the thing is taking the existing knowledge of a vulnerability and exploiting that in a way that has the least amount of risk.
Dennis Fisher: Yeah, that's the thing that jumped out at me about that particular video is you kept saying we really only have this chance, are you totally sure? When I hit this enter key there's no turning back like if it doesn't work.
"The amount of stuff I learned in that time is priceless.
Joe Grand: That's where the challenge was. If you come from a software background and you have some sort of script or some sort of malware exploit or whatever. If the setup is correct, it will probably work. With fault injection which is the technique that we were using, you're basically affecting the internal logic of a chip to misbehave. Even if you have everything exactly perfect it still might not work. Or you might completely screw something up. So there's always that unknown aspect. I mean you're screwing with physics at that point right? You're like doing ah a brownout. Watching that video again I just can't believe how lucky we actually were to capture it because the ones I did after the fact this past year same versions of firmware or even earlier versions of firmware still vulnerable to this type of technique were not as easy and it just wasn't working as well and I was able to successfully inject the fault but I wasn't getting the contents and this and that and one of them I actually permanently downgraded the security of the chip. So as I was doing my fault injection I corrupted some area of the register or of the flash memory location that was storing the state of security and downgraded it, which is crazy like it's awesome to know that I could do that but scary at the same time because it shows you when you're doing this type of technique, you can affect the chip and say I did it on on this device that had $2 million on it and instead of corrupting the flash in a good way I corrupted it in a bad way that then we could never get the contents out or it wiped the memory. There was always that in the back of my head and even today any time I hack on something even before then you know anytime I've hacked on something ever, it all sounds great. Everybody thinks you're a magician and can do all of this magic stuff. But in reality there's always something that can go wrong.
And I wanted to set that expectation and make sure that the customer knew that when we were filming but everybody who subsequently watched the video knew. Also that you just don't know no matter how easy something ends up feeling or appearing, it might never be that way.
Dennis Fisher: Especially with hardware. I mean with software I expect nothing to work ever but hardware. You know there's a ton of different things that can go wrong. The software, the firmware, the hardware itself, any combination of those can just go sideways. I assume you had those conversations with him ahead of time. You know, no guarantees here.
Joe Grand: Yeah I explained a little bit to him in advance. He did want me to prove that I could do it with a couple other Trezor devices. So I bought a bunch and replicated the work and proved it to him and and I was developing a couple other attacks in parallel to that. Which I'm still working on as kind of alternates to to the one I did on the video because the one in the video was very specific to that version of firmware or earlier and Trezor had patched the problem so I wanted to have some backup options in case that one didn't work for whatever reason so I started working on some other ones that are lower level. Boot loader related attacks which there's been some public work about some of that and I have some other ideas of things that are related to basically be firmware independent and if the chip is vulnerable which they are because the silicon itself is vulnerable then we'll be able to to deal with those. But he had been following along with my process the whole time and the good thing is he was not just a random dude who bought some Bitcoin. He is an entrepreneur and he studied as an engineer. So he was the perfect customer to sort of understand the process as I was developing it and understand the risks and be completely accepting of the options and what's going to happen.
Dennis Fisher: For him honestly it's kind of all upside. If it works, it's amazing. If it doesn't he wasn't going to get it anyway.
Joe Grand: He basically had said I'm already over the fact that I've lost the money. like he wasn't he didn't want to. He didn't want to kind of count his chickens before they hatch. Yeah, for him it was basically just a fun adventure to come here and bring the device and hope that it worked and from my end, you know it was a lot of time kind of prepping for it but the amount of stuff I learned in that time is priceless.