)
)
)
){kind=logo}
Is NGRAVE open source?
We believe strongly in the benefits of open source, but we also must consider its limitations. The security principle of having many eyes checking our code only holds if many people are looking at our code and reporting issues. Unless we have a large and active user base, there is a significant risk that zero-day vulnerabilities do not get disclosed. This means that right now, we will not open source any part of ZERO's firmware, including the secure element, as we prioritize security. However, we are committed to a future plan of gradually releasing open source components when the conditions are favorable, considering factors such as a sizable and engaged user base to maximize code scrutiny and vulnerability disclosure.
To understand our reasoning, you have to understand the overall security design of our inner working: there is a 'regular' firmware taking care of peripherals such as the touch screen, and a secure firmware authenticating the rich OS & providing the operations for all security related operations (secure storage of private key, PIN & fingerprints, signing, key creation with TRNG, etc). We have tried to find the best solution for our secure firmware and partnered with the only player in the world offering EAL7-certified firmware.
)
Furthermore, ZERO has a secure element to store the most sensitive data, which we are also not free to open source. Those chips are, by design, closed source and get a sort of government certification. However, unlike most other wallets, we do not rely fully on those chips while creating your keys. We do not only rely on the entropy of those chips, which are best in class, but to cancel potential backdoors we also include randomness gathered from your fingerprint data and surrounding light input. On top of that, you can also manually alter parts of the key, so that in the end, you are certain that you are the only one to know your key. Not even we at NGRAVE can know what you created.
The vision of open source from our CTO
Can you extract private keys from the NGRAVE ZERO via the USB port in firmware updates?
No, that is not possible. In general, you could say that generating and securing your private key is the main task of any wallet, including ZERO (and except 'seedless' wallets, but that is an entirely different model with different trade-offs). Enabling a feature to export your private key would seriously compromise this and go against the basics of the security model. But that is what any wallet provider would probably say. And, at least in theory, it is possible to make such a feature. So what kind of guarantees do you have as a user?
The fundamental concept of NGRAVE ZERO's security model is that it is offline ('cold') and has no connectivity hardware like NFC or Bluetooth, making it 'air-gapped'. The only way ZERO can communicate is via QR codes. It is a very transparent way of communicating, as you can literally see it. If you are somewhat technical, you can easily decode these yourself to verify the content and make sure your private key never leaves the ZERO. That gives you better guarantees that no communication happens behind your back than any promise about future firmware versions could give.
You might have noticed there is a USB-C port on ZERO too. It is for charging and firmware updates. So, how did we counter the potential risk of connecting your wallet to a computer? The USB is isolated in a separate boot mode contained within the EAL7-certified secure firmware part of our device. And data transfer over the USB port is disabled by default. This means that to enable USB, you have to reboot the device in a so-called 'update mode'. In this update mode, the device will only receive packages, and the USB will be sandboxed from any other part of the device. So, your seed, PIN and fingerprints are protected by the best possible security.
Afterwards, the secure firmware will check the update for its genuineness, display a warning if it is not valid, and otherwise perform the update and boot back into the normal operating mode with USB transfers fully disabled again.
)
It is impossible to install a firmware update unless it is signed with NGRAVE's private key. If you do not want to rely on this, you can verify and install firmware updates yourself on an offline computer. That way, you have an absolute guarantee that there is no hidden communication happening in the background sending your private key or any other sensitive information. You can read this article to learn how to do that Verify and Install Firmware Update Yourself.
Will NGRAVE make a custodial platform or a third-party seed backup solution with shards?
This question surged from an interview of Ruben Merre, NGRAVE CEO & Co-founder, with Scott Melker, AKA The Wolf Of All Streets.
TL;DR: These are in the research phase. Our users will always be in control of their private key. We will listen to them before building and we will not build anything if they do not want it. IF we do build something, we will never compromise our users’ security.
Custodial Platform
The topic was touched upon in the regard that there is a spectrum that goes from people who want full self-custody, to people who rather outsource their security so that a platform can do it for them. This is in the context of broad user adoption of crypto and even institutional adoption. If we ever make a custodial platform, it will be on another platform, not on ZERO, and/or empowered by a strong hardware infrastructure. Our principles would remain the same, i.e. not compromise your security.
Seed Recovery Service
Our model is built so that we cannot extract keys (e.g. the wallet can only push out communication via QR-codes and never via USB, Bluetooth, or other connections). That means that you will always be in control.
That fully fits our vision of you truly owning what is yours. The recovery is still in the research phase, and we will always listen to our customers first and foremost. If they do not want it, we will not build it.
How can I be sure my NGRAVE ZERO wasn’t tampered with in a supply chain attack?
When you set up your ZERO, you can verify the authenticity of the device by scanning a QR code on our website. The verification will only be successful if the ZERO has been manufactured by NGRAVE. Combined with automated checks of the firmware signature, this gives you a better guarantee than tamper-evident seals on the packaging.
Your ZERO comes fitted with 4 layers of protection that should give you peace of mind:
Cryptographic verification: When setting up your ZERO, you can easily verify that your device is genuine and was made by NGRAVE. Additionally the firmware is cryptographically signed and is verified every time your ZERO boots. If there is the slightest change in software, signature verification will fail and ZERO will refuse to boot.
Tamper resistance: You can’t open the device without damaging it.
Tamper evidence: Even if you would succeed in bypassing the previous measure, you can’t put it back together again without leaving traces.
Tamper responsiveness: There are sensors inside the ZERO which will detect it being opened and will wipe/reset the device.
)
Final words
NGRAVE’s mission is to empower people to master their wealth so they can live the life they want. We are passionate about making the world of crypto a safer place. If you have any doubts left, do not hesitate to contact us at support@ngrave.io.
){kind=logo}
)
)