Tutorial by Datagram
A physical Bitcoin is a combination of elements meant for long-term preservation and storage of a private key. They’re comprised of a metal coin, a paper that includes the public key that can be used to verify the balance of a Bitcoin wallet, the private key to retrieve that balance, and an adhesive tamper-evident seal to shield the private key from prying eyes.
In theory, any attempt to reveal the private key would evidence tampering of the seal.
Like most products that use a tamper-evident seal, “Physical Bitcoins by Casascius" boast:
”It’s pretty difficult to remove the hologram without exposing an obvious ‘honeycomb’ tamper evident pattern. The tamper pattern is extremely sensitive and not concealable once exposed.”
Which piqued my immediate interest in tampering them without leaving a trace.
At this year’s DEFCON security conference I ran the Tamper-Evident Village, where we taught attendees how to attack tamper-evident technologies without leaving evidence.
While running the Village I was given one of each generation of Casascius physical Bitcoin (including the newest 0.5 and 1 BTC coins) to tamper. The newest 1 BTC coin has its standard hologram seal with a ring of weakened material around the edge of the seal.
Naturally you’re thinking, “But wait! Don’t these coins include a way to verify the balance of the coin?"
The answer is yes, they do. The standard attack scenario would be to tamper the coin, record the private key for future use, re-sell the coin, then extract the balance at some later date.
It’s unlikely that the balance will be changed by the owner of the coin in the near future. Doing so requires tampering of the coin to expose the private key which removes the physical security of the tamper-evident seal as well as the numismatic value of a coin with an intact seal. Physical Bitcoins are meant to be long-term storage of the private key - few people are going to spend the extra money to get these coins and then ruin the seal to alter the balance.
Before I extrapolate on the seal design and my attack technique, it’s important to remember that there are no rules and no limitations for an attacker. My single attack at DEFCON is in no way representative of the security of the seal in terms of tamper-evidencing.
There are many ways to defeat an adhesive seal - any adhesive seal - and no seal protects against all attacks. Like many areas of security, building a bulletproof tamper-evident adhesive seal turns out to be a difficult problem.
I’m often asked, “What is a good tamper-evident adhesive seal?” The real answer is that none exist. There are no standards for their design and minimal public information on what separates good seals from bad ones.
The first thing to do when evaluating an adhesive seal is to determine substrate and seal materials. With physical Bitcoins we have a metal coin (brass or silver depending on generation) and an unknown plastic/adhesive seal. A metal coin adhered to a plastic seal should be relatively easy to remove, but re-application of the original seal may leave evidence of tampering if not done perfectly.
Second, you want to determine if it is possible to counterfeit the seal. The Casascius seal is not serialized or uniquely identifiable, so a resourceful attacker should have no problem counterfeiting the hologram (though the newest 1BTC seal is more difficult due to the weakened edge, a non-standard seal feature).
Counterfeiting would be my preferred method of attack if I wanted to sell the most believable secondary market physical Bitcoins.
Finally, you’ll want to examine all possible attack techniques and their effectiveness given the seal characteristics and the resources you have available. The common attacks on adhesive seals are: solvents, temperature (hot *and* cold), counterfeiting, and shimming. There are many other techniques, of course, and each technique has different avenues to explore; just think of how many chemicals the term “solvents” implies.
Since I only had one of each coin (older 1 BTC brass, newer 0.5 BTC silver, newer 1 BTC silver with weakened ring), I chose to use solvents as my attack method. I used a non-polar solvent and a standard 3 mL syringe to dispense the solvent near the seal adhesive.
A common misconception is that a solvent dissolves the seal’s adhesive, allowing it to be removed from the substrate. In reality, this is rarely the case. The solvent breaks the bond between the substrate and the adhesive and creates a buffer between the two that lets you lift the seal from the substrate.
Most seals can be re-adhered with their original adhesive once the solvent evaporates from the seal and substrate. Only one solvent was tested across each of the Bitcoins I had, and undoubtedly many other solvent will work in the same way - some might even be better.
I did the solvent attack with a single 3 mL syringe and a microscope (this isn’t necessary but I wanted to see everything close up to see if things were breaking/dissolving right away). The entire defeat took about 10 minutes but most of that time was spent talking or answering questions from the people that were watching.
Submerging the coin in a pool of solvent may be a better approach, but with only one of each coin I wasn’t able to test this. Submersion can facilitate seal removal because it requires less pulling and prodding of the seal to break adhesion to the coin.
The other benefit of submersion is that the technique ensures contact between the solvent and the adhesive while the seal is being removed. With the syringe you can apply too little solvent then hit a dry spot while lifting, causing the residue pattern to appear.
The main downside of submerging the coin is that the seal backing (the plastic layer on top) comes into direct contact with the solvent. Some seals will evidence tampering if this happens, but it was not a problem with the seals tested.
At the end of the day, I gave myself a 5/10 on the defeats because they weren’t perfect.
On Saturday at DEFCON, I did the older 1 BTC which was accidentally poked by the syringe (some reported this was a “syringe insertion mark” which is incorrect).
On Sunday at DEFCON I did the newer 0.5 and 1 BTC coins. The 0.5 BTC coin did fairly well; no poking, no tearing - but there was an uneven texture when I reapplied the seal to the coin.
Again, this was user error and not a fault of the technique. The 1 BTC coin has a fragile ring around the edge which should make it harder to tamper, but when using the solvent technique it was not much more difficult than the 0.5 BTC coin. The solvent doesn’t damage this ring, and it remains attached to the rest of the seal when lifted. Most importantly, the seal’s tamper-evidencing honeycomb pattern wasn’t exposed on any of the coins.
When all was said and done, the coins were tampered, but tampering was evidenced.
Given a full toolkit, time, and motivation, the technique can be refined to perfection - and I think that many other techniques are possible.
Ultimately, with any physical Bitcoin you’re trusting the security of the coin to the physical Bitcoin issuer at every step of the manufacturing and minting process.
Even so, you’re assuming that the presence of an intact seal indicates the integrity of your coin’s private key. With all of this in mind, always store your coins in a secure location.
Then again, the physical security you give these coins is something else you probably want to look into.
Maybe the folks here at Rift Recon can help with that. :)
Photo Credit: David Perry @ Coding In My Sleep