Defence in Depth means multi-layer security: many layers and many types of protection. We mention defence in depth and physical security frequently because it is as important to us as it is to you.
You're probably aware of COLDCARD®'s layers like encryption, air gapping, and verifiable software (if not, please browse our documentation). In this section, we focus on COLDCARD's physical security features:
The first line of defence is the tamper-evident bag with its colourful and detailed printing, bar code, and water damage indicator. Our Quickstart Guide covers the bag-opening process for new customers.
One of the most important features is the bag number. The factory records this number in a secure location within the COLDCARD's flash memory. So, there is an actual link between a COLDCARD and its bag.
The bag number appears three times: ① in the blue border at the top of the bag, ② with a bar code under the orange Coinkite® text, and ③ inside the bag on a torn-off tab. All three instances of the bag number match.
The tear-off tab inside is another way to confirm factory freshness. The numbered tab gets removed from the top of the bag and sealed inside before shipping. Put the two together and inspect them. You should see the tear-off tab matches the top of the bag.
Pulling apart the bag reveals the VOID seal. If you open the bag and don't see the words VOID and OPEN (for example, you cut the bag instead of pulling it apart), you can still make sure the VOID seal is present and genuine by locating the layers and pulling them apart.
NOTE: Tweezers are shown for demonstration purposes only. Tweezers won't pull the layers apart very well.
If the bag has been compromised and exposed to water, the thin white stripe below the VOID seal will wash away, releasing a pale blue dye.
The left side shows where the water has reached; the right side shows the white stripe intact:
Malicious hardware has nowhere to hide. COLDCARDs have see-through cases, making physical attempts to alter the hardware glaringly obvious. The case material is tough, impact-resistant plastic. Even if you accidentally drop your COLDCARD, you're still hodling tight and worry-free.
Attackers discouraged from implanting hardware may consider the firmware route to compromise a COLDCARD. Unfortunately for them, the factory signs every firmware release, and the device looks for this signature on startup.
Each time a COLDCARD connects to power, it verifies the firmware signature and checks all data stored in its flash memory. The red CAUTION LED is lit during this process while the screen displays the verification notification message. Once the signature and the flash memory are verified, the green GENUINE LED indicates it is safe to enter your PIN. If the firmware is not factory-signed, the red CAUTION LED stays lit as a warning not to enter your PIN.
These LEDs also have a role in the firmware upgrade process, which you can read about here.
The epoxy inside a COLDCARD isn't there just for looks. It defends your secrets in several ways by covering critical components like:
We've used a special case to give you a clearer look at our epoxy.
On the back of the case, you'll find our most apparent application of epoxy, which covers the MCU and bonds it to the case. This bond ensures splitting the case apart causes visible and functional damage.
Flip the COLDCARD over, and between the GENUINE and CAUTION LEDs you'll find the second most visible dab of epoxy, the one covering the Secure Element.
As for the LEDs, epoxy also covers their control circuit. Any attempt to get through the epoxy to tamper with the circuit is easily detected.
Each dab of epoxy is unique, like a fingerprint. A user familiar with the appearance of their COLDCARD's epoxy can treat the epoxy as yet another identifier if their device gets secretly swapped.
In short, the epoxy globs:
You might not think of physical security as part of a chip's job, but the Secure Element's contribution to the cause is much deeper than the epoxy covering it.
Secure Element defence highlights:
It's even willing to take a bullet to protect your secrets. We've marked where to aim - just in case.