Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Hardware wallets
Re: Foundation Passport (FE) hardware wallet review and walkthrough
by
n0nce
on 24/01/2022, 10:54:41 UTC
Quote from: FoundationKen on Today at 06:45:48 AM
Quote from: n0nce on Today at 03:37:17 AM
PS: One more question; will both devices run the same firmware? If not, will new and old device's firmwares be developed and maintained in parallel?
GitHub has no repository for the new firmware, which makes me hope they run the same one; thus reducing codebase to maintain + elongating FE update support.
Hi, Ken from Foundation Devices here.

I wanted to make sure that FE had a long life, so I put in quite a bit of effort to make sure that it would be able to run the newer codebase.

There will be two separate firmware downloads, but they will be built from the same codebase.

There are improvements in the new hardware that we'll be announcing soon, but, to the extent possible, we're trying to make the firmware on the two devices have similar features.

Note that there might be an initial delay of a few weeks in releasing the first FE version of this new code, but after that my intention is that new firmware versions for the two devices get released simultaneously.

Cheers!
Cool, really appreciate this. Makes sense that compilation will change slightly between devices and you'll need some extra code for Li-Ion charging circuit for example, I suppose. But it's great to hear the codebase stays common! Not only for longevity but also for security. Since a bug found in one device will also make the other one more secure, as well as a static security analysis making more sense if it covers more devices.

Quote from: ETFbitcoin on Today at 10:02:21 AM
Quote from: n0nce on Today at 03:37:17 AM
Quote from: ETFbitcoin on January 23, 2022, 12:19:46 PM
IMHO, if people choose FE rather than other hardware wallet (such as Ledger and Trezor) which is cheaper and easier to use, it's more likely they have better secure practice. I wouldn't worry about malicious application which replace PBST file if you perform good security practice and verify the transaction before sign/broadcast process.
Oh, for sure, but maybe it would be worth adding to the guide or something. Like, especially with airgap, people may expect to be able to use it on fully infected machines and shit and rely too much on perceived security. On the other hand, the large screen makes it very easy to confirm the receiver address and if that matches, you're obviously good.

Good point, HW wallet such as Ledger and Trezor could be used on infected device and it's not easy to perform MitM attack on USB connection.
Well, USB is not 'un-MITM'-able as well, but to me it seems easier to write a shellscript checking for removable drives than hooking into USB communication.