Talking Bitcoin Security with Alena Vranova of Trezor


In the two and a half years I’ve been involved with Bitcoin, one of the nagging concerns I’ve had is the question of how to secure my bitcoins. I learned early the dictum to never trust another with my private keys, and I have played with and researched paper wallets and multi-sig solutions. Even after finding a solution that I am relatively comfortable with, there is always that nagging concern that someone will swipe my wallet.dat file, keylog my password, or somehow or other just make off with my digital assets.

One of the advantages of Bitcoin is that it puts people back in charge of their own money and takes away the necessity for someone to have to use banks or credit card companies. The disadvantage, proven time and time again by a quick scan of r/bitcoin, is that it is just all too easy to get scammed, hacked, or just lose some coins in a computer crash or with a forgotten password. One of the things that will need to happen for Bitcoin to go to the moon is that it must become easy and secure enough for a novice to use with confidence.

Bitcoin Warrior recently became an affiliate of TREZOR, a pathfinder in Bitcoin security (shameless link here) and I took the opportunity to ask Alena Vranova, one of the founders of SatoshiLabs, if she would sit for an interview.

First, for the majority of people, Bitcoin is really an oddity. If they read the newspapers, they often enough think that it’s really used for things like drugs and even terrorism. What do you think the real benefits of Bitcoin are, and what do you think it will take to overcome the apathy and misinformation that is stacked against it?

Bitcoin is really radical; it allows a secure system of exchanging value between people, and indeed machines, who have never met, that can be trusted, verified and never forged. Yes, we have heard of many instances connected with drugs, hackers, thieves and terrorists, but these are not security issues with the core bitcoin network per se, rather weakness in the whole current system and storage of the keys used to secure a bitcoin wallet. Just like a bank vault with the combination lock code taped to the front door not being secure, bitcoins secured by keys left lying around where they can be easily stolen are not safe from theft either. Also we need to build applications on top of bitcoin that would be beneficial and easy to use. No need to explain bitcoin the same way we have no need to explain the TCP/IP protocol to Internet users. For example for safe use of user accounts, you dont need to understand bitcoin, just get a Trezor and learn to use it, which is very easy.

This is a related question. I personally believe that Bitcoin can’t hit it big until the infrastructure has been built out enough to allow all the people and business waiting in the wings to pile in. What do you make of the current state of the Bitcoin infrastructure and what do you think needs to be done to make it ready for mass adoption?

In past two years, we could see huge growth in the Bitcoin economy and companies building infrastructure around Bitcoin. With all these recent investments in the blockchain based companies, we will see many new applications coming to the market helping spread usage of Bitcoin and general awareness about Bitcoin and blockchain.

We should now concentrate more on building an independent BTC economy � earning Bitcoin and living on them, not having to convert it. Entire supply chains that would work on bitcoin need to be built. For example, services like Cashila, which enables payments in Bitcoins for your utility bills and invoices. But to achieve mass adoption, where people will use Bitcoin on a daily basis, we will have to wait until people change their mindsets and realize they do not need to trust government issued currency; they can use an alternative the same way and without need to deal with any middlemen.

Something that people who have held even a small amount of bitcoin are familiar with its security. There are so many reports of hacks and thefts, great and small. Of course, it’s to help solve that problem that TREZOR was created, but before we get into that, can you tell me what you think are some of the biggest mistakes people make when securing their bitcoins and what advice you would give them?

There are few areas people should be aware of, when planning to start using Bitcoin

1. Trusting a 3rd party – we’re used to being babysat by big corporations and that’s what we don’t have to have with bitcoin. Finally, we don’t need to rely on any 3rd party; with Bitcoin, you are the only owner of your money.

2. Not being computer security experts – the standard ways to secure BTC are too obscure and nearly impossible for an average computer user to achieve. Computers by design are not built to hold money.

3. False sense of security – being comfortable with marketing claims. The infamous Mt.Gox used to claim to be super secure

Now TREZOR is, I believe, the first dedicated hardware Bitcoin wallet. What problems did you folks have in getting it up and running and how did you overcome them?

TREZOR’s security model is based on the principle of zero trust. The zero trust principle says that any part of a secure system could at some point be compromised. One of the biggest challenges was to get rid of all possible security attack vectors – wi-fi, fingerprint readers, bluetooth and build a device which is completely hack proof. Also we had to build our own wallet because when we released TREZOR there were no TREZOR compatible wallets at that time. Now you can use TREZOR with multiple wallets � Multibit, Electrum, Encompass, Mycelium etc.

There were many other challenges we had to solve during the TREZOR development, but in the end, we managed to bring a device to market which is hack proof and easy to use even for novice Bitcoin users.

There have been some reports, on Reddit and other places, of people discovering how to attack TREZOR wallets. What steps have been taken to make TREZOR fully secure?

You are probably referring to Johoes test with the micron osciloscope�which he used to try a side-channel attack on Trezor. This potential side-channel�attack had already been fixed before the report was even published, thanks to cooperation with Johoe. Also our project is opensource, so everyone in the community can review the code. All potential digital attacks are covered; not a single bitcoin has ever been stolen from TREZOR.

Where does the name TREZOR come from?

As you might know, SatoshiLabs is a company based in the Czech Republic, and trezor is the Czech (Slavic) word for vault.

Finally, what lays ahead for TREZOR? What are you folks planning for the future?

There are few areas we can see TREZOR involved in. For example securing online identity, passwordless login, smart assets, secure messaging, document timestamping, voting, shared funds management. Also a new Trezor version might come out:-)