Trusting hardware you buy online or in retail
As the team expands where customers can purchase Bitkey, it’s a good time to share how we think about the security of the hardware. Specifically, customers want to know whether buying a Bitkey from a retailer introduces new hardware tampering risks. The short answer? We’ve prepared for this.
Bitkey is designed with hardware and firmware security at its core, ensuring robust protection against tampering, counterfeiting, and other threats, whether you buy from our website or through a retailer. But here’s the key takeaway: even if someone manages to tamper with your Bitkey, it’s not enough to steal your bitcoin. Why? Because of our 2-of-3 multisig design, an attacker would also need to compromise one of the other two keys to access your funds.
Security through design
At Bitkey, security isn’t an afterthought, it’s fundamental. Our hardware and firmware are engineered to address both everyday and advanced attack vectors. Whether purchased from a retailer or directly from us, every Bitkey undergoes a rigorous security-focused process throughout manufacturing, starting with our secure supply chain:
- Unique device certificates: Each Bitkey’s chip is equipped with a secret key specific to that chip prior to manufacturing. This ensures that only authentic devices can interact with the Bitkey app. Counterfeit or maliciously modified devices are immediately detected.
- Secure boot and firmware protections: Bitkey’s hardware enforces a secure boot process, meaning it will only run firmware signed for Bitkey. Bitkey cannot be debugged or reflashed, even by the Bitkey team. The only way to update a Bitkey is through over-the-air firmware updates, which are signed, and also require unlocking the device to begin. Not even Bitkey can update your firmware without you unlocking your device.
- Resistance to physical attacks: The Bitkey microcontroller employs state-of-the-art anti-tamper technology. Critical keys and data are stored in a secure vault leveraging a physical unclonable function (PUF) unique to each device. This means that when the device is off, your keys are encrypted - and there's nothing for an attacker to go after. It's only once the chip is powered on that the PUF makes critical keys usable - and that ensures other protections against physical attacks can be turned on, too. Attempts to extract this information physically would likely render the device inoperable
Although no chip is impervious to the most sophisticated physical attacks with highly advanced lab equipment and expertise, these attacks are inherently not scalable, and generally cost-prohibitive. Moreover, even if Bitkey is tampered with, it’s not enough to steal your bitcoin—an attacker also needs to compromise one of the other two keys forming your multisig wallet.
Returns and resales
The rise of returns or resale markets raises a valid question: What happens if someone returns a device that has been tampered with or already used? Bitkey’s architecture addresses these concerns comprehensively:
- No Refurbishments: Bitkey does not refurbish and resell returned hardware. If a device’s box has been opened, it is permanently retired and will not be shipped out again, ensuring customers only receive untouched, brand new devices. However, if a third party were to sell a previously sold Bitkey device, there are other measures in place to mitigate security risks.
- Secure State Management: Before returning a Bitkey, customers can wipe the device back to its factory state. This process requires the device to be unlocked, meaning only the original owner can perform the wipe. If a returned Bitkey is not wiped, it remains inaccessible—even to Bitkey—due to the device’s robust security protections.
- Immutable Security Features: Even in a resale scenario, the device’s core security features—such as its attestation certificate, secure boot protections, and anti-tamper mechanisms—remain intact and immutable. Our boot process and onboarding checks ensures that the device is still secure and unmodified. A customer will be notified if the device software has been tampered.
Why trust Bitkey?
Bitkey is not just a piece of hardware; it’s part of a multi-layered security system. Even if an attacker were to compromise the hardware, they would still only gain access to one key. Since two keys are required to move funds, immediate access to your bitcoin is prevented.
The security architecture is open, and we welcome scrutiny from independent experts who can help validate Bitkey’s security for the benefit of all customers.
Bitkey is built to keep your bitcoin safe—no matter where you buy it. Whether you’re a seasoned developer auditing our open code or new to bitcoin, you can trust that Bitkey’s hardware and firmware have been designed to protect what matters most: your funds.
