Burrow Wifi Security
Not Your Entropy, Not Your Keys
In a previous post I discussed the advantages of using using ShowMyWork, a process I developed which enables a Bitcoin user with no technical background to fully audit the generation of his own set of seed words. Perhaps the easiest way to use ShowMyWork is by booting up a Raspberry Pi with the latest Rudefox Burrow image. Creating such a device makes a nice complement to any hardware wallet setup. Of course, you will want to make sure that you use the hardware in a way that is secure and consistent with the requirements of your threat model. This may, for example, place requirements around how you source the parts, require you to keep the device air gapped at all times and require you to either destroy the device after use or keep it archived securely with your seed words.
What About Wifi?
Around the requirement of keeping the Burrow air gapped, I would like to address the concern around how to deal with the on-board Wifi on the Raspberry Pi models 3 and 4.
Raspberry Pi Zero
Perhaps the best option would be to use a Raspberry Pi Zero. The less commonly known unit that ships with only 512MB RAM, mini-HDMI port, micro-USB port and NO wireless capabilities is cheaper and smaller than the other models. The fact that it includes a CSI connector for optional QR-code-scanning-camera cements this device’s position as being as a match made in heaven for Burrow.
That being said, I haven’t yet tested Burrow on this device (though I plan to). However, I don’t see any additional risk in trying Burrow on the Zero untested over using a Pi 3 or 4 — the Zero will either boot up with Burrow or it won’t. I happen to have some Pi Zero’s on order so I can add support for the Zero soon. If you use the Zero, note the caveat that you may require mini-HDMI and micro-USB adapters for your peripherals. It is also worth noting that the Raspberry Pi Model 2B is also devoid of wireless hardware, so this is an option which would allow you to use a keyboard and display that use full-size connectors.
UPDATE: The Pi Zero has since been tested and works well! I highly recommend using the Pi Zero for Rudefox Burrow.
I created the Burrow Pi Image project to make the experience of creating an air gapped Burrow device seamless. However, you also have the option of installing Burrow on any device capable of running Windows, macOS or Linux. You can download the source, build and install Burrow on a Linux device, such as an old laptop running Tails with Wifi hardware-disabled.
As an additional measure, you could purchase a Faraday bag and place just the Pi inside, leaving a small opening for keyboard, display and power cables to exit the bag. This should almost completely block any Wifi or Bluetooth signals from leaving the device. You could even build your own with a box of paper clips.
Depending on your threat model, a quick Wifi scan using your phone or laptop could also provide Pretty Good mitigation against the threat of compromised software leaking your seed. An attacker who doesn’t know your location would have to rely on there being an open, publicly visible Wifi hotspot in the area (at the time of seed generation — or anytime thereafter that the device is powered on). So you could greatly mitigate this threat by scanning the area using an app like Wifi Analyser and testing each access point in rage for open access by trying to connect to it.
Burrow Software Protection
It is also worth noting that I have taken some measures in software like removing networking software packages from the standard Raspbian image build. I would love to base the image on a Linux kernel build completely stripped of networking modules, but this is a ‘wish list’ project for When I Have Time. Of course, you should verify software yourself and someone who does not possess the technical skills to verify herself should rely on a consensus of trustworthy auditors. So it would be preferable to implement one or a few of the above recommendations if your threat model dictates.