Xapo Responds to CoinDesk Article On Susceptibility to Backdoor Attack

January 19, 2015

A recent CoinDesk article titled “Research: Hackers Could Install Backdoor in Bitcoin Cold Storage” raised the prospect of a type of reverse-engineering, backdoor attack, described by Stephan Verbücheln of Humboldt University.  The article specifically mentioned Xapo, and we wanted to respond.

The article describes an attacker changing an enterprise code and inserting a “backdoor” to exploit the software. As noted by several people in the comments section of the article, this is only possible if the attacker has access to changing the code. Though all bitcoin companies are subject to this type of risk, we believe that Xapo’s deep cold storage node poses the most secure alternative (and lowest risk of exposure) to this type of  attack.  Here’s why:

1) Installation of a deep cold storage node. The process of installing a deep cold storage node requires multiple steps designed to virtually eliminate any possibility of the existence of a backdoor before installing the software.  The process includes a deep analysis of the software to install, including using reference clients and verifying the correct software versions, verifying the functionality of the software against previous test cases created, analyzing all source code, and employing stringent installation procedures.

2) Key generation process. The process of generating keys in deep cold storage is designed to further assure the cryptographic soundness.  The process produces the necessary entropy levels, discards materials used to generate the keys, and utilizes a robust generation process.

3) The physical security of the nodes.  The physical implementation of the deep cold storage nodes also ensures that once the software is installed on the nodes, unauthorized modifications cannot be undertaken.  Our primary deep cold storage vault is located in Switzerland, with additional secure sites deployed around the globe.  This physical security combined with physically dispersed installations means that unauthorized changes would involve simultaneous modifications across multiple physical sites, which would be nearly impossible.

We are committed to the belief that private keys should never touch the Internet. Private keys traveling over the Internet or stored in browsers or other Internet-connected endpoints are vulnerable to compromise.  This exposes a user to a myriad of threats, from user error (if the users loses keys) to third party theft (if the user’s computer is compromised (including transmitted data over SSL)).  We believe that our deep cold storage architecture offers the highest levels of bitcoin storage security available by any bitcoin company.

Carlos Rienzi

By Head of Security

Article published on January 19, 2015

, , , , , ,

Time to withdraw your Bitcoin Gold (BTG)

The time has come for you to withdraw your Bitcoin Gold (BTG) balance generated in your Xapo Wallet after the fork of October 24th, 2017. During this event, anyone owning Bitcoin (BTC) at the moment of the fork received an identical amount of BTG. So if you had BTC at Xapo at the time of…

By Federico Murrone

Xapo Card Closure Update - and what's next!

As of January 4th, 2018, Wave Crest Holdings, Ltd. issuer of the the Xapo Card Program, was instructed by Visa® to cancel all its Visa® Programs effective immediately. As a result, all the cards of the Xapo Cards Program were deactivated. As a consequence of this unanticipated closure of the Xapo Card Program, we’ve put…

By Anni Rautio

Xapo update about Bitcoin Gold

On Tuesday, October 24th at 1:20 am GMT approximately Bitcoin Gold (BTG) was created (or forked) as a new cryptocurrency based on the original Bitcoin Blockchain. Xapo is handling this fork according to its fork policy, just like we did with the Bitcoin Cash fork. If you had bitcoins in Xapo at the time of…

By Federico Murrone