Xapo Responds to CoinDesk Article On Susceptibility to Backdoor Attack

January 19, 2015

A recent CoinDesk article titled “Research: Hackers Could Install Backdoor in Bitcoin Cold Storage” raised the prospect of a type of reverse-engineering, backdoor attack, described by Stephan Verbücheln of Humboldt University.  The article specifically mentioned Xapo, and we wanted to respond.

The article describes an attacker changing an enterprise code and inserting a “backdoor” to exploit the software. As noted by several people in the comments section of the article, this is only possible if the attacker has access to changing the code. Though all bitcoin companies are subject to this type of risk, we believe that Xapo’s deep cold storage node poses the most secure alternative (and lowest risk of exposure) to this type of  attack.  Here’s why:

1) Installation of a deep cold storage node. The process of installing a deep cold storage node requires multiple steps designed to virtually eliminate any possibility of the existence of a backdoor before installing the software.  The process includes a deep analysis of the software to install, including using reference clients and verifying the correct software versions, verifying the functionality of the software against previous test cases created, analyzing all source code, and employing stringent installation procedures.

2) Key generation process. The process of generating keys in deep cold storage is designed to further assure the cryptographic soundness.  The process produces the necessary entropy levels, discards materials used to generate the keys, and utilizes a robust generation process.

3) The physical security of the nodes.  The physical implementation of the deep cold storage nodes also ensures that once the software is installed on the nodes, unauthorized modifications cannot be undertaken.  Our primary deep cold storage vault is located in Switzerland, with additional secure sites deployed around the globe.  This physical security combined with physically dispersed installations means that unauthorized changes would involve simultaneous modifications across multiple physical sites, which would be nearly impossible.

We are committed to the belief that private keys should never touch the Internet. Private keys traveling over the Internet or stored in browsers or other Internet-connected endpoints are vulnerable to compromise.  This exposes a user to a myriad of threats, from user error (if the users loses keys) to third party theft (if the user’s computer is compromised (including transmitted data over SSL)).  We believe that our deep cold storage architecture offers the highest levels of bitcoin storage security available by any bitcoin company.

Carlos Rienzi

By Head of Security

Article published on January 19, 2015

, , , , , ,
More News

Introducing Xapo’s new experience

We’re thrilled that you finally get to see what we’ve been working on for the past few months! As part of our rebrand project, we’re releasing our revamped Android, iOS, and web apps which include exciting and refreshing new features. We’ve started the global rollout of the new app and it should reach you in…

By Carolina Fabroni

Meet the new Xapo

At Xapo, we’re firm believers that no matter who you are or where you're from, you deserve easy access to digital financial services. This conviction led us to create a simple-to-use bitcoin wallet and an industry-leading bitcoin storage platform, described by The Wall Street Journal as the “Fort Knox of bitcoin storage.” Since 2014, we’ve…

By Carolina Fabroni

Time to withdraw your Bitcoin Gold (BTG)

The time has come for you to withdraw your Bitcoin Gold (BTG) balance generated in your Xapo Wallet after the fork of October 24th, 2017. During this event, anyone owning Bitcoin (BTC) at the moment of the fork received an identical amount of BTG. So if you had BTC at Xapo at the time of…

By Federico Murrone