What is the threat model for the "signing phrase" in the Status wallet?

In light of trying to simplify the UX of Status, I’ve been looking for pop-ups and interfaces that may not be entirely intuitive for the average user. One that came to mind is the “This is your signing phrase” pop-up whenever you open your wallet.

Could someone that is more familiar with the security goals of this signing phrase describe what the threat model is here? Is this to help identify if a device has been compromised? Or perhaps this signing phrase guarantees the integrity of the secure enclave on the device? A description of a hypothetical attack would be appreciated.

With a greater understanding of the threat model, that could allow us to look into alternatives that may be more conducive to a mainstream user experience. Thanks!

Phishing, what the app is doing is authenticating itself to the user.

This makes it difficult for webpages to create a fake signing screen to steal your password / attempt to steal your private keys (imagine an attack vector).

If the user is familiar with a phrase to check when signing, an attacker would have to guess that image.
The potential combinations would make it improbable for an attacker to randomly generate your signing phrase and target an individual.

I still think this is better suited as a graphic/pictogram, like a series of 3 emojis rather than text. Calling it a signing phrase also confuses people with asking people to remember a key phrase.

A change to emojis would be super easy, as it’s just a matter of replacing the word list.
I’m glad someone else is looking into it, I hope it gets changed.
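As an added illustration of the two points made above (the phrase is a per-account secret the attacker can only guess, and swapping words for emojis is just a change of list), here is a small model of how such a signing phrase can be stored and rendered. This is example code written for this thread, not Status's implementation; the word and emoji lists are constructed for the demo, and the phrase length of 3 and the idea of storing indices rather than rendered words are assumptions.

```python
import secrets

# Constructed 32-entry lists for illustration only; Status's real list is not reproduced here.
WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quartz", "river", "saddle", "tunnel", "umbrella", "violin", "walnut", "xenon",
    "yellow", "zebra", "anchor", "basket", "cactus", "dolphin", "ember", "falcon",
]
EMOJIS = [
    "🍎", "🌉", "🕯", "🐉", "🦅", "🌲", "🌷", "⚓",
    "🌴", "☕", "🔦", "🌾", "🧵", "🌙", "🌶", "💎",
    "🌊", "🐴", "🚇", "☂", "🎻", "🌰", "🔬", "🍋",
    "🦓", "🧺", "🌵", "🐬", "🔥", "🐦", "🎈", "🚲",
]


def create_signing_phrase_indices(alphabet_size, length=3):
    """Pick `length` indices uniformly at random with a CSPRNG at account creation.

    Storing indices (an assumption of this demo) means the phrase stays stable for the
    user across sessions, and the UI can later render it with any list of the same size.
    """
    return tuple(secrets.randbelow(alphabet_size) for _ in range(length))


def render(indices, alphabet, sep=" "):
    """Render the stored indices with whatever list the UI currently uses."""
    return sep.join(alphabet[i] for i in indices)


def search_space(alphabet_size, length=3):
    """Number of distinct phrases an attacker who lacks the secret must choose from."""
    return alphabet_size ** length


def guess_probability(alphabet_size, length, attempts):
    """Chance that `attempts` distinct random guesses include the user's phrase."""
    return min(1.0, attempts / search_space(alphabet_size, length))


def user_accepts(displayed, expected):
    """The check the user performs: trust the screen only if the phrase is the familiar one."""
    return displayed == expected


if __name__ == "__main__":
    idx = create_signing_phrase_indices(len(WORDS))
    print("word form: ", render(idx, WORDS))
    print("emoji form:", render(idx, EMOJIS, sep=""))
    print("phrases in the search space:", search_space(len(WORDS)))
    print("a single-guess phishing screen matches with probability",
          guess_probability(len(WORDS), 3, 1))
    # A forged screen showing a random phrase is rejected unless the guess happens to match.
    forged = render(create_signing_phrase_indices(len(WORDS)), WORDS)
    print("forged screen accepted:", user_accepts(forged, render(idx, WORDS)))
```

With a 32-entry list and three positions the attacker has one chance in 32,768 per guess; a real list in the thousands of words makes the space far larger, which is the "potential combinations" argument above. Note that the protection rests on the indices staying secret on the device: anything that reads them can render the correct phrase, which is the caveat raised later in this thread.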

Phishing, what the app is doing is authenticating itself to the user.

This makes it difficult for webpages to create a fake signing screen to steal your password / attempt to steal your private keys (imagine an attack vector).

I see. But in this case, stealing the password would be very low value (only has a purpose if the same attacker will eventually have physical access to the device, at which point, they could just be an evil maid and setup a camera to record the password entry), and stealing the seed phrase would be obvious.

Intuitively, I would believe that asking for the user’s seed phrase would be much more of a giveaway than having the incorrect signing phrase/emojis. It’s quite likely that someone simply doesn’t care enough to verify the signing phrase, but I think nearly everyone would get suspicious about the “app” asking for their seed phrase when they try and create a transaction.

Perhaps this form of phishing could be mitigated by simply having the following warning: “Status will never ask for your seed phrase, unless you are setting up your account for the first time. You will never need to enter in your seed phrase to sign a transaction.”

We don’t know the attacker's angle, they are very creative.

I like to think about it in the most general terms, think about it like this,
What are the highest value screens in the application?
What are the highest risk screens in the application?
What are the most trusted and interacted-with screens in the application?
Now, how can we de-risk those screens, prevent trust-transitivity of those screens whilst ensuring they retain their value as high as possible?

You’re right. Now I ask you, why can’t this be part of the attacker's angle?
Think like an attacker. Hell, think like a marketer or sales guy.

If I replicate the screens the user trusts and get compliance, then they are more likely to comply on the following screens. Just like in face to face sales or any landing page flow. You want people to say yes to these to create a micro confirmation bias, if I can get you to enter in your password in an official looking screen, then I’m more likely to have your trust to enter your passphrase. Even the Status application itself does a flow similar to this on account recovery.

You must be new to crypto. Passphrase stealing happens by scammers all the time, especially in bull markets, in regular browsers no less.

So to make the assumption that a user doesn’t care, the solution is to cater to braindead users by removing a defense for users who do care about their transaction security? I don’t think we should cater to the lowest common denominator user when it comes to security.

People don’t read, and they certainly don’t remember. Why would a user who doesn’t care to read in the first place read this, and then worse, remember it? Unless you imagine this popping up every time…

in which case the anti-phishing feature of the transaction signing screen is a continual reminder to be vigilant, is functionally useful and is less verbose than a 2 sentence paragraph.


So I guess we’d have to ask:

What could an attacker do with just your password?

I can imagine a scenario that an attacker has some type of disk access to the user, but can only retrieve the encrypted file. They’d need your password to get access to secrets inside (private keys, chats, profile info, etc).

Then a simple phishing campaign in the browser that mimics the signing screen would do the trick to get the rest of the information needed.

So in order to remove this feature or do it in some other way, I’d need confidence around there being a very low likelihood that an attacker cannot get access to the encrypted database file on the device's storage, and that a phishing campaign has a low likelihood of being able to mimic the signing screen and trick the user.


I’d need confidence around there being a very low likelihood that an attacker cannot get access to the encrypted database file on the device's storage

I don’t believe this is necessarily the case. There could be a very high probability that an attacker can get access to this encrypted database, but if this means of access also provides them with a trivial way to phish, then the signing phrase still does not help.

For example, if an attacker gains access to the encrypted database via physical access to the phone, either by knowing the PIN, or exploiting some firmware/enclave bug, they would also be able to easily uninstall the original Status app, and simply reinstall one with a perfect replica of the login screen asking for your password. You could even make the random username match as well, and check/uncheck the “Save password” box depending on what the values were in the original. At this point, you just leave the phone where it was.

On the other hand, if we consider an RCE within Status that is capable of stealing the encrypted database, presumably this same RCE would also be able to steal the signing phrase, at which point, the attacker can now replicate a perfect phishing screen, despite Status’ use of a signing phrase.

Personally, I don’t see any way in which an attacker could obtain the encrypted database without also simultaneously stripping away any protections provided by the signing phrase.

You must be new to crypto. Passphrase stealing happens by scammers all the time, especially in bull markets, in regular browsers no less.

Yes that is correct, but someone who is foolish enough to enter in their seed phrase would also be foolish enough to do so with or without the presence of a signing phrase in the original app.

If I am phishing for a seed phrase, something that is never requested in the normal app, then I am already using some kind of UI that the user has never seen before (one that requests a seed phrase despite the user having created an account).

If I am presenting the user with some UI that is completely new, I can just omit the signing phrase altogether. No need to guess. I do not understand how a signing phrase can protect against seed phrase phishing when the attacker would be creating a completely new UI anyway, in which they would evidently not display a signing phrase as they don’t know it.

After all, the user has never seen such a screen before. They don’t know if this kind of screen is supposed to show their signing phrase, because it’s new.