BitBox01 threat model

Introduction

This page uses technical language and is primarily written for advanced users and security researchers.

Threat model

The BitBox01 is designed to protect you from attackers who try to steal your funds (without using coercion), make you lose funds (without getting them themselves) or compromise your privacy without unlocking the device first, for example, by learning your transaction history. To be secure, you should always trust the paired mobile app screen over the information displayed on your computer and carefully verify what is displayed there. The mobile app supports verification of Bitcoin and Litecoin address and transaction details. The reason to buy and use a hardware wallet is to reduce your attack surface from a highly complex general-purpose operating system with millions of lines of code and weak security domains to a security device built for a single purpose – namely to keep your private keys private – that only runs trusted code.

Out of scope

There are no protections in place if an attacker gets access to both your device and your device password, or to your backup and your backup recovery password. (If you forget or misremember your backup recovery password, your coins are lost and no one can help you.) Attacks involving physical access are out of scope for the threat model of the BitBox01.