Why are computers inherently vulnerable?

DrFazal
Aug 3, 2022

A year has passed since I wrote a blog post on hardware wallets elaborating on 4 types of vulnerabilities that all legacy hardware wallets are susceptible to, except the ZVC-powered hardware wallet. This week the work was published in the peer-reviewed journal Future Internet (Will Zero Vulnerability Computing (ZVC) Ever Be Possible? Testing the Hypothesis). The question the hypothesis poses is one that cybersecurity experts have already unanimously answered: impossible.

Raheman F, Bhagat T, Vermeulen B, Van Daele P. Will Zero Vulnerability Computing (ZVC) Ever Be Possible? Testing the Hypothesis. Future Internet. 2022; 14(8):238. https://doi.org/10.3390/fi14080238

Here’s what three cybersecurity hall of famers have to say about the impossibility of achieving fool-proof cybersecurity:

Prof. Eugene Spafford, National Hall of Fame, 2013 (quote shown as an image; source: AZ Quotes)

Dan Farmer, ISSA Hall of Fame (quote shown as an image; source: AZ Quotes)

Bruce Schneier, Infosecurity Hall of Fame, 2008 (quote shown as an image; source: AZ Quotes)

Why is fool-proof cybersecurity impossible?

All modern computing devices follow two mandatory design rules to make them usable:

1. The permissions that computers grant to third-party applications, which bad actors and threat agents often abuse to create an attack surface and vulnerabilities that attack vectors can exploit;

2. The inherent vulnerability of in-computer data storage.

In prior art there is no hardware or software that is devoid of third-party permissions. Although it is permissions that allow computers to run diverse applications, most, if not all, computer vulnerabilities originate from those inherent permissions. This creates the attack surface that hackers use to deploy attack vectors. The attack surface cannot be completely eliminated, nor can a connected device hold data offline, which renders fool-proof cybersecurity practically impossible. Those rules, although perfect for the pre-Internet era, have failed to stop cybercrimes, compelling experts to conclude that fool-proof cybersecurity is impossible. Without unlearning that deeply ingrained knowledge it is difficult to comprehend this new ZVC (Zero Vulnerability Computing) paradigm that:

1. bans all 3rd party permissions, thus completely obliterating the attack surface.

2. creates switchable in-computer offline storage within the connected device itself.

In the context of the first ZVC prototype, i.e. the hardware wallet, my original post described, with empirical evidence, four ways that hardware wallets can be hacked. Supported by 30+ European partners, ZVC is potentially resistant to all of them. There is at least one sub-category of chip-based attacks, called side-channel attacks, that may not depend on 3rd party permissions, so it needs further elaboration.

How does the ZVC-powered hardware wallet build resistance to permission-independent side-channel attacks?

Most side-channel attacks that are permission-agnostic require proximity to the target computing device, and use electromagnetic, acoustic, power, or optical cues given off by the target device to reconstruct the internal data signals of that device. None of these approaches can work with the NV hardware wallet because any type of signal originating from the device’s secure data transmission activity is obfuscated by equal or higher intensity signals of concurrently running processes, creating signal noise that is almost impossible to decipher into comprehensible data.

In conclusion, device unhackability is possible, at least in a hardware wallet setting, if we rethink and redesign computers and cybersecurity, starting from scratch, by challenging the very basic rules of computing that are so deeply rooted in our professional learning as computer experts.
