Not Your Computer, Not Your Keys: Crypto Devices and Supply Chains

Baukunst is a collective of creative technologists advancing the art of building companies at the frontier of technology and design.

This is edited from a talk I originally gave at the Baukunst Creative Technologist Conference on May 5th, 2022.

For some time, I’ve been wanting to talk about how I see crypto and web3 technologies fundamentally changing connected devices and our relationship to them.

I’ve had the pleasure of working on a number of groundbreaking products in my career, most notably the original iPhone and many generations of iPods during my time at Apple. These were amazing products…delightful to use, approachable interfaces wrapped around surprisingly complex embedded systems that we completely redesigned year after year – custom silicon, dramatically new software experiences – that would go from idea to being manufactured at over 200,000 units/day often in a span of just 12 months.

Groundbreaking at the time, iconic in retrospect

I’m deeply deeply familiar with this type of product. Connected devices that have enclosures, printed circuit boards, radios, embedded software, apps, etc are my expertise. But to be honest, my excitement has waned over the last few years as everything seems to have converged into these platonic pieces of glass. Pick your aspect ratio, maybe the cameras get better, maybe the UI gets snappier. Not always sure.

Meanwhile, I’ve found my interest being pulled towards crypto. Now “crypto” is a hilariously broad term for a number of technologies and use cases that mean many things to different people, but I’m just going to use that as shorthand and roll with it. I’ve been starting to see the edges of how that world is affecting the devices around us. I’m going to be a little bit more hardware leaning in what I’m talking about today, but fundamentally these devices are platforms for software and it’s really the integrated product-level experience that makes this so interesting.

To start with I have three premises

  1. “Crypto” represents a major computing paradigm shift.

  2. It’s happening now and faster than anything we’ve ever seen.

  3. Our computers will never be the same.

If / when this paradigm shift happens, our old computers are not going to be our new computers.

Crypto Devices

Now, the first thing that comes to mind when I think of a “crypto device” is something like this.

Bro, do you know about gas flaring?

This bitcoin miner just looks a little over-the-top… makes you want to joke about razor blades, but it’s just as silly as a giant mainframe computer that filled up whole rooms in the 40s and 50s.

Totally worthwhile use of resources

It’s a reminder of how much optimization and improvement happens over time. We should treat that mining rig with the same respect that you might treat an old mainframe if you went back in time with the knowledge of how much it would change personal computing and personal lives. In just one lifetime these things can come a really long way.

Core Technology

“Crypto” is actually a confluence of a number of different core technologies:

  • Public key cryptography

  • Distributed ledgers

  • Decentralized consensus + incentive mechanisms

  • Belief systems → passionate early adoption → network effects

The first, public key cryptography, is the machinery that lets two parties verify identity and exchange information securely without having shared a secret in advance. I hold a private key; anyone can hold the matching public key. With the private key I can produce a signature over a message that anyone with the public key can check, so I can prove I am who I say I am and send messages that only I could have signed; with my public key, others can encrypt messages that only I can read. This is all really just math. Conversations around regulating this technology border on free speech issues to me. Next is a distributed ledger (of which blockchains are a type): a shared account of who owns what and a record of transactions, replicated across many parties rather than held by one. And finally consensus protocols: you can have distributed ledgers without agreeing on which copy is the right one, so you have to invent systems of agreement, how you incentivize good behavior, punish bad actors, and converge on a single source of truth (hopefully).

Beyond these three typically cited core technologies, there’s one that is often overlooked: the underlying belief system. Strong veins of privacy, self-sovereignty, autonomy, transparency, decentralization, and equitable value distribution run through the communities developing this technology and motivate its applications. This mission-driven zealotry has spurred a groundswell of early adopters and builders which has in turn established real network effects around these protocols and systems. To me, the culture itself is an undeniable part of the tech stack.

When you bundle all these things up, what do you get?

  • A decentralized identity system

  • A decentralized asset and ownership system

  • A decentralized payment system

  • A decentralized computer - execution, storage, networking

I can say who I am… you can verify who I am…without a centralized authority. That’s super interesting. We can have an accounting of digital assets (or digital tokens that map to real world assets) in a way we can traceably exchange. We can send funds to each other without a central gatekeeper. Super powerful. We have a Turing-complete decentralized computer where we can develop all possible software and run it in a decentralized fashion.

Like the Internet in 1994

This is looking like the fastest technology adoption in human history. Let’s take a quick accounting of the world in 2022. We have just shy of 8B humans on the planet. Shockingly, a little less than two thirds of them are on the internet; roughly a third of the world is still not online. Even the internet is still in the slow tail end of its S curve.

Harder, better, faster, stronger

Graphs like this are often cited showing how technology adoption is accelerating over time. But to be clear, this isn’t a value argument. New technologies are not necessarily getting adopted more quickly because they are better. They are getting adopted more quickly because people are more closely tied together. We’re traveling more, communicating more frequently. Faster means faster, not better.

https://twitter.com/raoulgmi/status/1392939136689053699

That being said, if you zoom in on crypto and line it up against internet adoption, some estimations show crypto is growing faster than the internet did on a time adjusted basis. Where we are today is roughly analogous to where the internet was in 1994. Imagine sitting around in 1994 saying “hey this internet thing is going to be pretty big.” You’d be on to something. That’s where we’re at with crypto right now. This is happening.

Today we’re at ~100M crypto users, only about 2% of people online today. (We’re still early™) And it’s interesting to look at how widespread awareness is. In the US, over 86% of adults have heard of cryptocurrencies (the study asked only about cryptocurrencies like Bitcoin and Ether, not even NFTs etc.). Amazingly high levels of awareness. And 16% of US adults say they’ve invested in, traded or used crypto. Roughly 1 in 6 Americans.

https://www.pewresearch.org/fact-tank/2021/11/11/16-of-americans-say-they-have-ever-invested-in-traded-or-used-cryptocurrency/

Some stats around activity: Metamask published numbers saying they have 32M monthly active users, a relatively large slice of the full crypto install base. Tools are catching on incredibly quickly.

If you roll up the market cap of top coins, we’re actually at over 1% of the global stock market. [A lot has… um...changed in the crypto world since I gave this talk. I’ve left stats at May 2022 levels for history’s sake.]  An amazing amount of economic weight. Some of the liquidity is razor thin around those tokens and you couldn’t actually cash that value out, but there’s amazing financial resources at play.

Consumer Crypto Devices

Drafting off this growth, we’ve seen the emergence of a new class of crypto-centric consumer device. This first wave are hardware wallets: semi-offline devices that hold keys and let people verify their identity, transfer assets, etc. (like we talked about) in a (supposedly) more secure way than on a general-purpose, online computer. You can search Amazon for “hardware wallet” and see some examples:

We’re at the Cambrian explosion / dumpster fire stage of this category of device. They have arrived. You can buy bejeweled bitcoin keys. These are all horribly untrustworthy to do anything with…it’s impossible to sort through them all. Lots of sponsored results. It’s a fairly noisy market right now (to say the least).

“Wallet” is already an anachronism though. These are identity systems, with a similarly transformational evolutionary roadmap as phones→smartphones.

A couple of the major players today to call out are Trezor and Ledger.

Trezor Model One + Ledger Nano

The device on the left is the Trezor Model One built by Satoshi Labs based in Prague. They’re notable for releasing this “original cryptocurrency hardware wallet” back in 2014 and have announced that they’ve shipped over a million units since then. They’ve been dedicated to open source hardware and software from the very beginning and have maintained a smaller, independent minded ethos.

The current market lead by volume is Ledger, based in France, who makes the Ledger Nano shown on the right. They’ve raised ~$500M at north of $1.5B valuation and by some estimates are shipping >1M units a year. The totals of just these two products establish hardware wallets as a high volume consumer electronics category.

It’s interesting to compare the different security approaches of Trezor and Ledger.

Open source designs are key in this world. The phrase “trustless” is thrown around a lot but the intention of being open source is to achieve trust by being open, auditable, and enabling rapid patching over time. This stands in stark contrast to the closed source model of deriving trust by a brand having a black box and demanding that you trust them.

Trezor is a completely open source device, both hardware and software, and they’ve really stuck to their guns around that process. You can be relatively confident that the device is deeply understood, but that came with some compromises. The seed lives in the flash of a general-purpose microcontroller, protected only by the PIN, and it can be extracted if you lose physical control of the device. Kraken Security Labs published a proof of concept in 2020 where someone with very basic lab equipment uses voltage glitching to dump the chip’s memory in ~15 minutes and then brute-forces the PIN offline; their recommended mitigation is a strong BIP39 passphrase, which is never stored on the device. You should assume you’re pwned if someone gets hold of your Trezor and you weren’t using a passphrase.

https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/

Ledger took the opposite approach of being a mostly closed-source system, relying more on security through obscurity and on more physically secure, but closed source, hardware. Ledger *does* use an embedded operating system that is built on an open source framework, but the firmware itself and the hardware are not open. Notably, they use specialized components called secure elements: a single surface-mount chip that holds the private keys and is hardened against physical probing and side channels, which the rest of the system and software only interact with at a high level, sending messages to be signed and receiving signatures, never touching the private key directly. Secure elements themselves are notoriously closed source and often require restrictive NDAs from manufacturers to procure. Now, nothing is unhackable…you can still get at those with a sophisticated laboratory, but they provide a level of physical security above and beyond purely open source designs like Trezor’s.
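Here is a small Go model, added as an illustration and not Ledger’s or any vendor’s real interface, of the boundary described in the last paragraph and of the signing idea from the public key cryptography section above. The private key is generated inside a `secureElement` type and has no accessor, so it never leaves the element; the host only sees the public key and asks for signatures over messages; a PIN retry counter wipes the key after `maxPINAttempts` failures, which is what makes a short PIN defensible inside a secure element but not in a plain flash dump like the Trezor case. The type and function names, the PIN and the transaction bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Hypothetical model of a secure element (not a real vendor API): the private
// key is created inside and never returned; the host only gets PublicKey and Sign.

var (
	errLocked = errors.New("secure element: locked, enter PIN first")
	errWiped  = errors.New("secure element: key wiped after too many PIN failures")
	errBadPIN = errors.New("secure element: wrong PIN")
)

const maxPINAttempts = 3

type secureElement struct {
	priv     ed25519.PrivateKey // unexported, no accessor: never leaves the struct
	pub      ed25519.PublicKey
	pin      []byte
	unlocked bool
	failures int
	wiped    bool
}

// newSecureElement generates the key pair inside the element from its own entropy.
func newSecureElement(pin string) (*secureElement, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &secureElement{priv: priv, pub: pub, pin: []byte(pin)}, nil
}

// PublicKey is the only key material the host application processor ever sees.
func (se *secureElement) PublicKey() ed25519.PublicKey { return se.pub }

// Unlock enforces a retry counter. A 4-digit PIN is only safe because guesses
// are rate-limited here and the key is destroyed after maxPINAttempts failures;
// against an offline copy of the storage the same PIN falls in milliseconds.
func (se *secureElement) Unlock(pin string) error {
	if se.wiped {
		return errWiped
	}
	if subtle.ConstantTimeCompare(se.pin, []byte(pin)) != 1 {
		se.failures++
		if se.failures >= maxPINAttempts {
			se.wipe()
			return errWiped
		}
		return errBadPIN
	}
	se.failures = 0
	se.unlocked = true
	return nil
}

// wipe zeroes and drops the key material; the element is useless afterwards.
func (se *secureElement) wipe() {
	for i := range se.priv {
		se.priv[i] = 0
	}
	se.priv, se.pin, se.wiped, se.unlocked = nil, nil, true, false
}

// Sign is the high-level "message in, signature out" call the host talks to.
func (se *secureElement) Sign(msg []byte) ([]byte, error) {
	if se.wiped {
		return nil, errWiped
	}
	if !se.unlocked {
		return nil, errLocked
	}
	return ed25519.Sign(se.priv, msg), nil
}

// verifyOnHost needs only the public key, so anyone can check "signed by the
// holder of that key" without a central authority.
func verifyOnHost(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	se, err := newSecureElement("4321")
	if err != nil {
		panic(err)
	}
	tx := []byte("constructed tx: pay 0.01 BTC to address-A") // constructed sample

	if _, err := se.Sign(tx); err != nil {
		fmt.Println("before unlock:", err)
	}
	if err := se.Unlock("4321"); err != nil {
		panic(err)
	}
	sig, _ := se.Sign(tx)
	fmt.Println("genuine tx verifies:", verifyOnHost(se.PublicKey(), tx, sig))

	tampered := append([]byte{}, tx...)
	tampered[len(tampered)-1] = 'B' // host-side malware redirects the payment
	fmt.Println("tampered tx verifies:", verifyOnHost(se.PublicKey(), tampered, sig))
}
```

The point of the tampered case is the one the screen-vs-no-screen debate later in the post turns on: the element will happily sign whatever bytes the host hands it, so the user has to be able to see what is being signed on the device itself, not just on the (possibly compromised) host.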

So Ledger has a much better story in regard to physical security perhaps, but it’s important to consider all the attack surfaces surrounding these devices. Ledger had a Shopify-related customer data breach a couple of years ago where the data of over a million users got exposed, including home addresses. Not great for this category of users. People then started receiving fake devices in the mail: things that looked legit but carried suspicious code. Security considerations extend beyond the devices themselves to the adjacent social and logistic systems as well.

And let’s just say that the user interfaces for these devices leave a lot to be desired. You shouldn’t feel like a telegraph operator putting in a password. You should be able to easily read the full addresses associated with a transaction. Your tin foil hat can hurt as much as protect…people probably lose funds just as often for forgetting a password as they do getting hacked.

Not Your Computer, Not Your Keys

A common question: What about custodial services?

There are custody services (like Gemini) that provide web app layers on top of private keys so users don’t have to manage those themselves. Other services (for example, centralized exchanges like Coinbase) don’t keep your funds in a dedicated wallet…you’re just trusting that they account for your funds correctly on their internal ledger.

That kind of works right now for some users [Nov 2022 self is laugh-crying], but we have to remind ourselves where this is going in the future. Yes for low frequency store-of-value transactions; you can imagine doing that with your bank today. But in a future where you’re doing a cryptographic action every time you sign into a website, take any action in an app, or make a move in a game, it really just doesn’t work unless you’re in control of your own keys. When you start thinking about the frequency and complexity of those actions, for me, it’s totally inconceivable that a financial institution would intermediate that. Only companies like Google, Facebook, and Apple have implemented authentication layers like that with any success and they kind of still suck. To think that’s going to happen with a financial institution, even a relatively digitally-forward one, is totally crazy to me. I’m long on self-custody…more for user experience than security.

Another common question: What about my phone?

A few modern smartphones *do* have architectures with secure enclaves that can provide a layer of additional key storage security. And we’ve seen the emergence of many software wallets, like Rainbow and others that take advantage of them. I think there’s a place for those products that strike a balance of security and interoperability. But smartphones these days are just fundamentally slow moving systems, and companies like Apple have chosen to deeply integrate the secure enclaves into their mainline SoCs. The timeline to develop the main SoC for a phone stretches into many years…a mismatch in keeping up with evolving cryptographic algorithms/curves, support for new blockchains, and patches for exploits. They’ll continue to evolve slowly and perhaps be a trustworthy foundation for the slightly older applications / algorithms, but unlikely to be cutting edge.

And there are still security issues too. A couple of years ago the highly touted T2 chip was completely jailbroken. For every one of these exploits we hear about publicly, there are probably five we don’t hear about. The massive install base is a huge target.

https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/

Beyond security, there’s a real risk of being deplatformed if your app runs afoul of sometimes-opaque app store approval processes, or the evolving in-app-purchase revenue sharing rules become incompatible with your business model.

Glimmers of what’s next

Hardware wallets today remind me of mp3 players in 2000. There’s a real opportunity for these devices to have an iPod moment. The iPod wasn’t the first mp3 player, but it was the first product to take the converging technological building blocks and wrap them in a well designed product experience.

As the crypto user base pulls more mainstream and people want their products to “just work” without having to understand the underlying complexity quite so much, there’s a real need and opportunity to balance user experience with the novel technology. It’s also important to remember that there was no iPod without iTunes. Rich multi-platform software experiences make these products work.

Some emerging new examples:

These are hardware wallet concepts that we’ve seen Block (formerly Square) experimenting with. No comment on the industrial design but they’re working on some interesting conceptual directions. These are designed to be a companion device for an app on your phone and certain tradeoffs (biometrics, no screen) were made with this in mind. [They’ve been quite transparent in recent months on everything from processor architecture, to key recovery mechanisms, to supply chain design]

I’m fortunate to be on the board of Foundation, which is making a Bitcoin-centric hardware wallet that’s designed to balance user experience with uncompromised security and self-sovereignty. Their first device, Passport, uses a camera to exchange QR codes with a phone app: a truly airgapped design with no wireless radio connection between the devices (and especially easy to support in 3rd party apps vs a Bluetooth/NFC device). Their companion app makes device setup a breeze and longer term will have an increasingly clever backup and recovery service.

Foundation Passport

I also put the Stem Player in this consumer category even though it doesn’t have a blockchain connection right now. This is a product with a dedicated content distribution network associated with it. It speaks to a specific ethos of ownership, participatory media, vibrant subcommunities, and relationship with artists. This is a great example of a product that considers culture a part of its tech stack.

Stem Player

This is a hardware wallet concept from Multi that Eli Rousso and team are working on. It’s a hardware wallet specifically designed around NFTs (in this incarnation) that takes a forward thinking, borderline alien, approach to the design language. Details are sparse, but they’re also strongly in the self-sovereignty camp and it’s another gesture towards new images of technology and our relationship to them as people that’s really exciting to me.

Concept from MULTI

New Technical Architectures

To build one of these products, there are many architectural considerations that are fundamentally reprioritized vs most consumer electronic devices. To name a few:

Key storage, secure elements/enclaves

How are keys stored? What attack vectors do you care about? How hard-line are you on open source? What signature curves do you need to support now and in the future? What do you do if a vulnerability is discovered?

Key provisioning, entropy sources

How do you generate keys in the first place? Does a centralized authority issue them? There are interesting precedents with SIM cards: giant companies like Gemalto have been built around securely provisioning the cellular identities that let phones onto carrier networks. There’s an extremely deep body of knowledge in that industry.

Or do you want the devices themselves to derive keys in a decentralized way? What is your source of randomness in that process? If the process is only semi-random, the seed has far fewer possible values than its length suggests and an attacker can simply enumerate them, so you’re more susceptible to brute force attacks. In an interesting example, Foundation’s Passport incorporates a clever open source circuit design for an entropy source.
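An added Go example (mine, not Foundation’s or any vendor’s code) for the two points just made: a “semi-random” seed is brute-forceable, and an entropy source needs a health check before its output is trusted. It contrasts a 256-bit seed from the OS CSPRNG with a 32-byte seed that really carries only 20 bits of entropy (a hypothetical boot counter), recovers the weak one by enumeration from a public value derived from it, and runs a simplified form of the SP 800-90B repetition count test against a stuck source. `deriveKey` is a hypothetical stand-in for real wallet derivation (BIP32/BIP39), `weakBits`, the counter value and the stuck sample are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// weakBits is the entropy of a deliberately bad seed source (hypothetical: a
// 20-bit boot counter or coarse timestamp), chosen to show how cheap the search is.
const weakBits = 20

// deriveKey stands in for real wallet derivation (BIP32/BIP39 in practice). The
// only property kept is that it is a one-way, deterministic function of the seed,
// so its output can play the role of a public key or address an attacker can see.
func deriveKey(seed []byte) []byte {
	h := sha256.New()
	h.Write([]byte("hypothetical-wallet-kdf:"))
	h.Write(seed)
	return h.Sum(nil)
}

// strongSeed draws 256 bits from the OS CSPRNG: 2^256 candidates, not searchable.
func strongSeed() ([]byte, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return seed, nil
}

// weakSeed is 32 bytes long like strongSeed, but only the low weakBits vary.
// Length is not entropy: the search space is 2^20, not 2^256.
func weakSeed(counter uint32) []byte {
	seed := make([]byte, 32)
	binary.BigEndian.PutUint32(seed[28:], counter&(1<<weakBits-1))
	return seed
}

// recoverWeakSeed is the attacker's side: given a public value derived from the
// seed, enumerate every candidate until one reproduces it.
func recoverWeakSeed(derived []byte) (uint32, bool) {
	for c := uint32(0); c < 1<<weakBits; c++ {
		if bytes.Equal(deriveKey(weakSeed(c)), derived) {
			return c, true
		}
	}
	return 0, false
}

// repetitionCountFails is a simplified SP 800-90B repetition count health test:
// a source that emits the same byte `cutoff` times in a row (a stuck ring
// oscillator, an open noise input) should halt key generation.
func repetitionCountFails(sample []byte, cutoff int) bool {
	run := 0
	for i := range sample {
		if i > 0 && sample[i] == sample[i-1] {
			run++
		} else {
			run = 1
		}
		if run >= cutoff {
			return true
		}
	}
	return false
}

func main() {
	strong, err := strongSeed()
	if err != nil {
		panic(err)
	}
	fmt.Println("strong seed:", hex.EncodeToString(strong))
	fmt.Println("strong seed passes health test:", !repetitionCountFails(strong, 8))

	// Device with a bad entropy source: the "random" seed is really a small counter.
	target := deriveKey(weakSeed(123456))
	if c, ok := recoverWeakSeed(target); ok {
		fmt.Printf("weak seed recovered: counter=%d after at most %d guesses\n", c, 1<<weakBits)
	}

	stuck := bytes.Repeat([]byte{0xAA}, 32) // constructed: output of a dead noise source
	fmt.Println("stuck source fails health test:", repetitionCountFails(stuck, 8))
}
```

The recovery loop finishes in well under a second on a laptop; the same loop against a real 256-bit seed would never terminate, which is the whole argument for a dedicated, tested entropy source rather than a counter, a timestamp, or a PRNG seeded from one.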

Key backup

How do you back up the private keys, if at all? Do people have to write down a seed phrase or engrave them on a steel plate? Is there a way to back them up in the cloud? How secure is that? Do people put them on SD cards (and do the devices need card slots)? Do you spread signing privileges over a number of devices in a multi-sig configuration that requires coordination between multiple parties and/or redundancy for device loss/failure? Do you back up full device state?

Wireless Architectures

How exposed should the device be to the internet and remote attacks? Does the core user experience require connectivity? I believe that for the high frequency + interactivity use cases being imagined, wireless will be required. Designers will be looking at more siloed system architectures where the core key management happens on a dedicated coprocessor, separate from the wireless interfaces and the application processor, which affects both the hardware and firmware in deep ways.

Firmware Security

Smartphones today from major manufacturers are quite sophisticated in this regard but most consumer electronic and IoT devices pay shockingly little attention to firmware security, especially startups but large companies too. Running signed code, secure boot, secure wireless interfaces…mayyyybe a startup thinks about 5 years later on gen 2/3/4 of a new product. But for a crypto-native device you have to plan for this on day 1.

Should a user always be able to sideload their own code? That has tons of implications. You have to decide how thick your tinfoil hat needs to be. Where did you get your source from? Do you trust your compiler? Who has code signing authority? But also the physical interfaces of the devices. Do they all need USB ports? Do they all need desktop clients?

Open Source Model

Is this a requirement for a crypto-native device? In the future, I think so. I believe over time that security by obscurity is going to always lose to an open source model. And not just from the perspective of security itself, but also for composability and new models of community product development & personalization. Today there are clear counterpoints with the Ledgers of the world though.

I think the companies that embrace open source are ultimately going to win, but that undermines business models that revolve around making points of margin off of a one time sale of a hardware widget. The people that are going to succeed at open source are also going to have to succeed at innovating on new service/protocol-centric business models that pair with open source.

Supply Chain Verification

A box shows up in the mail…do you really know where it came from? Has it been opened en route? How do you know that the right code was programmed on it? There are physical design mitigations: maybe you go with ultrasonic welding and heat stakes instead of screws. Maybe you use security tape on the boxes. And there are ways to verify the software to some degree: a checksum catches corruption, but only a signature from the vendor’s key, checked by the device itself at boot, catches a substituted image, because whoever swaps the firmware can just as easily swap the checksum. But how is a normal person ever going to be able to deal with that stuff?
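As an added example (not any vendor’s format or code) for the supply-chain question here and the code-signing questions under “Firmware Security” above: a signed firmware manifest checked at boot, in Go. The vendor signs version||sha256(image) with an Ed25519 key whose public half is burned into the device; the device refuses a bad signature, an older version (anti-rollback) and a hash mismatch, in that order. The tamper scenario shows why a bare checksum is not a supply-chain control: a reseller who reflashes the device recomputes the checksum, but cannot produce the vendor’s signature. The manifest layout, function names and image bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative secure-boot check, not a real vendor format.

type manifest struct {
	version   uint32   // monotonic, for anti-rollback
	imageHash [32]byte // sha256 of the firmware image
	sig       []byte   // vendor Ed25519 signature over version||imageHash
}

// signedBytes is exactly what the vendor signs and the device verifies.
func (m *manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.version)
	copy(buf[4:], m.imageHash[:])
	return buf
}

// vendorRelease runs in the release pipeline, the only place the signing key lives.
func vendorRelease(priv ed25519.PrivateKey, version uint32, image []byte) manifest {
	m := manifest{version: version, imageHash: sha256.Sum256(image)}
	m.sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	errBadSignature = errors.New("manifest signature invalid: not signed by vendor key")
	errRollback     = errors.New("manifest version older than installed firmware")
	errHashMismatch = errors.New("image hash does not match manifest")
)

// deviceVerify is the boot-ROM side. It needs only the vendor public key (burned
// into the device) and the installed version (kept in monotonic storage).
func deviceVerify(vendorPub ed25519.PublicKey, installedVersion uint32, m manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.sig) {
		return errBadSignature // checked first: an unsigned manifest gets no further
	}
	if m.version < installedVersion {
		return errRollback // genuinely signed, but a known-buggy older release
	}
	if sha256.Sum256(image) != m.imageHash {
		return errHashMismatch // signed manifest, wrong image bytes
	}
	return nil
}

// checksumOnly is the weaker check: anyone who modifies the image can recompute
// it, so it detects corruption in transit, not substitution.
func checksumOnly(expected [32]byte, image []byte) bool {
	return sha256.Sum256(image) == expected
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2: genuine wallet code")
	m := vendorRelease(vendorPriv, 2, image)
	fmt.Println("genuine image:", deviceVerify(vendorPub, 1, m, image))

	// Supply-chain tamper: a reseller reflashes the device and updates the checksum to match.
	evil := []byte("constructed firmware image v2: exfiltrates the seed")
	evilHash := sha256.Sum256(evil)
	fmt.Println("checksum-only check passes tampered image:", checksumOnly(evilHash, evil))
	evilManifest := m
	evilManifest.imageHash = evilHash // the vendor signature no longer covers this hash
	fmt.Println("signature check on tampered image:", deviceVerify(vendorPub, 1, evilManifest, evil))

	// Rollback: an old but genuinely signed image with a known bug is refused.
	oldImage := []byte("constructed firmware image v1")
	old := vendorRelease(vendorPriv, 1, oldImage)
	fmt.Println("downgrade attempt:", deviceVerify(vendorPub, 2, old, oldImage))
}
```

Everything a normal person would have to do by hand with a checksum is done here by the boot ROM, which is the answer to the “how is a normal person going to deal with that” question: the user should never see a hash, the device should refuse to boot anything the vendor did not sign.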

More stringent lifetime / reliability requirements

Many of these devices are long term stores of value. I believe they’re going to need to be less disposable than other consumer electronic devices in our lives. That comes with lots of ultimately healthy requirements around device reliability in physical or environmental conditions, battery lifetime etc. Repairability is also a more important factor but usually fundamentally opposed to supply chain verification / tampering concerns.

Biometrics

Like Apple demonstrated with TouchID and later FaceID, biometrics can provide a path to great user experience alongside reasonable security. Those features were all about the UX improvement of not having to put in the passcode every time you unlocked your phone, not really about making it more secure. There’s a rich design space to integrate biometrics with crypto-native devices (which are only lightly adopted beyond fingerprint sensors) but come with serious security tradeoffs.

UI - screens, input devices

Does the device need a (touch)screen? (Block decided their device didn’t) Do you need to verify things like wallet addresses on the device itself vs a companion app? How interactive does it need to be? Do you feel like a frustrated telegraph operator putting in a PIN into your Ledger?

Web3 IoT

Let’s get back to the numbers. Today there are estimated to be over 10B devices on the internet…that’s 2x humans online. The whole IoT thing is happening somewhat slower than projections (especially with the chip shortage), but there are still way more computers on the internet than humans and the gap is widening. The same will be true of web3.

When we think about these crypto-native devices being online and interacting directly with web3 protocols, they’ll need to have equally deep technical architecture and user experience design as humans. We have to think about them as intelligent agents on the network with equally complex considerations.

We’re seeing extremely interesting things happening already with crypto-native IoT devices. Take Helium as an example: They’re a decentralized wireless network where individuals own and operate hotspots that others can send/receive data on in a more permissionless way.

🎈🎈🎈

They’ve seen amazing growth in the last two years and have created LoRaWAN coverage in most major metropolitan areas in the US and increasingly Europe and other parts of the world. They claim to be the “world's largest contiguous wireless network” today.

Snapshot from May 2022

Here’s a chart of active hotspots over time. This is crazy during the chip shortage. Very few hardware companies can draw this chart during the last two years. Their big innovation was using a token incentive model that rewarded hotspot operators for providing provable network coverage before there was significant usage of the network. This incentive system will evolve to reward network usage over time as well and the same tokens will be used to pay for data transfer. Harnessing the value of that potential future market for network build-out was a major breakthrough.

There were times when hotspots on the edge of the network (which cost ~$500) were paying off on the order of two weeks. That’s largely driven by arguably unhealthy levels of speculative pressure, but in this case it was incredibly productive for network expansion.

Thank you @jhiller

Helium started by making their own hotspot that was designed and manufactured in a centralized way, but have expanded to a whole network of third party manufacturers that now build totally different devices that operate on the network.

A world of hotspots

In the old way of thinking, this is just a bad idea. You usually try very hard to minimize the number of versions of a product you have out in the wild. Even supporting a couple old versions of firmware is usually a bad idea, much less completely different hardware products with different code bases that are all supposed to play well together.

This is a fundamentally hard thing but it’s demonstrably starting to work and the benefits start to outweigh the challenges. It’s been interesting to see this evolve. Now you can buy a hotspot from all these different manufacturers.

How do you pick? It’s really hard. And there’s a nice disclaimer telling you to do your own research.

DYOR!

All of these vendors have made slightly different decisions around that full list of architectural considerations we talked about before: How you install the device, what environment it’s designed for (indoor/outdoor), how you get support, etc. It’s a bit of a wild west that’s fairly consumer unfriendly. Some obvious room for improvement in helping people navigate these choices better.

Other people are following that same tokenomic incentive model. There’s Planet Watch that’s doing a similar thing for air quality sensors and data.

Dor, who makes a foot traffic counting system that was primarily being used in retail environments, is now selling their sensor as a miner. Individual operators can now buy these sensors and get compensated for contributing data that is monetized from their SaaS revenue streams.

Dor was a traditional hardware + SaaS company initially and benefited from a mature blockchain platform, Constellation (who ended up acquiring Dor), to launch this new model. Constellation’s platform helps companies launch their own tokens and provides other required infrastructure pieces like a software wallet and a decentralized exchange in addition to strategic crypto-specific support. I expect to see more companies pursue similar tokenomic models by building on platforms instead of getting into the crypto-specific weeds too much themselves.

There’s other token projects/ platforms like IoTeX playing in this space of the physical and digital coming together.

They’re building out systems for people to provide proof of various things in the real world (location, data from an activity monitor, etc.). We’re seeing the emergence of platforms that are productizing the underlying infrastructure for these classes of device.

To recap the key points on how web3 is changing IoT:

1) Tokenomics breaking traditional chicken and egg cap ex dilemmas

Helium is a strong proof point that tokenomics can break traditional barriers in high capital expense network buildout. It’s expensive to build a wireless network. You’re building or leasing towers and installing expensive equipment with specialized labor. In the past, you couldn’t afford to do that unless you had customers already…but who’s going to be your customer without credible wireless coverage? That was the fundamental dynamic that has slowed network expansion historically. Helium is a singular proof point that creative, crypto-driven incentives can break this dilemma and we’re seeing many other projects rapidly applying this approach.

2) Tokenomics dramatically reducing op ex

All these individuals operating wireless infrastructure in a decentralized way has changed the operational expense of running these networks. The network isn’t directly paying up front for site scouting, land, buildings, energy, data backhaul, and maintenance. It’s truly a win-win-win between the infrastructure operators, the users of the network, and the protocol/network level themselves.

The model isn’t a magic wand though. All the same buckets of operational support still need to be in place at someone’s expense, but the tokenomics design incentivizes more efficient, on-demand support from underutilized resources in the ecosystem.

3) Decentralized manufacturing

I was a huge skeptic but there are real proof points now that decentralized manufacturing is working to some degree. There are immense hurdles in customer experience, interoperability, and software upgradability/compatibility to overcome, but if they are overcome, it unlocks transformative customization and supply for users.

4) Pre-order and fulfillment mechanisms

We’re increasingly seeing mechanisms like Planet Watch’s licensing system where you actually buy a license that’s separate from the device itself and can pair the two together. I think we're going to see variations on this more and more for other physical devices. I believe that buying an NFT to hold your place in line or as a preorder is 100% how all physical things will be bought in the future. There’s so many benefits: generating a secondary market and price discovery, extra cash flow for secondary royalties, helping with inventory financing. This is a huge opportunity with lots of correspondingly large challenges.

Culture > Tech

We covered a lot of technical detail/minutiae in this talk, but to close I want to revisit the last point in the tech stack. The cultural change this technology represents and the values that drive its community of builders is the most powerful thing in the space right now. People are building towards autonomy, equitable value distribution, long-lived collective infrastructure, and complex ecosystems. The underlying technology is being dramatically reinvented and re-architected to match those value systems. The new world demands new infrastructure.


Further Reading / Coming Soon:


If you’re interested in building this future, I’d love to talk to you. We have a $100M pre-seed focused fund at Baukunst and a great community of builders to work alongside.
