# Having a default pairing password on Keycard To simplify user experience the idea of using a fixed, default pairing password when setting up Keycard with Status has come up. The idea is that this way we can do pairing without any user interaction, unless the user intentionally changed the pairing password (the option to do so will remain). Since this has effects on security, to better evaluate the risks let's consider how the SecureChannel works and what the pairing password is for. ## SecureChannel - The SecureChannel is used to encrypt and authenticate all commands and responses between card and app. A session key is generated each time using ECDH and hashing the result together with a pairing secret. - The pairing secret is generated the first time a client/card combination need to communicate. - To generate the pairing secret a random challenge is exchanged. This random challenge is concatenated and hashed with a pre-shared key that both client and card must know and which is not transmitted. - The pre-shared key is derived from the password using PBKDF2. - The pairing secret once generated is saved in a pairing slot on the card and doesn't change even if the pairing password changes. - Changing the pairing password means changing the pre-shared key needed to create new pairings ## Attack scenarios if the pairing password is compromised (or is a fixed one) If the attacker can listen to communication during pairing, they will intercept the random challenges and together with the known password, they can generate the same exact pairing secret as the legitimate user. This wouldn't be possible with a unknown pairing password. In this case the attacker becomes able to communicate with the card. Without the PIN however no operations are actually allowed, except discovering the PIN/PUK retry counter and/or attempting PIN/PUK authentication (eventually blocking the card if bringing the counter to 0). This would allow the attacker to have up to 2 free tries every time the regular user inserts the correct PIN (resetting the retry counter). Since the PIN is 6 digits, the user might change the PIN, the user might do a wrong PIN attempt (blocking the card if the attacker used 2 attempts) which would then result in the PIN changing and/or the card being reset this attack route seems extremely unlikely to succeed. Because ECDH is used to generate session keys, an attacker with a stolen pairing secret still cannot decrypt communication logs for sessions they didn't establish. The attacker becomes able to perform an active MITM attack however. This means they pose as the card to the client and as the client to the card during the session key generation procedure. This way they can act as a relay and decrypt all traffic, including the PIN or even the seed/mnemonic if the user is loading a new account during the attack. ## Attack routes While the active MITM attack is severe and defeats the security of the card, the routes to perform such an attack require comprimising the user machine in a way were several other, probably easier, attack scenarios become available. The notes below apply not only to the MITM attack but even to just be able to intercept any communication between card and client software. Modifications/additions to the card reader would be both visible and complex on both mobile and PC. A modified card reader would require autonomous network connection and attack firmware because it doesn't have the ability to send commands to the computer. On a phone it would be even more difficult because the reader is inside the body of the device. A more realistic attack route would be a malicious usb or pcsc driver. With driver signing being now pervasive, this attack route seems also very limited and also require to have the user install the malicious driver somehow. Finally, the malicious client approach is possible (fake Status client), but in that case it wouldn't pay the effort to do an active MITM attack since the malicious client could simply transmit to the attacker all mnemonics it generates or are input by the user much more easily.