ClavaStack

Menu
Menu

🌍World Wide Shipping

Security even for paranoid people

Specter DIY Sicherheit. Ohne Virus, Hacker und Internet. Airgapped Sicher und Transparent.

The Specter DIY hardware wallet was created by Stepan Snigirev in 2019 because the devices available at the time did not meet his strict security requirements. Specter was a completely open-source Bitcoin-only wallet that anyone could build themselves and whose code could be independently verified. Since then, a significant portion of the software has also been used in the SeedSigner and Krux projects.

Security features

Firmware and software security

Open source

The firmware of the Specter DIY is completely open source and freely usable by other, even commercial, projects. A large portion of the code is therefore used by the SeedSigner and Krux projects, which underscores the security and robustness of the code.

Here is the entire code

Reproducible builds

Don't trust, verify! Specter DIY's firmware is fully reproducible. This means anyone can compile the open-source code independently and ensure that the resulting software matches the official version. Detailed instructions and additional information about the reproducible builds are available on the official GitHub available.
 

You can also sign the software yourself to ensure you're using the official version of Specter. This is much easier; you can find a Instructions

Secure Boot

The Specter DIY's firmware is signed exclusively by the official developers of the Specter Association. With every update, the device checks the digital signature to ensure only verified and authentic versions are installed. This ensures that no compromised or tampered software makes its way onto your device unnoticed.

Anti-phishing words

When the device is first started, a unique secret is generated on the main microcontroller. This secret allows you to check if the device has been replaced with a tampered one – when you enter your PIN, you'll be presented with a list of words that always remains the same. As long as this list of words remains the same, you can be sure that the device hasn't been tampered with during that time.

Seed phrase management

Seed custody

Save seed phrase to the internal device memory (not recommended)

Your PIN code and the unique secret (see Anti-Fishing Words) are used to generate a decryption key for your Bitcoin seed phrase (if you save it). Even if an attacker could bypass the PIN screen, decryption would still fail.

If you lock the firmware (instructions for how to do this follow), the secret key material will also be effectively locked. If an attacker attempts to install a different firmware on the device, this secret will be erased. You'll notice this because the word sequence differs when entering the PIN code. However, this method is not recommended, as it is theoretically possible to extract the seed phrase using techniques such as lasers or acid.

Save seed phrase outside the device: Temporary Seed

Therefore, the Bitcoin seed phrase is typically only stored in the RAM during active use and is deleted when the device is turned off. The seed phrase is thus stored outside of the Specter DIY. Typically, the 12 or 24 seed words are written down on paper and entered via the large touchscreen when using the device, conveniently scanned as a seed QR code, or imported from an SD card.

Recommendation: Multiple copies of the seed phrase should be created and stored in different secure locations. It is recommended to store them in tamper-evident bags or in the backup stack. Additionally, a passphrase or a multi-signature setup should be used. This allows for detection of potential theft of the seed phrase and prevents access to the Bitcoin through the additional backups and/or the passphrase.

Seed storage on the secure element of the smartcard

The Specter Shield and Specter Shield Lite offer all the features of the Specter DIY plus a smartcard option. This allows you to store the Bitcoin seed phrase encrypted on the secure element of the removable smartcard. For a potential thief to access the Bitcoin seed phrase, they would need three different secrets: a random secret on the secure element (smartcard), a random secret on the microcontroller, and a random secret on the microcontroller. (Specter Shield) and a secret of your choice, the device PIN. If 10 incorrect device PINs are entered, the smart card with the Secure Element becomes unusable, and this seed phrase can no longer be generated by the Secure Element. This limits brute-forcing (multiple guessing) of the PIN to 10 attempts. 

Wallet seed generation

The security of the Specter DIY is based on a robust generation of the private seed phrase by combining several entropy sources:

  1. Random generator: A hardware-based True Random Number Generator (TRNG) on the microcontroller generates true random numbers.
  2. Touchscreen interactions: The time and position of each touch on the touchscreen are measured. The resulting entropy is collected in a hash and updated with each subsequent touch.

These sources are combined and hashed to create a high-entropic seed phrase that is more secure than any single source alone.

Optional can also be playfully simple and transparent Incorporate real life randomness into seed phrase generation by means of coin tosses, where a coin can be flipped for each single bit. 

Additional security features

Only Bitcoin and Liquid support

The Spectre DIY can be operated not only with the Bitcoin mainnet, but also with the Liquid mainnet (a second-layer solution for Bitcoin). It also supports various test networks: Testnet, Signet, Regtest, Liquid Testnet, and Liquid Regtest. Since it supports only Bitcoin and no altcoins, the code remains lean, thus reducing potential attack surfaces. The networks are strictly separated from each other – each wallet is always assigned to a specific network. This means that a wallet imported into the testnet is not available on the mainnet or Regtest. If you want to use a wallet on another network, you must first switch to that network and import the wallet there separately.

Secure display

The Specter DIY is designed for scenarios where your computer may be compromised and therefore untrustworthy. The large touchscreen display allows you to directly and securely review all important information—such as transactions, receiving addresses, fees, and other details.

Rules for transactions signed by Specter DIY

  • Warning for mixed inputs: If inputs from different wallets are detected in a transaction, the user is warned on the display. This protects against potential attacks aimed at manipulation.
  • Warning about unusual change addressIf the Specter DIY detects a suspicious or unusual change address, the user is clearly warned on the display. This check is performed for both single-sig and multi-sig transactions to ensure maximum security.
  • Change outputsChange addresses (return outputs) display the name of the wallet to which they are sent. This ensures full transparency and control.
  • Multisig or miniscript usageTo use multisig or miniscript transactions, you must first import the corresponding wallet. This is done by adding the wallet descriptor via QR code, USB, or SD card.

Communication options

The Specter DIY offers three different methods to communicate with the companion app on the internet-connected device.

Air-Gapped

Two of these communication methods are completely air-gapped, meaning there is no physical connection to the other device. This type of communication is also particularly transparent, as the user can always see exactly what information is being transmitted.

via QR code (recommended)

This is the most secure form of communication: Data is exchanged completely air-gapped and transparently via QR codes with the companion app. A separate microcontroller is used to scan the QR codes, so image processing takes place outside of the safety-critical main microcontroller.

via SD card (not recommended)

Communication via the SD card is also air-gapped: The card is plugged back and forth between the Specter DIY and the internet-enabled device. However, this method offers a larger attack surface, as the data exchange takes place directly via the security-critical microcontroller, thus providing a larger attack surface.

not air-gapped (not recommended)

This method of communication is not quite as secure because the communication is less transparent. 

via cable (not recommended)

Communication via mini or micro USB cable is also possible. This is very convenient, but less transparent and not quite as secure as using QR codes.

Privacy features

multiple accounts

The Specter DIY enables secure management of multiple accounts by storing their xPubs on the device. Wallet descriptors are imported via QR code, USB, or SD card. Accounts can be individually named for clarity.

Coin Control

With Specter DIY, you can easily select exactly which UTXOs you want to use for each transaction.

Notice

The Specter DIY is designed for self-sufficient Bitcoiners who know or want to learn how to securely store their Bitcoin. The Specter DIY offers maximum freedom in your Bitcoin storage and does not have built-in parental controls, so it supports some features that, if used improperly, do not ensure maximum security. These optional features are marked "not recommended" on this page.

For the sake of completeness, you can find the Specter DIY GitHub security page. Even if a lot of things are repeated there.

Pages

Home

Specter DIY Features

Specter DIY Security

Uncle Jim Wallet

About Us

 

Products

Specter DIY

Specter Shield

Safety talk

Backup Stack

Security bag

Guidelines

imprint

Privacy Policy

Cancellation policy

Terms and Conditions

Social Media
X-twitter Instagram YouTube
Newsletter

Subscribe