Earlier this month, cryptocurrency custody firm Casa came under fire on Twitter for some of its security practices. However, it does not seem that the company has publicly addressed any of the concerns that were expressed by a number of cryptocurrency community members.
Specifically, an individual who identifies as “JW Weatherman,” the founder of MathBot.com, expressed serious concerns over some of the language contained in Casa’s Frequently Asked Questions page on one of its products, the Casa Node. The Casa Node allows its users to run nodes for the Lightning Network as well as the Bitcoin Network. Securing the Node involves the generation of a seed phrase and a password.
(While the FAQ page does say that “the Casa Node is NOT a hardware wallet,” the Node is capable of holding cryptocurrency that can be used in transactions. In response to the question, “How much money should I put on this?” Casa writes, “only as much as you’re comfortable losing in case something goes wrong. Don’t get too #reckless.”)
Casa implies that users can “operate under the general assumption that your home network is secure”--but community members say no
However, JW Weatherman took issue with another piece of advice on the page.
Underneath a question that asks, “my browser says this is running over http. Is this secure?” Casa responds that “your Casa Node should only be accessed via http from inside your home network, under the general assumption that your home network is secure.” The response then recommends that users access their Casa Nodes via the Tor network.
“Am I taking crazy pills or do you send seed words over clear text on the local network?”, JW Weatherman wrote on Twitter.
Ray Redacted, the handle of a network and information security researcher with 20 years of expertise in cyber defense research, chimed in that “sending seed words over clear text based on the assumption that the users ‘home network is secure’ isn’t just I’ll advised, it’s practically criminal negligence. (sic)”
Sending seed words over clear text based on the assumption that the users “home network is secure” isn’t just I’ll advised, it’s practically criminal negligence.
This is a big mistake, @CasaHODL. Please invest in a thorough security audit. https://t.co/14mP4GFsHi pic.twitter.com/93RotnAcBo — Ray [REDACTED] (@RayRedacted) October 11, 2019
“Home WiFi networks should be assumed [to be] compromised.”
In other words, Weatherman believes that Casa’s advice to users--which seems to be that they should “operate under the general assumption that your home network is secure”--is a recipe for disaster. This is particularly because Casa sends users’ seed phrases, which can be used to access funds, in a non-encrypted manner (clear text).
“Home WiFi networks should be assumed [to be] compromised,” Weatherman wrote. “With full time security pros I’ve never found a corporate network that was clean.”
This is particularly concerning because Casa is marketed toward wealth managers and family offices, which may hold large amounts of funds.
Other community members responded to Weatherman’s tweets, saying that they had noticed the security flaw earlier this year.
Me and others have warned about this since January: https://t.co/Cr3V8RNxmM
— ReproducibilityMatters (@the_charlatan_) October 11, 2019
Weatherman urged Casa to respond, threatening to post another security flaw if it did not. The firm did respond, but only with directions for further direct contact.
Hi JW. First, if you find a security flaw, please email help@team.casa and we would be happy to test.
Casa is always transparent with our customers about security issues. The use of HTTP is already known and has good reasons. You’re linking to our FAQ page discussing it. — Casa (@CasaHODL) October 11, 2019
“All devices ship with the same default password.”
Unsatisfied with Casa’s response, Weatherman posted details on another aspect of Casa’s security model that he takes issue with: the fact that “all devices ship with the same default password.”
In other words, users who never change the default password (and it is safe to assume that there are some) are at risk of being compromised.
Ok, the second critical security issue of the day for @CasaHODL
And I’m only posting this because it’s clear they won’t respond except through back channel games from @jeremyrwelch going on all day today Is that all devices ship with the same default password. — JW Weatherman | mathbot.com (@JWWeatherman_) October 12, 2019
“With this default password you can access bitcoin with physical access to the device,” Weatherman wrote, “And I wouldn’t be shocked if it can be combined with other flaws to execute this remotely (though I don’t have evidence of that yet).”
“Don’t know what the password is?” Weatherman continued, “no problem either ask your buddy with a Casa node or just email help@team.casa and without any authentication they will give you your password. (sic)”
Don’t know what the password is? No problem either ask your buddy with a Casa node or just email help@team.casa and without any authentication they will give you your password
AND EVERYONE ELSES too. — JW Weatherman | mathbot.com (@JWWeatherman_) October 12, 2019
However, other members of the community have pointed out that Weatherman's criticism of Casa may not be as sound as it seems.
Weatherman going on about Casa. He's right to call it out although there's also technical confusion on his side. Naturally.
— Max (@maxtannahill) October 12, 2019
You're falling for the stupid fud. Tell Weatherman to prove that he can steal funds from a Casa before you believe him.
— flipflop (@forieq0) October 13, 2019
Casa's response
Casa eventually responded with a blog post addressing the security concerns brought by JW Weatherman, saying that "both concerns are known issues that are a result of intentional design decisions," and that "you should always be careful with any Lightning node. Lightning is still #reckless."
There are no known undisclosed security vulnerabilities with Casa Node at this time.
That said — you should always be careful with Lightning, which is still early and #reckless. More details on security concerns raised this weekend here: https://t.co/O0LlIW9qRJ — Casa (@CasaHODL) October 13, 2019
However, Weatherman remains unsatisfied:
The other thing to keep in mind is that neither of these security flaws is present in any of the competitors including @nodl_it
The recent announcement from them was for far less serious issues, but they owned it and fixed it. — JW Weatherman | mathbot.com (@JWWeatherman_) October 13, 2019
Finance Magnates reached out to Casa and JW Weatherman for further commentary on this story but did not receive responses by press time. Commentary will be added as it is received.