Has Crypto Custody Company Casa Failed Cybersecurity 101?

Friday, 25/10/2019 | 08:03 GMT by Rachel McIntosh
  • Cryptocurrency community members have expressed serious concerns over some aspects of Casa's security practices.
Has Crypto Custody Company Casa Failed Cybersecurity 101?
Finance Magnates

Earlier this month, cryptocurrency custody firm Casa came under fire on Twitter for some of its security practices. However, it does not seem that the company has publicly addressed any of the concerns that were expressed by a number of cryptocurrency community members.

Specifically, an individual who identifies as “JW Weatherman,” the founder of MathBot.com, expressed serious concerns over some of the language contained in Casa’s Frequently Asked Questions page on one of its products, the Casa Node. The Casa Node allows its users to run nodes for the Lightning Network as well as the Bitcoin Network. Securing the Node involves the generation of a seed phrase and a password.

(While the FAQ page does say that “the Casa Node is NOT a hardware wallet,” the Node is capable of holding cryptocurrency that can be used in transactions. In response to the question, “How much money should I put on this?” Casa writes, “only as much as you’re comfortable losing in case something goes wrong. Don’t get too #reckless.”)

Casa implies that users can “operate under the general assumption that your home network is secure”--but community members say no

However, JW Weatherman took issue with another piece of advice on the page.

Underneath a question that asks, “my browser says this is running over http. Is this secure?” Casa responds that “your Casa Node should only be accessed via http from inside your home network, under the general assumption that your home network is secure.” The response then recommends that users access their Casa Nodes via the Tor network.

“Am I taking crazy pills or do you send seed words over clear text on the local network?”, JW Weatherman wrote on Twitter.

Ray Redacted, the handle for a network and Information Security researcher with 20 years of expertise in cyber defense research, chimed in that “sending seed words over clear text based on the assumption that the users ‘home network is secure’ isn’t just I’ll advised, it’s practically criminal negligence. (sic)”

”Home WiFi networks should be assumed [to be] compromised.”

In other words, Weatherman believes that Casa’s advice to users--which seems to be that they should “operate under the general assumption that your home network is secure”--is a recipe for disaster. This is particularly because Casa sends users’ seed phrases, which can be used to access funds in a non-encrypted manner (clear text.)

“Home WiFi networks should be assumed [to be] compromised,” Weatherman wrote. “With full time security pros I’ve never found a corporate network that was clean.”

This could be particularly concerning because of the fact that Casa is marketed toward wealth managers and family offices, which could potentially have a large amount of funds.

Other community members responded to Weatherman’s tweets, saying that they had noticed the security flaw earlier this year.

Weatherman urged Casa to respond with the threat of posting another security flaw. The firm did respond, but only with directions for further direct contact.

"All devices ship with the same default password.”

Unsatisfied with Casa’s response, Weatherman posted details on another aspect of Casa’s security model that he takes issue with: the fact that “all devices ship with the same default password.”

In other words, users who never change their passwords from the default (and it is safe to assume that there are some are at risk of being compromised.)

“With this default password you can access bitcoin with physical access to the device,” Weatherman wrote, “And I wouldn’t be shocked if it can be combined with other flaws to execute this remotely (though I don’t have evidence of that yet).”

“Don’t know what the password is?” Weatherman continued, “no problem either ask your buddy with a Casa node or just email help@team.casa and without any authentication they will give you your password. (sic)”

However, other members of the community have pointed out that Weatherman's criticism of Casa may not be as sound as it may seem.

Casa's response

Casa eventually responded with a blog post addressing the security concerns brought by JW Weatherman, saying that "both concerns are known issues that are a result of intentional design decisions," and that "you should always be careful with any Lightning node. Lightning is still #reckless.‬"

However, Weatherman remains unsatisfied:

Finance Magnates reached out to Casa and JW Weatherman for further commentary on this story but did not receive responses by press time. Commentary will be added as it is received.

Earlier this month, cryptocurrency custody firm Casa came under fire on Twitter for some of its security practices. However, it does not seem that the company has publicly addressed any of the concerns that were expressed by a number of cryptocurrency community members.

Specifically, an individual who identifies as “JW Weatherman,” the founder of MathBot.com, expressed serious concerns over some of the language contained in Casa’s Frequently Asked Questions page on one of its products, the Casa Node. The Casa Node allows its users to run nodes for the Lightning Network as well as the Bitcoin Network. Securing the Node involves the generation of a seed phrase and a password.

(While the FAQ page does say that “the Casa Node is NOT a hardware wallet,” the Node is capable of holding cryptocurrency that can be used in transactions. In response to the question, “How much money should I put on this?” Casa writes, “only as much as you’re comfortable losing in case something goes wrong. Don’t get too #reckless.”)

Casa implies that users can “operate under the general assumption that your home network is secure”--but community members say no

However, JW Weatherman took issue with another piece of advice on the page.

Underneath a question that asks, “my browser says this is running over http. Is this secure?” Casa responds that “your Casa Node should only be accessed via http from inside your home network, under the general assumption that your home network is secure.” The response then recommends that users access their Casa Nodes via the Tor network.

“Am I taking crazy pills or do you send seed words over clear text on the local network?”, JW Weatherman wrote on Twitter.

Ray Redacted, the handle for a network and Information Security researcher with 20 years of expertise in cyber defense research, chimed in that “sending seed words over clear text based on the assumption that the users ‘home network is secure’ isn’t just I’ll advised, it’s practically criminal negligence. (sic)”

”Home WiFi networks should be assumed [to be] compromised.”

In other words, Weatherman believes that Casa’s advice to users--which seems to be that they should “operate under the general assumption that your home network is secure”--is a recipe for disaster. This is particularly because Casa sends users’ seed phrases, which can be used to access funds in a non-encrypted manner (clear text.)

“Home WiFi networks should be assumed [to be] compromised,” Weatherman wrote. “With full time security pros I’ve never found a corporate network that was clean.”

This could be particularly concerning because of the fact that Casa is marketed toward wealth managers and family offices, which could potentially have a large amount of funds.

Other community members responded to Weatherman’s tweets, saying that they had noticed the security flaw earlier this year.

Weatherman urged Casa to respond with the threat of posting another security flaw. The firm did respond, but only with directions for further direct contact.

"All devices ship with the same default password.”

Unsatisfied with Casa’s response, Weatherman posted details on another aspect of Casa’s security model that he takes issue with: the fact that “all devices ship with the same default password.”

In other words, users who never change their passwords from the default (and it is safe to assume that there are some are at risk of being compromised.)

“With this default password you can access bitcoin with physical access to the device,” Weatherman wrote, “And I wouldn’t be shocked if it can be combined with other flaws to execute this remotely (though I don’t have evidence of that yet).”

“Don’t know what the password is?” Weatherman continued, “no problem either ask your buddy with a Casa node or just email help@team.casa and without any authentication they will give you your password. (sic)”

However, other members of the community have pointed out that Weatherman's criticism of Casa may not be as sound as it may seem.

Casa's response

Casa eventually responded with a blog post addressing the security concerns brought by JW Weatherman, saying that "both concerns are known issues that are a result of intentional design decisions," and that "you should always be careful with any Lightning node. Lightning is still #reckless.‬"

However, Weatherman remains unsatisfied:

Finance Magnates reached out to Casa and JW Weatherman for further commentary on this story but did not receive responses by press time. Commentary will be added as it is received.

About the Author: Rachel McIntosh
Rachel McIntosh
  • 1509 Articles
  • 58 Followers
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.

More from the Author

CryptoCurrency