Worldcoin orb privacy and security audit report

The Worldcoin project is founded on a commitment to privacy and security. As part of this commitment, project contributor Tools for Humanity (TFH), in conjunction with the Worldcoin Foundation, engaged the respected security experts at Trail of Bits to conduct a specialized audit of the orb’s software. In addition to a typical security assessment, Trail of Bits focused on evaluating a series of privacy and functionality claims related to the orb. 

The final report is available here.

Trail of Bits began their assessment on August 14th, 2023 on a software version frozen July 8th, 2023 with SemVer 3.0.10. As of March 14th, 2024, the current version of software deployed to orbs is 4.0.34 with a first release date of January 17th, 2024. 

TFH provided a series of non-exhaustive technical claims to scope the engagement in an attempt to validate their implementation. These claims targeted the software release of the version frozen July 8th, 2023.

1. For the default opt-out signup flow, no personally identifiable information (PII) except the iris code is collected by the orb

• No PII is written to persistent storage on the orb
• No PII except the iris code leaves the orb (eg. uploaded)

2. For the non-default opt-in signup flow, PII is handled securely by the orb

• The only PII persisted on the device is on the orb’s SSD and asymmetrically encrypted*
• Asymmetrically encrypted PII stored on the orb’s SSD cannot be decrypted by the Orb

3. The Orb does not extract any sensitive data from a user’s device

• The only information the orb collects from a user’s phone is in the QR code.**

4. The user’s iris code is handled securely

• The user’s iris code is not written to persistent storage on the orb
• The user’s iris code is only included in a single request to the orb’s backend ***
• The iris code can only be sent to approved servers, and the network communication is end-to-end encrypted.

* As of the 4.0.XX release, the orb no longer saves any data to the SSD regardless of the data custody option.

** In orb software version 3.0.10 the QR code contained a 128-bit UUID user_id and a data_policy bool representing the user’s data custody choice, and an optional DataCollectionConfig struct for internal use. In software version 4.0.0 the QR code has been modified to include a cryptographic hash that includes the user’s public key, named user_data_hash. This hash is used to validate the correct public key is used when encrypting data to the user’s device. 

*** In software version 4.0.0, a new “Personal Custody” feature will be added where an additional copy of the iris code and biometrics are encrypted directly to the user’s device using the user’s public key.

These claims were further refined into specific goals available in the final report in coordination with Trail of Bits. The orb’s customer user-space applications in Rust and its Debian-based operating system were defined as within scope of this assessment, and the following components were excluded as not applicable to the original claims:

1. Bootloader configuration
2. Driver modifications
3. TrustZone Applications
4. Secure element interface

An exhaustive list of the targets are enumerated in the final report.

Three consultants performed a total of six engineering-weeks of review. Auditors were given full source code access, along with runtime access to two evaluation orbs. While the report describes potential attack surfaces (TOB-ORB-4 and TOB-ORB-5, TOB-ORB-10, and TOB-ORB-11), they conclude that “our analysis did not uncover vulnerabilities in the Orb’s code that can be directly exploited in relation to the Project Goals as described.” Further, while Trail of Bits' review identified some unconfirmed concerns that could theoretically affect project goals, and the affected code has since been updated, the audit did not identify any instances where the project goals would be directly compromised, either through known vulnerabilities or during normal execution.

Trail of Bits auditors provided expert recommendations for additional hardening of the kernel configuration as well as tools and techniques for the runtime software which are available in more detail in the final report.

The assessment concludes that the configuration of the audited version of the software does not retain, nor exfiltrate, PII besides the “iris code” from the orb. Trail of Bits recommended additional configuration hardening changes to enhance the orb’s “defense in depth” to ensure that future changes to the configuration or code do not introduce accidental leakage (finding TOB-ORB-1). 

In cases where users choose to opt-in to data custody, the orb asymmetrically encrypts the PII using the libsodium library in a one-way envelope* construction called a “sealed box.” In the final report, the auditors state “[w]e did not identify any places where PII is persisted outside of the Orb’s SSD and/or unencrypted” and conclude that “once PII is encrypted, the described mechanism does not permit the Orb to decrypt it.”

*The newest code does not save data at all, regardless of the data custody option, but instead reuses this encryption code for the Personal Custody package using the user’s public key.

When a user first interacts with an orb to perform a signup, a QR code is displayed on the user’s device which is processed by the orb. In the relevant code, the auditors did not identify any additional data or information gathered from the user’s device by the orb. The assessment, however, did highlight potential memory safety issues (finding TOB-ORB-4 in the final report) with the library used to scan the QR code (ZBar). In response, the vulnerable library was replaced with a pure-Rust barcode scanning library, rxing.

The auditors attempted to validate claims related to how the “iris code” is handled and communicated to the backend. They report that “we believe the iris code is not written to persistent storage on the Orb and that it is included only in a single request to the Orb’s back end,” and that “[w]hile this configuration can be improved to make it more secure (TOB-ORB-10), it should not be possible for typical attackers to extract the iris code from the Orb’s network traffic; the attacker would have to be in control of one of the trusted certificates.”

The full report of Trail of Bits’ thorough analysis contains all of the individual findings and their remediations, along with additional analysis of the claims. 

This was not the first, nor will it be the last, third-party security evaluation of the orb, and additional reports will be shared with the community as they become available. 

You can help keep the Worldcoin project secure by participating in the Worldcoin bug bounty program. Additional important information concerning the project is available in the Worldcoin protocol whitepaper.