Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: Stedsm on July 03, 2019, 10:24:15 AM



Title: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 03, 2019, 10:24:15 AM
What if someone goes for cheap (2nd hand) hardware rather than buying it from official website just because s/he may be getting it for way cheaper (like 10-20 bucks)?

And even if the website is one of the most trustworthy *sellers, what if they're giving these hardware at discounted rates (not so cheap but hey, who doesn't like saving)? Can these hardware also be one of the used ones? Can they also attach a malware in those hardware?

*By saying Sellers, I didn't mean they cannot sell you vulnerable devices are their entire credibility gets limited to being trusted in terms of selling and after that, consequences may be different than what we expect once we've got some coins in that hardware.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AB de Royse777 on July 03, 2019, 10:33:00 AM
What if someone goes for cheap (2nd hand) hardware rather than buying it from official website just because s/he may be getting it for way cheaper (like 10-20 bucks)?

And even if the website is one of the most trustworthy *sellers, what if they're giving these hardware at discounted rates (not so cheap but hey, who doesn't like saving)? Can these hardware also be one of the used ones? Can they also attach a malware in those hardware?

*By saying Sellers, I didn't mean they cannot sell you vulnerable devices are their entire credibility gets limited to being trusted in terms of selling and after that, consequences may be different than what we expect once we've got some coins in that hardware.
I can talk about the Ledger Nano S since I have one. In Nano S if you want to setup a new device then just create a new 24 word seed with passcode then it's all yours. No matter you bought the Ledger 2nd hand or brand new. Now to restore the wallet you just need those 24 word seed and the passcode.

I hope this finds your answer?

Warning: Do not use any seed and passcode given by any seller or anyone else.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AdolfinWolf on July 03, 2019, 10:35:31 AM
Yes, you can *presumably* attach some sort of malware to the ledger nano S, or preset a wallet/pin, which is why they usually recommend you to factory reset your ledger if you get it second-hand (and make sure the firmware is updated).

If the hardware has been tampered with, well then you're kind of fucked, unless you know how to safely remove it. (Big balls if you were to continue using that ledger s though.)


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Lucius on July 03, 2019, 10:42:49 AM
The only risk which comes with a second-hand hardware wallets is that you can get wallet with pre-generated seed, and if you are not aware of the dangers which arise from that, fact that you use wallet with seed which is known to someone else leads to almost guaranteed loss of your funds. That should be resolved only by resetting devices to the factory settings and set-up with new seed.

Modification of hardware is also possible, but this is not easy process and requires specific technical knowledge. I see this option acceptable for hackers only if they have targeted user who is having significant amount of crypto, otherwise such modified device can come into the hands of someone who have only $100 or something like that.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bitmover on July 03, 2019, 11:37:24 AM
For 10 bucks it's not worth.
In this case, I consider any hardware that came from second hand user as permanently compromised. I would just discard it.

A hacker could have access to it and made hardware modifications, or even a firmware modification. I am no specialist, I know my limitations, I could be cheated this way. So I prefer and I advise only buying from official retailer.

Even if the seller is trusted or whatever they are not professionals. Someone who works there may have access to the hardwallet and made a modification.


If you are buying a hardware wallet and want to save 10-20 bucks just wait for a Black Friday or some other promotion (ledger makes a lot of promotions in their website).

It is not worth trading security for 10-20 bucks, specially in a hardware wallet, that you are buying to feel 99.9999% safe.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AdolfinWolf on July 03, 2019, 12:07:05 PM

If you are buying a hardware wallet and want to save 10-20 bucks just wait for a Black Friday or some other promotion (ledger makes a lot of promotions in their website).

It is not worth trading security for 10-20 bucks, specially in a hardware wallet, that you are buying to feel 99.9999% safe.
Agreed. I myself would never use a second-hand hardware wallet, simply because I don't necessarily know if the firmware hasn't been tampered with, or if the hardware is all original. I don't have the expertise, and even if I would, it still wouldn't be worth the 0.01% chance that I missed something about the device for 20$ off. Not worth it.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: NeuroticFish on July 03, 2019, 12:47:29 PM
Modification of hardware is also possible, but this is not easy process and requires specific technical knowledge.

I would not be surprised if sooner or later (if not already!) some sellers can give out devices that look like and behave almost like normal Ledger / Trezor / whatever, but containing a small modification allowing them find out your private key or seed. Somebody can mass produce them and sell them cheap. They'll get back the investment when they'll start stealing your money.

Maybe I'm too paranoid, but I bought my Ledger from their website and I would clearly ever avoid "re-sellers" or "second-hand" devices.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 03, 2019, 01:35:22 PM
<snip>
Thanks for that reply--I'm seriously considering a purchase of a Ledger Nano S from Amazon, but I'd thought of buying one second hand for a while.  I've never owned a hardware wallet before and don't really know a hell of a lot about them (which is why I'm reading threads like this).

I assume the Ledger is the best....?  When I browse hardware wallets on Amazon, there are just so many to choose from.  

I would not be surprised if sooner or later (if not already!) some sellers can give out devices that look like and behave almost like normal Ledger / Trezor / whatever, but containing a small modification allowing them find out your private key or seed.
I wouldn't be surprised either.  Counterfeit crap is everywhere, and making a fake hardware wallet with some sort of key-stealer would be an ideal scam.  No doubt someone somewhere is working on such a thing.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 03, 2019, 01:50:40 PM
In this case, I consider any hardware that came from second hand user as permanently compromised. I would just discard it.

I'm biased on my decision here as some here believe that factory-resetting it could save me even on a 2nd hand hardware too? What's your take on this?

Quote
A hacker could have access to it and made hardware modifications, or even a firmware modification. I am no specialist, I know my limitations, I could be cheated this way. So I prefer and I advise only buying from official retailer.

Ok, I've got one more question about official hardware (from their official website).

What IF:
- I use official ledger hardware on a compromised PC?
- Isn't Ledger's official hardware prone to clipboard copy-paste scams where you copy a BTC address and a malware detects and changes it to another address? Is such hardware safe from it?

Quote
If you are buying a hardware wallet and want to save 10-20 bucks just wait for a Black Friday or some other promotion (ledger makes a lot of promotions in their website).

It is not worth trading security for 10-20 bucks, specially in a hardware wallet, that you are buying to feel 99.9999% safe.

I got that, you actually got me wrong there.
You're mistaken here as you are taking it like $10 discount but I've asked my question based on - if some sellers sell it way cheaper for a measly $10 - $20 as that's what lures cheap buyers to fall for these deals.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: NeuroticFish on July 03, 2019, 02:04:16 PM
if some sellers sell it way cheaper for a measly $10 - $20 as that's what lures cheap buyers to fall for these deals.

My advice is: if one has the money for a proper hardware wallet, buy one from the producer. 60 EUR for a Ledger Nano S is not that much imho.
If one doesn't have that money he can always print paper wallets or use Tails + Electrum as cold wallet.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HeRetiK on July 03, 2019, 02:48:01 PM
I would not be surprised if sooner or later (if not already!) some sellers can give out devices that look like and behave almost like normal Ledger / Trezor / whatever, but containing a small modification allowing them find out your private key or seed. Somebody can mass produce them and sell them cheap. They'll get back the investment when they'll start stealing your money.

Non-genuine Trezor Ones have already been spotted in the wild:
https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7

I'm not sure if any malicious intent (beside selling fake products) has been ascertained though. They might have just been 1:1 copies sold by a third party without any changes whatsoever.

In general Trezor firmware integrity is ensured by the wallet web interface. IIRC Ledger has a similar mechanism in place. Hardware integrity can not be ensured this way though -- I'm not sure if it would be even possible to verify hardware integrity on the software level -- which still leaves room for threats like the Evil Maid Attack: https://wiki.trezor.io/Security:Threats#Evil_maid_attack_-_replacing_Trezor_with_a_fake


What IF:
- I use official ledger hardware on a compromised PC?
- Isn't Ledger's official hardware prone to clipboard copy-paste scams where you copy a BTC address and a malware detects and changes it to another address? Is such hardware safe from it?

- Hardware wallets such as the Ledger and Trezor will protect your private key from compromised PCs
- They will not protect you from clipboard copy-paste malware. It's still up to you to (1) compare the address on your computer with the address as displayed on the hardware wallet and to (2) if possible, verify the address over a separate channel (ie. if you received the address via email, check on your mobile device as well or make a phone call with your counterparty)


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bitmover on July 03, 2019, 03:50:29 PM
What IF:
- I use official ledger hardware on a compromised PC?
- Isn't Ledger's official hardware prone to clipboard copy-paste scams where you copy a BTC address and a malware detects and changes it to another address? Is such hardware safe from it?

You can use it on compromised pc.

They already patched it and now the address is displayed in Ledger Nano LED visor. (On the device, theoretically unhackable)

Quote
I got that, you actually got me wrong there.
You're mistaken here as you are taking it like $10 discount but I've asked my question based on - if some sellers sell it way cheaper for a measly $10 - $20 as that's what lures cheap buyers to fall for these deals.
I would not use it even for free.  Not worth the risk.
As I said, it is a permanently compromised device


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 03, 2019, 04:35:48 PM
I assume the Ledger is the best....?  When I browse hardware wallets on Amazon, there are just so many to choose from.

Amazon? Are such hardware wallets sold on Amazon officially (or by the official team) or are you going to buy a 2nd hand device over there?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 03, 2019, 07:29:02 PM
I assume the Ledger is the best....?  When I browse hardware wallets on Amazon, there are just so many to choose from.

Amazon? Are such hardware wallets sold on Amazon officially (or by the official team) or are you going to buy a 2nd hand device over there?
Ehhh....I don't know if they're by the official team, but I'm assuming so since what I just purchased is brand new.  It's definitely not a second hand thing.  

Maybe I'll make a followup post here once I receive the item.  This is the link to it on Amazon (https://www.amazon.com/gp/product/B07FCC1F7M/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1), so maybe you or someone else can advise me on whether I made the right choice or not.  I'm a complete ignoramus about hardware wallets, but I'd heard great things about the Ledger Nano S.  

Edit:

<snip>
Thank you so much for that information, it really helps.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: o_e_l_e_o on July 03, 2019, 10:04:38 PM
This is the link to it on Amazon (https://www.amazon.com/gp/product/B07FCC1F7M/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1), so maybe you or someone else can advise me on whether I made the right choice or not.
Yeah, that's sold by Ledger themselves, via their Amazon supplier. You can see the link to their Amazon page from their own site here: https://shop.ledger.com/pages/retailers. You can rest assured you've bought a legit and brand new device.

Even so, when the device arrives, you should still perform some basic checks to ensure it is genuine and to initialize it for the first time. Step by step instructions can be found here: https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine. Work your way down the sidebar, to "Check if device is genuine", "Set up as new device", and "Update device firmware".

There's lots of other good information on their support site which would be worth a read. The official Ledger companion software is Ledger Live which you will also need to familiarize yourself with if you want to use it. The Ledger is compatible with many other wallets though, and Ledger + Electrum is a particularly popular combination.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Pmalek on July 04, 2019, 08:07:03 AM
@The Pharmacist
I think you made a good choice with the Ledger Nano S. You don't strike me as the type of person who holds bags of different Altcoins so if you are going to use your Nano S for Bitcoin + maybe 1 or 2 additional Alts you will be satisfied with your purchase.

Some users have complained that they can't install more than 2 different Apps on Ledger Live. Others have reported that they have 10 apps installed at the same time so I am not really sure what is causing all that. I held a maximum of 4 apps at the same time but I am now back to just 2.

The initial installation of the device is a bit of a lengthy process but I wouldn't have it any other way really. You have to take note of your seed and then re-enter and confirm every single word on the device itself. But this is a good thing because if you made a mistake somewhere the device will give you an error.

Make sure you remember your PIN because you can only make 3 mistakes while entering it, after the 3rd mistake the device wipes itself clean.       


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Lucius on July 04, 2019, 09:39:59 AM
~snip~

For sure many bad people work on fake hardware wallets, but majority of crypto users know that only safe way to buy hardware wallet is to order it directly from the manufacturer. Of course there are those who will try to save some money, and they always look for cheaper solution which makes them ideal targets for fake hardware wallets.

What worries me is the possibility of compromising the official distribution chain, in a way that fake devices get mixed with originals and that some company is not even aware that it sell fake devices. Regarding the number of resellers of hardware wallets, this is not an option that should be neglected.




Some users have complained that they can't install more than 2 different Apps on Ledger Live. Others have reported that they have 10 apps installed at the same time so I am not really sure what is causing all that. I held a maximum of 4 apps at the same time but I am now back to just 2.

Make sure you remember your PIN because you can only make 3 mistakes while entering it, after the 3rd mistake the device wipes itself clean.       

Number of apps installed on Ledger Nano S is not mystery, everything is clearly explained. We have stand-alone apps (BTC / ETH) which are bigger in size, and we have dependent apps, which are based on them. So if you install Bitcoin app only, then it is possible to install more apps which are based on Bitcoin (up to 10), but if you use Bitcoin+ETH app you reduce size of storage significantly.

The point is that we can have more than two or three app in same time, but key is in app combinations. Some more info can be read here (https://support.ledger.com/hc/en-us/articles/115005171425).

3 times entered wrong PIN (in a row) does not mean loss of coins; if the user has the seed then it will just take some time to recover such a wallet. But I agree it is not easy to type 24 words on Nano S, so be careful with PIN.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AB de Royse777 on July 04, 2019, 12:42:04 PM
<snip>
Thanks for that reply--I'm seriously considering a purchase of a Ledger Nano S from Amazon, but I'd thought of buying one second hand for a while.  I've never owned a hardware wallet before and don't really know a hell of a lot about them (which is why I'm reading threads like this).

I assume the Ledger is the best....?  When I browse hardware wallets on Amazon, there are just so many to choose from.  


I have been using my Ledger Nano S from last 2016 (if I remember the year correctly) 13/6/2017 (order date). So far I never had any issue with it. So, I will give you positive support for it.

It was costing me  81.75 € but now it's a lot more cheaper (€59.00) in their official website.

There are not much risk (in my opinion) buying a 2nd hand Ledger but since we are going to store thousands of dollar worth of Bitcoin and other altcoins then why would we just want to save some money when we buy one. This was my original thought when I ordered it from their official website.

By the way, one thing I love about ledger is the varieties of coin they support. I can store my NEO, ADA, ETH, Wabi safely there.

Check: https://shop.ledger.com/pages/crypto-currency-assets

Side note: Seems like I gave you a paid lecture LOL but trust me this came from the satisfaction I had or have with using this product.
It's not a paid feedback/lecture or whatever you call it :-)



Some users have complained that they can't install more than 2 different Apps on Ledger Live. Others have reported that they have 10 apps installed at the same time so I am not really sure what is causing all that. I held a maximum of 4 apps at the same time but I am now back to just 2.

       
I uninstall the one I do not need or I am okay to use later and install the one I need for my current operation. It's not that much hassle. The security is the key that I feel with my Ledger Nano S


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 05, 2019, 07:03:27 AM
I have been using my Ledger Nano S from last 2016 (if I remember the year correctly) 13/6/2017 (order date). So far I never had any issue with it. So, I will give you positive support for it.

It was costing me  81.75 € but now it's a lot more cheaper (€59.00) in their official website.

There are not much risk (in my opinion) buying a 2nd hand Ledger but since we are going to store thousands of dollar worth of Bitcoin and other altcoins then why would we just want to save some money when we buy one. This was my original thought when I ordered it from their official website.

I can totally understand that but those who are interested in acknowledging the technology by using it and if they don't have much to spend upon it or willingly uninterested to do so (like newbies with least information or others with some information but don't want to spend higher), while they can get it for almost 50 - 70% less (maybe the hardware could be a first copy - pirated kinda and not the original one or even a 2nd hand but original Ledger wallet) will definitely give it a shot rather than going for the official one, no?

Is anybody here aware of Black Friday deals on such hardware during that event? If yes, what's the least one can purchase them for? And are they original too or they should also be considered 2nd hand?

A question somewhat related to this topic:
My friend purchased a 2nd hand PC and the person he bought it from, used to mine alts in it which clearly means that the previous owner held crypto in it (maybe BTC too).

So, to save the current owner (my friend) from any possible malware the old owner may have had installed in this PC, what should we do to prevent ourselves? Will a complete OS change work out? Like if we install new Windows without keeping old Windows.dat file in his PC, can we consider ourselves safe in this situation? He wants to use it mostly as an offline mode of storing his crypto there in his PC. Is he safe if we do it like that here?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Pmalek on July 05, 2019, 08:43:44 AM
@Stedsm
I think your friend should definitely reinstall the OS on the 2nd hand PC he bought. Like you said you never know what the previous owner did with the PC and what his online habits were like.

Black Friday is a good time to purchase a hardware wallet. If I remember correctly there was like a 50% discount during the last Black Friday on the Nano S.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bob123 on July 05, 2019, 08:52:36 AM
So, to save the current owner (my friend) from any possible malware the old owner may have had installed in this PC, what should we do to prevent ourselves? Will a complete OS change work out?

Reinstalling the OS is the absolute minimum you should do.

You'll get most malware removed with a wipe of the hard drive + reinstalling the OS.

However, the theoretical risk of rootkits still exists. Reinstalling the OS won't help you there.
But the chances aren't very high to have a computer infected with a good (in terms of professional) root kit.


But since it is going to be used as an offline storage, you shouldn't be worried too much about that.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AB de Royse777 on July 05, 2019, 09:51:41 AM
~snip~

A question somewhat related to this topic:
My friend purchased a 2nd hand PC and the person he bought it from, used to mine alts in it which clearly means that the previous owner held crypto in it (maybe BTC too).

So, to save the current owner (my friend) from any possible malware the old owner may have had installed in this PC, what should we do to prevent ourselves? Will a complete OS change work out? Like if we install new Windows without keeping old Windows.dat file in his PC, can we consider ourselves safe in this situation? He wants to use it mostly as an offline mode of storing his crypto there in his PC. Is he safe if we do it like that here?

I always install a fresh windows in this kind of case. It's safe for both party. As a buyer you feel secure that you have started from zero point.

About the hardware wallet - my original thought behind this is that they have enough crypto to have a hardware wallet. For example: If someone has 100$ worth of BTC then there are no point to buy a hardware wallet that will cost 55 euro.

Edit: Just noticed the response from two members above me regarding the OS. Now you can see you have 3 votes to reinstall the OS :-)


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Lucius on July 05, 2019, 01:27:42 PM
About the hardware wallet - my original thought behind this is that they have enough crypto to have a hardware wallet. For example: If someone has 100$ worth of BTC then there are no point to buy a hardware wallet that will cost 55 euro.

I would not agree with you on this, although this is often a repetitive phrase and some members on this forum will tell you that you do not need to invest in hardware wallet if you have less than $500 or something like that. There is some logic in that, but hardware wallet is actually a pretty cheap investment and anyone who wants extra security should not hesitate with such an investment.

One better smartphone is cost ten times more than one Nano S, and they are sold as if they cost like hardware wallet. $100 worth of BTC today can be very easily doubled or tripled in future, so it is maybe wrong to say that you protect only $100.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 05, 2019, 09:20:34 PM
He wants to use it mostly as an offline mode of storing his crypto there in his PC. Is he safe if we do it like that here?
Just wanted to say that it's either offline 100% of the time... or it isn't an "offline" cold storage PC.

If it remains offline 100% of the time, it won't matter too much if there is any malware on the PC, as it isn't connected to anything so the malware can't leak any info. However, if your friend plans to "occasionally" connect it to the internet, then you would be well advised to do everything you could to ensure that it was "clean". In this case, as the others have already stated, wipe/format the drive and do a fresh OS install as a minimum.



Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 05, 2019, 10:07:53 PM
So, to save the current owner (my friend) from any possible malware the old owner may have had installed in this PC, what should we do to prevent ourselves? Will a complete OS change work out?

Reinstalling the OS is the absolute minimum you should do.

You'll get most malware removed with a wipe of the hard drive + reinstalling the OS.

However, the theoretical risk of rootkits still exists. Reinstalling the OS won't help you there.
But the chances aren't very high to have a computer infected with a good (in terms of professional) root kit.


But since it is going to be used as an offline storage, you shouldn't be worried too much about that.


Like HCP said, what if my friend wants to go online occasionally on this PC? What exactly is to be done with that root kits thing? And can't they do anything with the certificates/signatures installed for each app before and after?

And going online through a smartphone (via HotSpot) or through WiFi Modem (Broadband service) makes any difference? He wants to use PC as an offline storage for crypto, but does that mean that he cannot go online even for other curricular things he needs to do in life?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 05, 2019, 10:19:19 PM
Yes, it does mean he cannot go online. If he wants true "offline storage", then the computer needs to remain offline permanently. Otherwise, it should be considered no more secure than a "normal" desktop wallet and then associated security measures will need to be taken to ensure the security and safety of their funds.

Additionally, using your "everyday" computer in conjunction with cryptocurrency can be problematic if your "everyday" computer activity includes "risky" activities (downloading pirated software, visiting porn sites etc). The chances of infecting your PC with malware/viruses is a lot higher in these instances.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 06, 2019, 12:31:09 AM
I don't think it's completely off-topic here to mention that I received my Ledger Nano S today, along with the steelwallet.  Both are things of beauty, but that's about the only thing I can say about them right now since I haven't actually played around with them yet.  So far I'm very happy with my purchase, and I've no doubt that these are the real deal and not some counterfeit garbage.

The Ledger and steelwallet arrived late in the day and I'm tired, so tomorrow I'll see what I can do about storing some crypto on the Ledger.  I'm mostly interested in keeping NEO on it since it'll earn GAS without having to be running all the time. 

If anyone else has any good advice for me, I'd greatly appreciate it--and I did read this thread.  Hardware wallets are new to me and I'm not sure what the pitfalls are, if any.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: pereira4 on July 06, 2019, 12:50:30 AM
Hardware wallets are a bit of a meme in my book. I would look into the new Raspberry Pi 4, the 4 GB version. It should be similar to running a node in a Core 2 Duo I guess. You get 4 1.5ghz cores and without the IME or PSP clusterfucks.

https://thumbor.forbes.com/thumbor/960x0/https%3A%2F%2Fblogs-images.forbes.com%2Fjasonevangelho%2Ffiles%2F2019%2F07%2Fraspberry-pi-4.jpg

In addition, it looks cute plus you get to piss off Craig Wright running a node on it.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 06, 2019, 03:33:20 AM
If anyone else has any good advice for me, I'd greatly appreciate it--and I did read this thread.  Hardware wallets are new to me and I'm not sure what the pitfalls are, if any.
There aren't too many pitfalls really... and the Ledger Nano S is a decent enough piece of kit.

Aside from all the normal advice of making sure the device is reset and generating a new seed mnemonic/PIN/Passphrase etc... I would also advise that BEFORE you send any crypto to the device, make sure you're comfortable with wiping it and restoring from the 24 word seed mnemonic.

Basically, install Ledger Live, connect the device and follow the instructions for setting it up. Then note down the receiving address(es) given. Then wipe the device (there is an option in the settings or you can simply enter an incorrect PIN 3 times)... then restore from the 24 word seed mnemonic and confirm that you see the same receiving address(es) following the restore.

This will give you peace of mind that:
1. You have correctly written down the WHOLE seed mnemonic (from memory, the initial setup only confirms a couple of the words at random).
2. The restore functionality works as advertised without risking any coins.

When I got mine, I actually created a couple of different seeds and checked against things like Ian Coleman's BIP39 mnemonic converter to make sure that it was creating "proper" mnemonics, before I wiped and then created the "final" one. ;)


Also, try installing, deleting and reinstalling the coin apps on the device to get comfortable with how the "Manager" functionality in Ledger Live works and see that even if you remove an app and then reinstall, you still get the same addresses etc.

Finally, just an FYI, by default, Ledger will give Nested Segwit addresses for BTC. You can also create "Legacy" if you want and apparently the native Segwit support is in final stages of release... for now, I believe native segwit is still marked as "experimental".


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: o_e_l_e_o on July 06, 2019, 08:33:26 AM
This site is useful if you are going to be storing alts on your Ledger: https://support.ledger.com/hc/en-us/categories/115000811829-Apps. Basically, it gives you a step-by-step guide for each alt, including which wallet you need (or which wallets you can choose from) which are compatible with the Ledger to store your coins. The page for Neo is here: https://support.ledger.com/hc/en-us/articles/115005530425-Neo-NEO. Essentially you will be downloading the NEON wallet, and then instead of using a password or similar to unlock it, you will unlock it with your Ledger device.

I would definitely follow HCP's advice above first, though. I also received and sent a few small transactions (a few dollars worth of BTC) first to make sure I was happy with how that worked too. One of the main benefits of the hardware wallet is that any time you are making a transaction, the transaction address and amount are shown on the hardware wallet's screen, and you have to confirm that these are correct (by pressing the right button) before the transaction will be signed. Make sure you check the address against the original address you were sent/given/displayed, and not against what you copy/pasted, just in case your computer is infected with clipboard malware.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Pmalek on July 06, 2019, 11:06:15 AM
1. You have correctly written down the WHOLE seed mnemonic (from memory, the initial setup only confirms a couple of the words at random).
A lot of time has passed since I set up my Nano S but if my memory serves me right I had to check and confirm every single word of my seed and not just a few of them!?
If someone has done the initial setup recently please confirm whether you had to re-enter every single word of your seed or just a few of them?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: TryNinja on July 06, 2019, 11:27:51 AM
A lot of time has passed since I set up my Nano S but if my memory serves me right I had to check and confirm every single word of my seed and not just a few of them!?
If someone has done the initial setup recently please confirm whether you had to re-enter every single word of your seed or just a few of them?
It only asks for some of your words (e.g #8, #12, #17...) and not all of them.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: ranochigo on July 06, 2019, 11:46:59 AM
IIRC, there was a case whereby someone was scammed with a fake seed. The person bought a hardware wallet online advertised as new and there was a pregenerated seed that was disguised as the recovery code and several victims fell for it. I would still take precautions and do my own due diligence with regards to buying a hardware wallet regardless of whether it's new or not.

On the topic of Raspberry Pi, that's my current cold storage solution. Using Core even with a Pi 3+ is possible, provided that you're not operating it as a full node. I prefer a more simplistic approach with Electrum's GUI and it's worth a consideration since the whole setup goes for about $35 and it's cheaper than even a used hardware wallet. The security would be somewhat similar barring physical attacks.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AB de Royse777 on July 06, 2019, 12:18:46 PM
I don't think it's completely off-topic here to mention that I received my Ledger Nano S today, along with the steelwallet.  Both are things of beauty, but that's about the only thing I can say about them right now since I haven't actually played around with them yet.  So far I'm very happy with my purchase, and I've no doubt that these are the real deal and not some counterfeit garbage.

The Ledger and steelwallet arrived late in the day and I'm tired, so tomorrow I'll see what I can do about storing some crypto on the Ledger.  I'm mostly interested in keeping NEO on it since it'll earn GAS without having to be running all the time. 

If anyone else has any good advice for me, I'd greatly appreciate it--and I did read this thread.  Hardware wallets are new to me and I'm not sure what the pitfalls are, if any.
Hey bud, just wanted to give you a shout out. You must remember this post (https://bitcointalk.org/index.php?topic=5161200.msg51705621#msg51705621) in which I responded to you, advocating for Ledger. I still do, but there is something I was not aware of.

Please read this: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

It seems to be an article more than a year old, but it gives a very good insight into the device's security. I hope this knowledge will help us to keep our crypto safe.

Cheers :-)


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 06, 2019, 12:32:02 PM
Hey bud, just wanted to give you a shout out. You must remember this post (https://bitcointalk.org/index.php?topic=5161200.msg51705621#msg51705621) in which I responded to you, advocating for Ledger. I still do, but there is something I was not aware of.

Please read this: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Man, I have no background in computer science or anything related to that, so most of that article is Greek to me--but I do appreciate the link.

I have not yet set up the Ledger S, but I think I'm going to do it today and may add my NEO onto it.  I don't suspect I'll have a problem as long as I can follow the directions.  We'll see how it goes.  For better or worse, I'm not all that concerned about my coins getting stolen, but I'll be careful about that.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: TryNinja on July 06, 2019, 12:43:33 PM
Man, I have no background in computer science or anything related to that, so most of that article is Greek to me--but I do appreciate the link.

I have not yet set up the Ledger S, but I think I'm going to do it today and may add my NEO onto it.  I don't suspect I'll have a problem as long as I can follow the directions.  We'll see how it goes.  For better or worse, I'm not all that concerned about my coins getting stolen, but I'll be careful about that.
The thing is that you still need physical access to the hardware wallet and a bit of social engineering to "break it". So, in most cases you will be safe as the only way you can actually be affected by this is if the bad guy is with you and you follow his instructions (in this case, he would probably just use the $5 wrench method).

I wouldn't worry about this.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: AB de Royse777 on July 06, 2019, 12:48:50 PM
~snip~
Man, I have no background in computer science or anything related to that, so most of that article is Greek to me--but I do appreciate the link.

I have not yet set up the Ledger S, but I think I'm going to do it today and may add my NEO onto it.  I don't suspect I'll have a problem as long as I can follow the directions.  We'll see how it goes.  For better or worse, I'm not all that concerned about my coins getting stolen, but I'll be careful about that.
You will be okay. On their website they have good manuals. If you follow them then it's easy peasy. For NEO, you will need to...
Download the NEON Wallet (https://neonwallet.com/), install it on your computer.
Install the Neo app on your Ledger

and you will be good to go once you set up your Ledger Nano S

Anyway, the reason I gave you the above link was that I felt I advocated too much about Ledger without knowing some of the risks might still exist. And I thought I should let you know about it.

~snip~

I wouldn't worry about this.

I too am not much worried about it but it's good to know the things we are dealing with.

Cheers :-)



Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: o_e_l_e_o on July 06, 2019, 02:08:34 PM
IIRC, there was a case whereby someone was scammed with a fake seed.
The reddit thread about it is here: https://www.reddit.com/r/ledgerwallet/comments/7obot7/all_my_cryptocurrency_stolen/
Ledger's response to the incident is here: https://www.ledger.com/scam-second-hand-ledger-device/

Regardless of where you ordered your Ledger from (or any other hardware wallet), even if directly from the official website, you should perform some basic checks when it first arrives to ensure it has not been tampered with, as I suggested earlier in the thread. Provided you do this, you will not fall victim to this kind of attack.
Even so, when the device arrives, you should still perform some basic checks to ensure it is genuine and to initialize it for the first time. Step by step instructions can be found here: https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine. Work your way down the sidebar, to "Check if device is genuine", "Set up as new device", and "Update device firmware".

Please read this: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Man, I have no background in computer science or anything related to that, so most of that article is Greek to me--but I do appreciate the link.
Worth mentioning that all these security flaws have since been patched, provided you update your Ledger to the latest firmware (as I suggested in my reply above). See here for more details: https://www.ledger.com/firmware-1-4-deep-dive-security-fixes/. Also, by successfully updating, you are also verifying the genuineness of your Ledger, and that it hasn't been tampered with.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 10, 2019, 11:07:58 PM
IIRC, there was a case whereby someone was scammed with a fake seed.
The reddit thread about it is here: https://www.reddit.com/r/ledgerwallet/comments/7obot7/all_my_cryptocurrency_stolen/
Ledger's response to the incident is here: https://www.ledger.com/scam-second-hand-ledger-device/

--snip--
Even so, when the device arrives, you should still perform some basic checks to ensure it is genuine and to initialize it for the first time. Step by step instructions can be found here: https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine. Work your way down the sidebar, to "Check if device is genuine", "Set up as new device", and "Update device firmware".

So, this probably shows that 2nd hand devices are actually worthless to be purchased and we shouldn't go for them at all when we even need to have a basic check passed even on our official devices, right?

Worth mentioning that all these security flaws have since been patched, provided you update your Ledger to the latest firmware (as I suggested in my reply above). See here for more details: https://www.ledger.com/firmware-1-4-deep-dive-security-fixes/. Also, by successfully updating, you are also verifying the genuineness of your Ledger, and that it hasn't been tampered with.

I believe I can ask this here -
Can you tell us something about the different types of procedures such devices can be tampered with? If so, it could make us more mature about them so to save ourselves and others from falling apart from their coins just because they've got no / least technical knowledge about using these devices with care.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 10, 2019, 11:41:45 PM
Can you tell us something about the different types of procedures such devices can be tampered with? If so, it could make us more mature about them so to save ourselves and others from falling apart from their coins just because they've got no / least technical knowledge about using these devices with care.
There are only really 2 ways to tamper with the device:

1. Firmware
2. Hardware

#1 is the "easiest" method... it's simply modifications made to the firmware to compromise the integrity. Ledger have made great strides since the work of Saleem Rashid (https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/) to ensure that the device is able to detect altered firmware and/or stop it from working.

#2 is a lot harder as you'd need to break open the casing (without damaging it) and either replace all the internals with your own custom board that replicated the workings of a Ledger... or you'd need to attempt to find space in an already cramped container to try and squeeze in your own extra hardware.

Then you'd need to put the case back together. I think it would probably be easier to actually just 3D Print your own casing and build your own full internals than attempting to modify and repackage an existing Ledger device.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 01:11:32 AM
Related to this.



1.  What if you bought say a used modem/router?  Then start using it.  Is it possible to get hacked very easily with this if you use a laptop and connect to the modem/router?


2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?


3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 11, 2019, 01:18:16 AM
2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?


3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
OK, so I'm no expert here, but I own several power banks (I find them incredibly useful when I'm out on my bicycle).  I'm almost certain that connecting your Ledger to a power bank would not be an issue.  I'm assuming you mean the connection would be power bank-->laptop-->Ledger, because it would make no sense to just connect the power bank to the Ledger.

If anyone can show I've given some bad advice, I'm all ears. 

I did hook up my Ledger Nano S, and it's great!  Very easy to use, and I even spent a ridiculous amount of time setting up the words in the steel wallet that came with it.  I've never used a hardware wallet before, and I'm really liking this.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 01:48:43 AM
2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?


3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
OK, so I'm no expert here, but I own several power banks (I find them incredibly useful when I'm out on my bicycle).  I'm almost certain that connecting your Ledger to a power bank would not be an issue.  I'm assuming you mean the connection would be power bank-->laptop-->Ledger, because it would make no sense to just connect the power bank to the Ledger.

If anyone can show I've given some bad advice, I'm all ears. 

I did hook up my Ledger Nano S, and it's great!  Very easy to use, and I even spent a ridiculous amount of time setting up the words in the steel wallet that came with it.  I've never used a hardware wallet before, and I'm really liking this.



Hi there, when you say powerbank, you mean the one specifically for your laptop?  Or its one of those powerbanks where you can charge your laptop but also usb devices like tablets and phones?  Im talking about those that you can connect to your laptop.  But also the ones that connect to your usb devices.


Well i don't mean connecting your ledger to a powerbank... im confused how you would do this?  Can you explain?  You cannot do this and im not sure why you would even do this if you can?  A powerbank is meant to charge laptop, tablet, phone.


I mean say your laptop is running out of battery and you need to charge it but you have no outlet or power... but you have a fully charged powerbank... you connect powerbank to your laptop.  Then you use your laptop as normal.  I mean could someone install malware/keylogger in that powerbank where the moment you connect it to your laptop or say a tablet/phone... get malware/keylogger?  Like imagine you bought a powerbank from someone online or someone lend you it... but it has malware if you ever connect it to your laptop/phone/tablet.


Then even once you unplug power bank from your laptop, the next time you open emails or enter your password to your email or password manager, then all your information is keylogged?  That is what i mean by powerbank.  Like you only use it when you need power and there is no outlet to connect to.


Do you get what im asking?  Im confused with your example.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 02:05:24 AM
2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?


3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
OK, so I'm no expert here, but I own several power banks (I find them incredibly useful when I'm out on my bicycle).  I'm almost certain that connecting your Ledger to a power bank would not be an issue.  I'm assuming you mean the connection would be power bank-->laptop-->Ledger, because it would make no sense to just connect the power bank to the Ledger.

If anyone can show I've given some bad advice, I'm all ears. 

I did hook up my Ledger Nano S, and it's great!  Very easy to use, and I even spent a ridiculous amount of time setting up the words in the steel wallet that came with it.  I've never used a hardware wallet before, and I'm really liking this.



Can you post link of which powerbank you have?  Like is it powerbank only for laptop?  Or its those that are for tablets/phones mostly?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 11, 2019, 02:44:59 AM
Can you post link of which powerbank you have?  Like is it powerbank only for laptop?  Or its those that are for tablets/phones mostly?
I'll post the Amazon links, since that's where I got them from:

RAVPower 26800mAh Dual Input Port Battery Pack (https://www.amazon.com/gp/product/B07793KSV4/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&psc=1)

Solar Power Bank, RAVPower 25000mAh Outdoor Solar Phone Charger (https://www.amazon.com/gp/product/B07GKP5W8Q/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&psc=1)

JETSUN Solar Charger, 16750mAh Power Bank (https://www.amazon.com/gp/product/B078M7923M/ref=ppx_yo_dt_b_asin_title_o01_s00?ie=UTF8&psc=1)

And then I got this bad boy from Chargetech.com: 54K PLUG PRO (https://chargetech.com/product/plug-portable-power-supply/).  I think that's a link to their whole site and not to the specific charger, but they have some great products.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 06:56:09 AM
Can you post link of which powerbank you have?  Like is it powerbank only for laptop?  Or its those that are for tablets/phones mostly?
I'll post the Amazon links, since that's where I got them from:

RAVPower 26800mAh Dual Input Port Battery Pack (https://www.amazon.com/gp/product/B07793KSV4/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&psc=1)

Solar Power Bank, RAVPower 25000mAh Outdoor Solar Phone Charger (https://www.amazon.com/gp/product/B07GKP5W8Q/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&psc=1)

JETSUN Solar Charger, 16750mAh Power Bank (https://www.amazon.com/gp/product/B078M7923M/ref=ppx_yo_dt_b_asin_title_o01_s00?ie=UTF8&psc=1)

And then I got this bad boy from Chargetech.com: 54K PLUG PRO (https://chargetech.com/product/plug-portable-power-supply/).  I think that's a link to their whole site and not to the specific charger, but they have some great products.



Okay i see this.  So these actually charge your laptop as well?  Or you use it for your phone?  I'm curious but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then the moment you connect laptop to it or tablet/phone to it... you get keylogged?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 07:05:31 AM
I'm confused why you say


powerbank to laptop to nano ledger s? 


Do you mean if you wanted to use the nano ledger s but the issue is your laptop is low battery so you connect the power bank to it so it can charge it?  That way it has enough battery on the laptop so you can connect your nano ledger?


If so, i didn't mean that.  I just mean like if you ever connect a power bank to your laptop... is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manager you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?


I know that even if your laptop is compromised... even if you connect your nano ledger s to it, there is no issue because when you send btc... it will show the actual address you are sending to if its to a different btc address, then you wont send the btc. 


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bob123 on July 11, 2019, 07:45:20 AM
So is it possible or not possible for someone to install malware/keylogger on this... then the moment you connect laptop to it or tablet/phone to it... you get keylogged?
[.. ]is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manager you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?

Yes.

Anything which has a micro controller can be tampered with, either by reprogramming (doesn't work with all micro controller) or replacing it.
That's by the way one reason (if you have sensitive data on your computer) why i would discourage from plugging in USB sticks from other people. They don't necessarily want to intentionally damage you.. but who knows how they are handling their ITsec..

USB sticks are the most prominent and most probable example of getting infected.
Real micro controller tampering happens rarely, but is very well possible.


But if you start to believe everyone wants to infect you (e.g. official powerbank seller, amazon, etc..), you might start getting a bit too paranoid.



Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 11, 2019, 08:35:31 AM
If you're super concerned... just use a "power only" usb cable... ie. one that doesn't have the data pins connected. Then it doesn't matter what sort of USB port you plug into, the only thing that will be transferred is power.

You can even DIY this: https://www.instructables.com/id/USB-Condom/ :P


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: o_e_l_e_o on July 11, 2019, 11:17:20 AM
1.  What if you bought say a used modem/router?  Then start using it.  Is it possible to get hacked very easily with this if you use a laptop and connect to the modem/router?
Yes. An attacker could replace the modem or router's firmware with a malicious version which could do a variety of things, including transmitting your data to them, allowing them access to your home network, transferring malware on to connected devices, etc.

2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?
Provided your laptop charges from a dedicated AC power port such as this one, then there is no risk of infection:
https://images-na.ssl-images-amazon.com/images/I/618-DZAFnFL._SL1500_.jpg

If your device charges via a port which also accepts data connections (so all mobiles and tablets, and some laptops, notably Apple ones), then it is entirely possible. This kind of attack is known as "juice jacking (https://en.wikipedia.org/wiki/Juice_jacking)".

3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
Yes. This is "juice jacking" as above.

As well as DIYing your own cable as HCP has said, you can buy adapters which will fit to any cable and only transfer the charging pins and not the data pins. Example: https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8/


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 07:20:47 PM
So is it possible or not possible for someone to install malware/keylogger on this... then the moment you connect laptop to it or tablet/phone to it... you get keylogged?
[.. ]is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manager you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?

Yes.

Anything which has a micro controller can be tampered with, either by reprogramming (doesn't work with all micro controller) or replacing it.
That's by the way one reason (if you have sensitive data on your computer) why i would discourage from plugging in USB sticks from other people. They don't necessarily want to intentionally damage you.. but who knows how they are handling their ITsec..

USB sticks are the most prominent and most probable example of getting infected.
Real micro controller tampering happens rarely, but is very well possible.


But if you start to believe everyone wants to infect you (e.g. official powerbank seller, amazon, etc..), you might start getting a bit too paranoid.





Bob thanks for the response.  Well for power banks whether its for laptop or phones/tablets... if its from the official site, well that is safe.  I mean say from amazon 3rd party on ebay... would you say there is risk with this?  Also with amazon... assuming it comes directly from amazon.com and not 3rd party, there is no risk right?  Now if you buy a powerbank from dell or apple site... pretty much zero risk since it comes from them directly right?



How much money and time would it take for someone to install keylogger/malware into something like a powerbank?  Whether its a powerbank for laptop or powerbank that is used for portable devices?  Would it be even worth the time and money though?  But if they knew the buyers had crypto on their computer for example, then wouldn't some scum do that?



Yes i know usb flash drives can easily have malware.  Even i know this.  Yes if someone connects usb stick to your laptop, that is not good because like you said most likely they are not trying to put malware on your computer, its you dont know where their usb has been. 


But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5.  Mouse
6.  Keyboard



Wouldn't mouse and keyboard be the easiest and least detectable thing because most ppl wouldnt even think about it?  Example imagine someone knows a certain someone has crypto in their computer and does not have nano ledger etc.  Someone could lend or give someone a mouse or keyboard...they connect to their computer, they are now screwed right?



But where would you rank powerbanks?  What about powerbanks that only connect to the power outlet in your laptop?  I mean it does not connect to your laptop usb.  But still that doesn't matter?  What about say powerbanks that connect to usb-c?  Now that is much more different right? 



What if someone lends you say their asus or dell laptop charger?  Is it possible for them to lend or sell you an asus or dell laptop ac adapter charger where connecting it gives you malware/keylogger?  Of course it connects to the power plug in your laptop only... not the usb-c port in your laptop. 


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 07:25:45 PM
1.  What if you bought say a used modem/router?  Then start using it.  Is it possible to get hacked very easily with this if you use a laptop and connect to the modem/router?
Yes. An attacker could replace the modem or router's firmware with a malicious version which could do a variety of things, including transmitting your data to them, allowing them access to your home network, transferring malware on to connected devices, etc.

2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?
Provided your laptop charges from a dedicated AC power port such as this one, then there is no risk of infection:
https://images-na.ssl-images-amazon.com/images/I/618-DZAFnFL._SL1500_.jpg

If your device charges via a port which also accepts data connections (so all mobiles and tablets, and some laptops, notably Apple ones), then it is entirely possible. This kind of attack is known as "juice jacking (https://en.wikipedia.org/wiki/Juice_jacking)".

3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
Yes. This is "juice jacking" as above.

As well as DIYing your own cable as HCP has said, you can buy adapters which will fit to any cable and only transfer the charging pins and not the data pins. Example: https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8/




Hi there.  Okay thats what i thought about with the modem/router.  Thanks for confirming this.


You posted the plug for a laptop charger.  Yes that is what i mean.  Something like that which connects to the power port of your laptop.  So as long as you stick something like that to your power port to your laptop, its impossible to get anything?  What if they compromise the charger itself?  The big part of the laptop charger?



What about a powerbank... that connects to something like that?  Are you saying if it looks anything like that... that you connect to your power port on your laptop even if its a shorter one... its impossible?


I've seen power banks where it does not charge into the power port in the laptop... instead it charges into the usb-c port of the laptop instead.  Have you seen this or know what im talking about here?
So you are saying.. that is definitely possible for malware right?  And that is juice jacking?


Thanks.




Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 11, 2019, 07:49:06 PM
Okay i see this.  So these actually charge your laptop as well?  Or you use it for your phone?  IM curious but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then the moment you connect laptop to it or tablet/phone to it... you get keylogged?
The only one I've used to charge a laptop is the Chargetech power bank, because it has an AC outlet whereas the others don't.  The other power banks I use are mainly for my phone, my headphones, and various other electronics that need to be charged via USB.  

That Chargetech badboy will charge any laptop.  It'll power your refrigerator for a short time, too (though I haven't tried it).  And I think you got your answer from other users:  there won't be any keylogger on any of these chargers.  Well, maybe some of them think it's possible, but I'm sure as hell not worried about it.

Edit:

Did you buy all these items new from Amazon and that Chargetech site? It was from Amazon directly, right, and not 3rd party? If so, then there would be nothing to worry about.
Yeah, all from either Amazon or Chargetech; nothing was used.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 11, 2019, 08:34:16 PM
Okay, I see this. So these actually charge your laptop as well? Or you use it for your phone? I'm curious, but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then the moment you connect laptop to it or tablet/phone to it... you get keylogged?
The only one I've used to charge a laptop is the Chargetech power bank, because it has an AC outlet whereas the others don't.  The other power banks I use are mainly for my phone, my headphones, and various other electronics that need to be charged via USB.  

That Chargetech badboy will charge any laptop.  It'll power your refrigerator for a short time, too (though I haven't tried it).  And I think you got your answer from other users:  there won't be any keylogger on any of these chargers.  Well, maybe some of them think it's possible, but I'm sure as hell not worried about it.




Okay yes, I meant like a powerbank that charges your laptop... so the Chargetech power bank. But do you think it's possible for someone to do something to it, put malware/keylogger on it... thus compromise it... then when you connect it to your laptop... you get compromised? I assume possible but no one would go to these lengths, right? Also the Chargetech power bank... it connects to the power port of your laptop, right? Or does it go into the USB-C of your laptop?



Did you buy all these items new from Amazon and that Chargetech site? It was from Amazon directly, right, and not 3rd party? If so, then there would be nothing to worry about.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: TryNinja on July 11, 2019, 08:43:51 PM
Okay yes, I meant like a powerbank that charges your laptop... so the Chargetech power bank. But do you think it's possible for someone to do something to it, put malware/keylogger on it... thus compromise it... then when you connect it to your laptop... you get compromised? I assume possible but no one would go to these lengths, right? Also the Chargetech power bank... it connects to the power port of your laptop, right? Or does it go into the USB-C of your laptop?

Did you buy all these items new from Amazon and that Chargetech site? It was from Amazon directly, right, and not 3rd party? If so, then there would be nothing to worry about.
There is no way to infect your hardware wallet this way. If that was the case, that would also happen when you even put it in an infected PC.

Right now I don't think there is any way of infecting your HW. Not from an infected PC, not from a USB/powerbank/charger/etc...

All I could see happening is a bad USB disguised as a power bank. But all that could possibly do is infect your PC, not your HW.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 11, 2019, 10:22:58 PM
Honestly, I'm not sure that there is ANYTHING that will satisfy your level of paranoia ::)

Asking whether a device can be compromised by an AC power bank like that is just ridiculous. If all it does is connect to your laptop via the normal power cable, that is simply impossible.

Yes, power banks that connect via USB or USB-C connectors could theoretically be a disguised device set up to compromise your device. However, in that instance, the attack vector is instantly rendered useless by simply using "power only" USB cables/connectors as already discussed.

I think you need to learn the difference between "possible" and "probable". For instance... is it "possible" that I could randomly generate the same seed as your HW wallet? Yes, the odds are non-zero... BUT is it "probable"? Hell no... the odds are so ridiculously small that it may as well be considered "impossible". :P

Is it possible that someone is selling keylogging USB power banks on Amazon? Yes... is it probable? I'll let you figure that one out...
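
A defensive check for the "disguised power bank" case discussed in the posts above, added here as an illustration and not code from any poster: on Linux, snapshot the USB interfaces listed in sysfs before and after plugging the charger in, and flag any data-capable function that appears. The function names and the constructed sample tree are assumptions of this example.

```python
import os
import tempfile

ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
# USB-IF interface class codes that let a device exchange data with the host.
RISKY_CLASSES = {
    0x02: "CDC communications (serial/network)",
    0x03: "HID (input device)",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller",
    0xFF: "vendor specific",
}

def snapshot(root="/sys/bus/usb/devices"):
    """Map interface name (e.g. '1-2:1.0') to (class, subclass, protocol)."""
    found = {}
    for name in os.listdir(root):
        base = os.path.join(root, name)
        if not os.path.isfile(os.path.join(base, "bInterfaceClass")):
            continue  # device and root-hub nodes carry no interface attributes
        triple = []
        for attr in ATTRS:
            with open(os.path.join(base, attr)) as fh:
                triple.append(int(fh.read().strip(), 16))  # sysfs stores hex text
        found[name] = tuple(triple)
    return found

def describe(triple):
    """Return a label for a data-capable interface, or None if it is not flagged."""
    if triple == (0x03, 0x01, 0x01):
        return "HID boot keyboard (can type into the host)"
    return RISKY_CLASSES.get(triple[0])

def audit(before, after):
    """List (interface, label) for flagged interfaces that appeared after plug-in."""
    new = sorted(set(after) - set(before))
    return [(n, describe(after[n])) for n in new if describe(after[n])]

def constructed_demo():
    """Constructed sysfs tree: a 'power bank' on port 1-2 that enumerates as a composite device."""
    with tempfile.TemporaryDirectory() as root:
        def add(name, *triple):  # empty triple = device node without interface attributes
            os.makedirs(os.path.join(root, name))
            for attr, val in zip(ATTRS, triple):
                with open(os.path.join(root, name, attr), "w") as fh:
                    fh.write(val + "\n")
        add("usb1")                        # root hub device node
        add("1-0:1.0", "09", "00", "00")   # root hub interface (hub class, not flagged)
        before = snapshot(root)            # state before the charger is plugged in
        add("1-2")                         # new device node
        add("1-2:1.0", "03", "01", "01")   # keyboard interface
        add("1-2:1.1", "08", "06", "50")   # mass-storage interface
        return audit(before, snapshot(root))

if __name__ == "__main__":
    for iface, label in constructed_demo():
        print(f"{iface}: {label}")
```

On a real Linux host, call snapshot() before and after plugging the charger in; with a power-only cable or data blocker the two snapshots should be identical.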


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 12, 2019, 12:10:23 AM
Hey all. I know you cannot infect a hardware wallet. I'm well aware of that. I mean a laptop powerbank or powerbank infecting your computer or laptop. Thus imagine your password manager like LastPass or KeePass gets compromised. Or other wallets you have on your wallet get compromised, such as Electrum or similar wallets with other altcoins.



Would you say it's good to be always paranoid though? I mean remember... when the Electrum message showed the update... what percentage of ppl even think... okay, this looks suspicious. Would you say that is something to be paranoid about? Like if I opened Electrum and saw that update that ppl saw... I could not tell you if I would have updated it or not... because well, it's a message directly from Electrum. But if it goes to GitHub... obviously I would be a bit suspicious but I wouldn't know. But always better to be careful and paranoid, right? I mean, anyone that is not paranoid with Electrum, well they wouldn't think much besides okay, I got to an update... you agree with me here?



Well I just want to know if an AC power bank can be compromised... Example: imagine someone put something in it... then sells it. Then that person who uses it, whether they have crypto or do things like online banking and online shopping... then the seller could see everything on their screen and keylog everything. I mean back then... I never had any laptop or online security at all. I didn't even use a password manager. You would not believe how foolish my passwords were for many sites that I go on. So when I hear okay, someone could stick a USB flash drive in your laptop while you are away for 1 minute and you got a virus... that's when I thought, well what else could hackers do? I mean let's say you know someone has a lot of crypto and they want to buy a mouse or keyboard and you have one. Well a scumbag hacker could put things in it... then sell it to you without you knowing anything was done to it... would you agree?


Okay, powerbanks connected by USB or USB-C could compromise the device. That is what I wanted to know. So now I know this for sure, but I figure it has to, since if a flash drive connected by USB could... USB-C should as well.


Well possible and probable... I get what you mean by it. Well if someone on Amazon or eBay was selling keylogging flash drives, well they could say I bought from reseller or it was new etc... and not be responsible.


Because I previously, a long time ago, bought a used modem. But of course back then, I had no computer security whatsoever. So I want to know like what products you buy can possibly be compromised. I mean put it this way... if you use a computer for crypto and banking, you certainly don't feel safe buying a used computer, right? But if you wipe it fully and use a new hard drive... that is fine? But of course there is a chance of RAM having malware... I read about this. Yes, it's very paranoid. But I'd rather be that than not think of anything... and then suddenly you got keylogged or malware without you knowing...


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 12, 2019, 03:29:52 AM
Would you say it's good to be always paranoid though?
There is "being cautious" and then there is "being paranoid". This should solve all your problems: https://mcphee.com/products/tin-foil-hat ::)

Seriously, you keep banging on about USB and USB-C devices... you've already been told, simply get "power only" cables or those data blocker adaptors that were listed above. Problem completely solved. You could even buy a powerbank from "Hackers R Us" and use it with those and you'd have no need to worry.

You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" ::)

Refer: Analysis Paralysis (https://www.google.com/search?q=analysis+paralysis)


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bob123 on July 12, 2019, 07:28:29 AM
How much money and time would it take for someone to install keylogger/malware into something like a powerbank? Whether it's a powerbank for laptop or powerbank that is used for portable devices? Would it even be worth the time and money though? But if they knew the buyers had crypto on their computer for example, then wouldn't some scum do that?

Money? Probably just a few bucks
Time? Depends on the actual microcontroller you try to tamper with.
You can't generalize this by saying it takes X minutes/hours/days.

Some USB sticks, for example, can be tampered with within a few minutes (software side).
Others would require replacing the controller completely.

Each device is different and it almost always is not a trivial task.



But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5. Mouse
6. Keyboard

Anything which has a microcontroller which doesn't verify the firmware.
So, yes.. everything in your list. At least on a theoretical level.



Wouldn't mouse and keyboard be the easiest and least detectable thing because most ppl wouldn't even think about it? Example: imagine someone knows a certain someone has crypto in their computer and does not have nano ledger etc. Someone could lend or give someone a mouse or keyboard... they connect to their computer, they are now screwed, right?

Sure.

There have also already been many cases where keyloggers have been hidden in keyboards.
Not by directly manipulating the microcontroller, but by inserting a small chip which reads out the keyboard buffer every X milliseconds.

There are countless ways to gain access to sensitive information. Effectively you can not protect yourself against all of them. It is a probability game.
If you buy your hardware from a trusted seller and don't let some shady techy people (who want to harm you) access it, you are pretty much safe.



But where would you rank powerbanks? What about powerbanks that only connect to the power outlet in your laptop? I mean it does not connect to your laptop USB.


What if someone lends you say their ASUS or Dell laptop charger? Is it possible for them to lend or sell you an ASUS or Dell laptop AC adapter charger where connecting it gives you malware/keylogger? Of course it connects to the power plug in your laptop only... not the USB-C port in your laptop.

As others have mentioned, if there is no data connection, no data can be transmitted.
And therefore no malware can be transmitted / installed.



You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" ::)

Well.. what if this happens? Is it safe to spread my cryptosteel around 10 banks then? What if there are a lot of bombs being dropped ? Is it safe then ?  :P


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: Stedsm on July 12, 2019, 09:52:54 AM
But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5. Mouse
6. Keyboard

Anything which has a microcontroller which doesn't verify the firmware.
So, yes.. everything in your list. At least on a theoretical level.

Wow, surprised! I mean what the hell? Even this kind of hardware is prone to stealing our data at a theoretical (and to some extent, real) level? I'm actually shocked to know about this list and very much scared to know that almost every digital device out there has got some sort of weakness which can be used by stealers / hackers to steal / transmit our data through various channels implemented into these devices. Heck, this discussion gave me an in-depth look into what kind of software / hardware can be dangerous in fetching our fortunes (yes, our data is everything for us) and how we can save ourselves from becoming a victim.



You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" ::)

Lolz, I'm actually getting a complex from that guy whenever he asks a question and uses the same pattern I've used to make it my only used way to ask a question here. After reading the thread today, the way he's asking back-to-back questions makes me feel that I'm his alt. /jk (don't take my words seriously :P)

I believe even cryptosteel is prone to being stolen and / or rust taking place on it and messing up with the paper inside (as I know about a few use cases where metal changes its form in size and shape due to various air / oxygen / iron related issues and this could be dangerous while removing the paper as it may also end up tearing paper into many pieces). I believe the only way to save our hardware from being malevolent is to keep it away most of the time from using online (I mean connected to internet).


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: HCP on July 12, 2019, 09:54:19 PM
I believe even cryptosteel is prone to being stolen and / or rust taking place on it and messing up with the paper inside (as I know about a few use cases where metal changes its form in size and shape due to various air / oxygen / iron related issues and this could be dangerous while removing the paper as it may also end up tearing paper into many pieces).
Just FYI, you generally don't store paper in a "cryptosteel" type seed mnemonic storage device.

The idea is that you either engrave or "punch" the seed mnemonic directly into the metal... or you use laser engraved letter "tiles" to piece the words together.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: jerry0 on July 21, 2019, 05:07:50 AM
When you say keyboard, you mean wired or wireless or both? So basically if someone knows you have crypto in your computer and had access to your keyboard, they can basically put something there and when it's connected to your laptop, you are screwed?


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: bitmover on July 21, 2019, 12:45:28 PM
When you say keyboard, you mean wired or wireless or both? So basically if someone knows you have crypto in your computer and had access to your keyboard, they can basically put something there and when it's connected to your laptop, you are screwed?

I think they are talking about keyloggers, access to your copy and paste clipboard, etc.

If the attacker had physical access to your computer or keyboard or hardware wallet this is certainly a problem, and I would consider those devices permanently compromised (unless you are dealing with small amounts of BTC). Most successful hardware attacks had physical access to the device.

There are also some attacks in which you copy the correct address and paste the attacker's address (when making transactions). This is why Ledger Nano confirms the address in the device's led. Maybe he was talking about that as well.


Title: Re: Bitcoin Ledger and other hardware related questions.
Post by: The Sceptical Chymist on July 21, 2019, 07:45:05 PM
Would you say it's good to be always paranoid though?
Cautious yes, paranoid no.  I think you're being paranoid about the risk of getting some malware installed onto something from a power bank.  I believe I already mentioned that you don't charge the Ledger from a power bank, so there's no need to ever connect the two.  As far as a power bank being able to infect a laptop....that's highly unlikely IMO.  There certainly hasn't been a case of that happening yet.

There is "being cautious" and then there is "being paranoid".
Right-o, and I think he's teetering toward the paranoid side.