Bitcoin Forum

Hi guys
I will be getting a hardware wallet in 2 weeks or so, will probably be going for the Nano as it supports more coins. However how can I know that the box hasnt been opened and re-sealed or anything before I got it ?  I mean anything can happen in the warehouse from the online shop im buying from, or at airport customs.. etc..

To my understanding there is a piece of paper in there with my seed words, how can I know that nobody has those ?

The best thing would be to only buy from an official reseller or the original store, that makes you rather safe from supply-chain attacks.

If you go for a ledger be aware that they had exactly this problem before the last firmware update. Someone could manipulate the ledger nano s (and blue) in that way that even the creation of a new seed wouldn't have helped, see here: https://www.ledger.fr/2018/03/20/firmware-1-4-deep-dive-security-fixes/

Make a hard reset in any case and be sure that you've got Firmware 1.4.1 or higher.

You can't be 100% safe tough, unfortunately.

No, you won't receive the seed (if so then it's almost 100% positive someone already saw it, wrote it down and have access to that wallet).
Seed will be generated brand new once you first start the device.

Ledger uses attestation to prove a wallet's authenticity so if the device is tampered, you won't be able to use it as it won't be recognized.
Read this article for give to give you more depth about this topic: https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

There's also a way for hardware savvy's: https://support.ledgerwallet.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-

awesome thanks guys. This is one of those things where you kinda learn as you do it. But for a hardware wallet learning only then is too late.

I fully trust the retailer I am buying from, reason Im not going official site is due to customs taxes/ import duties and so on.

Another thing to add: another common attack involving hardware wallets is the inclusion of seeds on a piece of paper. If you find one packaged with your hardware wallet, it's likely compromised, but a reset should be enough to stay safe in those cases.

It's not a problem if you fully trust your retailer, but one thing to consider is that you're trying to save a few bucks while risking thousands by potentially getting a compromised device. Just a thought.

Note that a recently publicised exploit managed to fool the attestation process (https://www.ledger.fr/2018/03/20/firmware-1-4-deep-dive-security-fixes/)... To prevent issues, you should make sure that:

1. You ensure your Ledger Nano S is running the latest firmware. (1.4.1 at the time of this post (https://www.ledger.fr/2018/03/06/new-firmware-update-1-4-1-available-for-the-nano-s/))
2. You reset the Ledger Nano S at least once to ensure that any "preloaded" seed is wiped
3. You ignore any pre-printed card that proclaims to be your seed

NOTE: Should you actually receive a Ledger Nano S that comes either preloaded with a seed, or with an included pre-printed card... you should return it and ask for a refund as it is likely that it has been tampered with. You should also report the reseller to Ledger.