Bitcoin Forum
October 15, 2019, 03:07:00 AM *
Author Topic: It is NOT secure to use hardware wallets (and it never was)  (Read 1940 times)
achow101
March 27, 2018, 04:47:56 PM
Merited by Carlton Banks (1), butka (1)
 #41

I'm not objecting just confused: Is it about firmware, BIOS, fucking NVIDIA device drivers or what? We have Linux and Free BSD, don't we? Is it impossible to have Core's wallet running on top of a clean installed Linux?

I'm seriously interested in your term 'closed source computer', actually it is my main research topic for the last couple of years, I'm just wondering how deep is your interpretation of this concept and whether you have developed any idea as an alternative?
There's more to a computer than just the OS. A lot of firmware such as processor microcode are closed source. So it doesn't matter whether the OS you use is open source; if the firmware for your hardware and the hardware itself is closed source, then you are at risk of that closed source being malicious or containing something that can be exploited. One example of this is the Intel Management Engine which could allow someone to remotely access and control your computer and there's no way to disable it because it is baked into the hardware and firmware, both of which are also closed source.

cellard
March 27, 2018, 05:41:09 PM
 #42


Do they claim their hardware to be unhackable!?


More or less they were claiming that it's unhackable, and that's my only issue with them.
https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

Quote from: link above
There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

This claim was proven false now.

Nevertheless in my opinion I still think a hardware wallet is more secure than any other wallets when used safely.
Just that hardware wallets do have security issues does not make any other type of wallet which have MORE security issues suddenly better.

My ranking of wallets in terms of security would be the following

  • Hardware wallets
    If you don't take them outside of your home and an attacker doesn't get physical access they are pretty safe -> with physical access as proven now it might not be safe
  • Paper wallets
    If they are kept hidden in a secret place -> but with physical access by an attacker -> no security at all.
    If people carry them around I consider them worse than any mobile wallets (they do at least have a pin to secure the wallet).
  • Airgapped PCs
    Pretty safe as long as an attacker doesn't get physical access. I consider them worse than a hardware wallet because a PC/MAC/whatever even if not connected to the big world has a much bigger attack vector than a hardware wallet if getting physical access.
  • Any local hot wallets on PC/MAC
    With spyware or other malicious software these wallets can be easily compromised. No physical access necessary
  • Any mobile wallets
    The security of such wallets is usually quite bad. Usually very short pin-codes are used to secure the wallet. As it's easy to lose them an attacker can get physical access to it.
  • Online wallets where you control the private keys
  • Online wallets where you don't control the private keys

Did I miss any type of wallet?

Beside of my listed ranking anyone can (and should) improve the security by combining several methods above and use multi signature addresses. In this case it is not possible to steal funds if just one of the methods is compromised.

Would be interested if someone has a different ranking than me.

You indeed did forget the most important and still the most secure: Bitcoin Core and all the other open source software where you download the entire blockchain and where you can encrypt the wallet.

Just a few additions:

Paper Wallets can be encrypted, which makes it more secure than cash, but still is open to a regular robbing with weapon use (Tell the password or die), but the main problem I think is that it can be destroyed very easy.

An encrypted wallet.dat file can be renamed into Michael_Jackson-Earthsong.mp3 and you carry it around (or send it around). Place another unchanged and unencrypted wallet.dat file with a low amount for plausible deniability. There are other plausible deniability solutions like hidden partitions etc. Multiple backups make a file pretty much undestroyable.



I never trusted hardware wallets, from my research, airgapped old laptops running some linux distro are the best way for cold storage. You must learn how to bring raw transactions from your airgapped computer into an online node, I haven't learned how to do this yet, I will eventually get into it. Unfortunately Core has no improved support for this like Armory does, so you must need to craft the transaction manually, presigned, then move this hash into the node to broadcast it... use a QR code or something so you can avoid USB surface attack.

You can't also leave the computer non fully encrypted. Encrypt the entire drive ideally. I haven't looked into this yet. I tested with Veracrypt before, I did it wrong and I bricked 3 HDDs on my 3 attempts, now they are useless, so beware with that. Do some testing first. I think Linux has no FDE support with Veracrypt, so you must use LUKS which is more complicated, haven't learned yet. I'm not sure if dm-crypt is safe enough nowadays.
BitCryptex
March 27, 2018, 06:17:52 PM
 #43

I never trusted hardware wallets, from my research, airgapped old laptops running some linux distro are the best way for cold storage. You must learn how to bring raw transactions from your airgapped computer into an online node, I haven't learned how to do this yet, I will eventually get into it.

Hardware wallets might be not a best choice for cold storage, but they are still a good choice if you want to access your bitcoins on many different computers which might be compromised. I used to encrypt my Electrum seed using VeraCrypt but I was too scared of keyloggers and other malware. Right now I don't have to worry about it since my TREZOR has a touchscreen to input everything on the device. It is still possible that this model might get hacked anytime soon, time will show us.

Wind_FURY
March 28, 2018, 07:07:07 AM
 #44


I never trusted hardware wallets, from my research, airgapped old laptops running some linux distro are the best way for cold storage. You must learn how to bring raw transactions from your airgapped computer into an online node, I haven't learned how to do this yet, I will eventually get into it. Unfortunately Core has no improved support for this like Armory does, so you must need to craft the transaction manually, presigned, then move this hash into the node to broadcast it... use a QR code or something so you can avoid USB surface attack.

Bitkey, https://bitkey.io/, has. Go to the site, click "usage" then click "coldstorage-offline". Very advisable for long term holders who have millions stored in Bitcoin.

Quote
You can't also leave the computer non fully encrypted. Encrypt the entire drive ideally. I haven't looked into this yet. I tested with Veracrypt before, I did it wrong and I bricked 3 HDDs on my 3 attempts, now they are useless, so beware with that. Do some testing first. I think Linux has no FDE support with Veracrypt, so you must use LUKS which is more complicated, haven't learned yet. I'm not sure if dm-crypt is safe enough nowadays.

I believe it would be less trouble to partition /home and encrypt that in case you need to reinstall.


aliashraf
March 28, 2018, 08:26:32 AM
 #45

I'm not objecting just confused: Is it about firmware, BIOS, fucking NVIDIA device drivers or what? We have Linux and Free BSD, don't we? Is it impossible to have Core's wallet running on top of a clean installed Linux?

I'm seriously interested in your term 'closed source computer', actually it is my main research topic for the last couple of years, I'm just wondering how deep is your interpretation of this concept and whether you have developed any idea as an alternative?
There's more to a computer than just the OS. A lot of firmware such as processor microcode are closed source. So it doesn't matter whether the OS you use is open source; if the firmware for your hardware and the hardware itself is closed source, then you are at risk of that closed source being malicious or containing something that can be exploited. One example of this is the Intel Management Engine which could allow someone to remotely access and control your computer and there's no way to disable it because it is baked into the hardware and firmware, both of which are also closed source.

I know about Intel's ME, but I was just asking OP whether he is mentioning it or what?

As for Intel's ME, there are solutions to neutralize or disable it; people even suggest not to use Intel processors made since 2008 and AMDs since 2013.

But I think it is not just about foolish architectures like this and even a system built around an 'innocent' 80386 cpu is susceptible not because of its bios or any other hardware potential backdoor but for a more inherent characteristic of our contemporary technological paradigm that allows machines to be dominated by attackers without disclosure.

By 'attackers' I don't just refer to crackers or state agents I am mentioning the owners, legitimate owners as well!
Imagine some black hat cracker who goes to the market buys a laptop, installs some evil software on it, plugs it to the internet and participates maliciously in some public protocol, trying to take advantage of its security holes while it is pretending to be a fair player, it is a hijacked laptop in my terminology!

Our current state in computing technology, gives unlimited access to the owner (and the army of crackers, hardware manufacturers, state organisations, ...) to install whatever s/he wants without disclosure.

This way people have access to 'things' that can be 'anything' and pretend to be 'something' else! This is totally a mess which security experts, cryptographers, ... are trying to cover it up, both desperately and inefficiently.

Happiest
March 28, 2018, 08:42:01 AM
 #46

And here I am thinking that using a ledger ware is the best safe place to store my bitcoin as sometimes I travel a lot. I have been meaning to buy one since it's easily portable but seeing that article, I am quite confused.
I am always skeptical of storing my bitcoin in my laptops cause most times, I change laptops a lot and I fear selling my used laptop to a stranger might leave a trace of my wallet.dat. So is there any portable means of storing bitcoin that is not paper wallet?

wansei
March 28, 2018, 04:43:23 PM
Merited by BitCryptex (1)
 #47

I wasn't too comfortable with the hardware being "out of my control" during shipping etc., so I used other hardware wallet solution - simple, cheap/free and extremely safe:

Everyone has old unused laptops laying around. I took two laptops. On both I formatted hard drives and did clean reinstall of the system. 1 of these laptops will never be connected online, network adapters are disabled. On the other laptop, go straight to download section of electrum wallet. Download wallet and verify the authenticity. Take clean USB stick, format it and put downloaded electrum wallet there. Take the usb stick and insert it into the first laptop (the one without internet connection). Create wallet. This laptop will NEVER go online. If you are totally paranoid you can destroy the USB stick.

The laptop with the internet active is used for Electrum - watch only wallet. This type of wallet has no access to your private keys, yet you can see your balances and initiate transactions (these have to be confirmed via confirm file, created on the laptop with the original wallet).

This process should be reasonably safe.
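
Added example, not part of the thread: the watch-only workflow in the post above (and cellard's earlier point about carrying raw transactions to and from an air-gapped machine) depends on the offline machine signing exactly what was intended, even if the online machine that prepared the transaction is compromised. This Python code parses the outputs of a raw transaction and compares them with the intended payment before signing. It assumes raw serialized hex such as Bitcoin Core's createrawtransaction produces (Electrum's own file format and PSBT are not handled), and all scripts and amounts are constructed sample values.

```python
import struct
from io import BytesIO


def take(stream, n):
    """Read exactly n bytes or fail, so a truncated transfer is rejected."""
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated transaction")
    return data


def read_varint(stream):
    """Decode Bitcoin's CompactSize length prefix."""
    first = take(stream, 1)[0]
    if first < 0xFD:
        return first
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(take(stream, width), "little")


def parse_outputs(raw_hex):
    """Return [(satoshi, scriptPubKey hex), ...] for a serialized transaction."""
    stream = BytesIO(bytes.fromhex(raw_hex))
    take(stream, 4)                          # version
    n_inputs = read_varint(stream)
    if n_inputs == 0:                        # segwit marker 0x00; flag must be 0x01
        if take(stream, 1) != b"\x01":
            raise ValueError("bad segwit flag")
        n_inputs = read_varint(stream)
    for _ in range(n_inputs):
        take(stream, 36)                     # previous txid + output index
        take(stream, read_varint(stream))    # scriptSig (empty while unsigned)
        take(stream, 4)                      # sequence
    outputs = []
    for _ in range(read_varint(stream)):
        (value,) = struct.unpack("<Q", take(stream, 8))
        script = take(stream, read_varint(stream))
        outputs.append((value, script.hex()))
    return outputs


def review_before_signing(raw_hex, intended):
    """Compare outputs with intended {scriptPubKey hex: satoshi}; [] means they match."""
    problems = []
    remaining = dict(intended)
    for value, script in parse_outputs(raw_hex):
        if script not in remaining:
            problems.append(f"unexpected output: {value} sat to script {script}")
        elif remaining.pop(script) != value:
            problems.append(f"amount changed for script {script}: {value} sat")
    for script in remaining:
        problems.append(f"missing output to script {script}")
    return problems


def build_unsigned_tx(outputs):
    """Constructed sample data only: one dummy input, empty scriptSig."""
    tx = struct.pack("<I", 2)                                  # version 2
    tx += b"\x01" + bytes.fromhex("11" * 32) + struct.pack("<I", 0)
    tx += b"\x00" + b"\xff\xff\xff\xff"                        # empty scriptSig, sequence
    tx += bytes([len(outputs)])
    for value, script_hex in outputs:
        script = bytes.fromhex(script_hex)
        tx += struct.pack("<Q", value) + bytes([len(script)]) + script
    return (tx + struct.pack("<I", 0)).hex()                   # locktime 0


# Constructed scripts: P2PKH payee, P2WPKH change, and a substituted payee.
PAY = "76a914" + "aa" * 20 + "88ac"
CHANGE = "0014" + "bb" * 20
SWAPPED = "76a914" + "cc" * 20 + "88ac"
INTENDED = {PAY: 150_000, CHANGE: 840_000}

GOOD_TX = build_unsigned_tx([(150_000, PAY), (840_000, CHANGE)])
TAMPERED_TX = build_unsigned_tx([(150_000, SWAPPED), (840_000, CHANGE)])

if __name__ == "__main__":
    for name, tx in (("good", GOOD_TX), ("tampered", TAMPERED_TX)):
        issues = review_before_signing(tx, INTENDED)
        print(name, "-> OK to sign" if not issues else issues)
```

The comparison is made on the air-gapped machine against values the user wrote down independently, so a substituted destination shows up as one unexpected output plus one missing output.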
BitCryptex
March 28, 2018, 05:42:35 PM
 #48

I wasn't too comfortable with the hardware being "out of my control" during shipping etc., so I used other hardware wallet solution - simple, cheap/free and extremely safe:

Everyone has old unused laptops laying around. I took two laptops. On both I formatted hard drives and did clean reinstall of the system. 1 of these laptops will never be connected online, network adapters are disabled.

I have also met with an opinion that you should use a computer which has never been connected to the Internet. I have no idea why would it be important beside potential malware being downloaded earlier. Your solution is definitely safe and recommended by many people but still, it isn't really convenient and portable. I guess it's the best choice for people who were thinking of using hardware wallets as their main "purse". I will personally stick to them since I send my coins often in many different places.

HCP
March 29, 2018, 01:12:12 AM
 #49

The important things to note from this entire episode are:

1. The recently exposed vulnerabilities in Ledger and Trezor have been patched - Update your devices!
2. NO wallet can be proven to be 100% secure and NO wallet should be treated as such
3. Despite our best efforts, there will always be a certain level of "trust" involved somewhere in the chain (hardware and/or software level)

As with a lot of things in life, it comes down to risk management and how much risk is "acceptable" in your specific situation - "Minimise the risk"™

RGBKey
March 29, 2018, 02:17:33 AM
 #50

The important things to note from this entire episode are:

1. The recently exposed vulnerabilities in Ledger and Trezor have been patched - Update your devices!
2. NO wallet can be proven to be 100% secure and NO wallet should be treated as such
3. Despite our best efforts, there will always be a certain level of "trust" involved somewhere in the chain (hardware and/or software level)

As with a lot of things in life, it comes down to risk management and how much risk is "acceptable" in your specific situation - "Minimise the risk"™

I agree with all of your points, and I personally own a ledger nano device but I also think that the Ledger team understated how vulnerable the device can be, especially once it is in the physical possession of someone else. I will probably continue to use it, as I think it's still got a very good security to usability ratio, but I think that it might have been advertised a bit as something it probably is not.
bitmover
March 29, 2018, 11:50:44 AM
 #51

I think users have far more trust in the integrity and security of the software than the coders themselves.

Stedsm
March 29, 2018, 12:20:36 PM
 #52

This shows that keeping our coins safe has been ultimately cut down to such levels where we cannot trust anything, except our own deeds.
Keeping it safe is a matter of how safe we try to keep it - IT'S US WHO WILL NEED TO PERFORM EVERYTHING IN A KNOWLEDGEABLE MANNER.
Though, never thought that hardwares could really be unsafe (Had different thoughts though, like if our PC itself has a malware in it and if we use our hardware in such device). I trust paper wallets only, but are they also trustworthy? As they come from these "ONLINE" websites only, so shall we trust them too? And if everything's prone to vulnerability, what should be the best place we may put our coins at?

BitCryptex
March 29, 2018, 12:42:43 PM
Merited by vlad230 (1)
 #53

I trust paper wallets only, but are they also trustworthy? As they come from these "ONLINE" websites only, so shall we trust them too? And if everything's prone to vulnerability, what should be the best place we may put our coins at?

There shouldn't be any problems with a paper wallet as long as you generate it offline. I think there was an online generator which saved people's seeds and later stole their BTC. An extreme holder could encrypt and engrave it on something that would be fire and waterproof. That's one of the safest methods if you don't plan spending your bitcoins or any other cryptocurrency for the next few years.

We have a lot of operating systems available on the Internet with different features and security measures. For example, TREZOR is open-source, this might encourage more developers, who may be concerned about security of their money, to create their own, separate version of what's supposed to run on your hardware wallet. They won't be able to fix issues connected with the hardware itself, though.

Lucius
March 29, 2018, 12:46:16 PM
 #54

This shows that keeping our coins safe has been ultimately cut down to such levels where we cannot trust anything, except our own deeds.
Keeping it safe is a matter of how safe we try to keep it - IT'S US WHO WILL NEED TO PERFORM EVERYTHING IN A KNOWLEDGEABLE MANNER.
Though, never thought that hardwares could really be unsafe (Had different thoughts though, like if our PC itself has a malware in it and if we use our hardware in such device). I trust paper wallets only, but are they also trustworthy? As they come from these "ONLINE" websites only, so shall we trust them too? And if everything's prone to vulnerability, what should be the best place we may put our coins at?

I think that hardware wallets are still one of the safest ways for safe storage of private keys, although from time to time a security vulnerability appears, but also very quickly after that we have update which fix the problem. This is something quite normal, not only with hardware wallets, but with any other device or operating system which exists today.

Paper wallets are good for long term storage if user makes such wallet offline in 100% clean device. But instead of paper I would always choose some more durable material such as plastic or metal. Then user just need to get private keys - engrave & save them in a safe place. To check balance it's enough to have public key so there is no need to touch "paper wallet".

1Referee
March 29, 2018, 01:22:11 PM
 #55

I think that hardware wallets are still one of the safest ways for safe storage of private keys, although from time to time a security vulnerability appears, but also very quickly after that we have update which fix the problem. This is something quite normal, not only with hardware wallets, but with any other device or operating system which exists today.

It's not normal at all. Hardware wallets advertise themselves as being the most secure way of securing your private keys, but they continue to find themselves in a position that draws negative and unwanted attention. How long will people swallow this? I don't think much longer, because you can keep releasing firmware fixes and whatnot, but the more often you have to do this, the lower your overall credibility becomes as hardware wallet manufacturer. I was doubting whether or not to purchase one, but haven't done so because I am not going to put my faith in a piece of hardware that I personally don't know of what leaks its firmware may contain that we don't yet know of, or even in the hardware part itself. I have been reading here and there that people owning hardware wallets will revert back to the old and solid paper wallets, and rightfully so.

Lucius
March 29, 2018, 01:45:44 PM
 #56

I understand your stand, and many others think in that way, but is there so far even one recorded case that someone lost BTC or any other altcoin from hardware wallet and that the cause was a security breach? To my knowledge such a situation has not yet occurred, for safe storage and everyday use hardware wallets are currently the best choice.

But if user have large amount of coins and has no intention to spend them in the near future, then paper wallet represents the safest option for long term storage. Although every user needs to know that paper is not something that lasts forever (or ink), we have users on this forum who have problem to read private keys because ink is faded.

Stedsm
March 29, 2018, 02:02:21 PM
 #57

We all are here for privacy and safety, both.
And as said somewhere, past performance does not guarantee future results. Everything is hypothetical and so is the usage of these hardwares, when even computers are not safe with our so-called perfect Anti-Virus which guarantees us that it holds the best properties and all the data that could prevent our PC from being hacked or be malware-affected, still can't fight the newer ones (Viruses) that are being badly released by those hackers with the intention to steal all our data - can you guarantee that such hardwares are trustworthy even after reading the complete PDF given herein by the OP?

oneirozwis13
March 29, 2018, 02:28:29 PM
 #58

Till this point in my reading in the crypto world, I had never even been exposed to the idea (nor did it occur to me) that hardware wallets were not as safe as they seemed. Thanks AGD for sharing this with a wider audience, was a fascinating read. At the very least, it is very good food-for-thought.
cellard
March 29, 2018, 03:22:54 PM
 #59

I never trusted hardware wallets, from my research, airgapped old laptops running some linux distro are the best way for cold storage. You must learn how to bring raw transactions from your airgapped computer into an online node, I haven't learned how to do this yet, I will eventually get into it.

Hardware wallets might be not a best choice for cold storage, but they are still a good choice if you want to access your bitcoins on many different computers which might be compromised. I used to encrypt my Electrum seed using VeraCrypt but I was too scared of keyloggers and other malware. Right now I don't have to worry about it since my TREZOR has a touchscreen to input everything on the device. It is still possible that this model might get hacked anytime soon, time will show us.

If your computer was fully encrypted and never accessed the internet, then how could it have a keylogger? Assuming it's properly airgapped, that is, no physical wifi card, ethernet card, or anything else of this nature, then even if somehow the computer got infected with a keylogger, how could the keylogger communicate with the attacker to send the logs?

Seems pretty solid to me. Meanwhile, hardware wallets have their own RNG and you can't just never be fully sure, and the fact that they are devices supposed to contain bitcoin by default it's just an obvious target.
Lucius
March 30, 2018, 10:11:43 AM
 #60


We all are here for privacy and safety, both.
And as said somewhere, past performance does not guarantee future results. Everything is hypothetical and so is the usage of these hardwares, when even computers are not safe with our so-called perfect Anti-Virus which guarantees us that it holds the best properties and all the data that could prevent our PC from being hacked or be malware-affected, still can't fight the newer ones (Viruses) that are being badly released by those hackers with the intention to steal all our data - can you guarantee that such hardwares are trustworthy even after reading the complete PDF given herein by the OP?

I never said that hardware wallets are 100% secure, such a thing actually does not exist - but for daily use and for storage of not too large amounts of coins I think there is no better solution at this time. If user have 50 or 100 BTC only safe storage is something totally offline, with no connection to internet.

I read that report the day it was published and the author says:

Quote
An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.

So the greatest danger here came from delivery process, if someone wants to intercept the package and compromise the device before being delivered to the user. This is certainly possible, but if ordered directly from the manufacturer with tracking number I think the possibility of manipulation with package is very small.

All other attacks can be performed only remotely, and require that user do some bad things like to allow install of custom MCU firmware or to have infected computer.

Ledger has updated their firmware and says that all of these vulnerabilities are now fixed. Saleem Rashid confirms that some of problems are resolved in "Fixing The Attack" part, but even he is not sure that all problems are resolved.

In the end I can not guarantee that hardware wallets are worthy of trust, it is the decision of each user individually. So far there is no documented case that any user has lost coins in hardware wallet and that the cause for this is security flaw in device - but that does not mean that this will not happen in the future.
