Bitcoin Forum
Author Topic: It is NOT secure to use hardware wallets (and it never was)  (Read 1941 times)
AGD
Legendary
March 22, 2018, 07:32:02 AM
Merited by TheQuin (1)
 #1

I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning that the guy who found this exploit is 15 years young.

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
ricreis394
Newbie
March 22, 2018, 09:08:21 AM
 #2

I'm amazed.
And I was about to buy a hardware wallet, but now I will definitely not buy one.
BitCryptex
Hero Member
March 22, 2018, 09:11:45 AM
 #3

So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so. In both Ledger and TREZOR, vulnerabilities were discovered which allowed a potential attacker to extract the seed. I haven't heard of any issues with KeepKey. I was thinking of using an air-gapped computer for storing a large amount of BTC and a hardware wallet in case I needed to travel and have some bitcoin with me just in case. Have you ever used any hardware wallet?

OmegaStarScream
Staff
Legendary
March 22, 2018, 09:27:24 AM
Merited by eternalgloom (2)
 #4

The only alternative I can think of would be paper wallets, but these are not suitable for spending on a regular basis. Hardware wallets are still a great choice IMO and since they are not vulnerable to remote attacks, they still have some credibility. Ledger nano statement on this when they released their latest firmware update:

> Important note: there are some claims on Reddit and Twitter about a critical security issue being found on the Nano S. This is incorrect. The issues found are serious (that’s why we highly recommend the update), but NOT critical. Funds have not been at risk, and there was no demonstration of any real life attack on our devices. We will disclose all technical details after March 20th.

> I haven't heard of any issues with KeepKey.

The reason why no one found security issues on KeepKey is probably due to the small userbase they have compared to Trezor and Ledger nano S.

klaaas
Hero Member
March 22, 2018, 10:26:06 AM
 #5

These kinds of hardware wallets will grow stronger with time.
An indestructible and safe wallet is a very hard thing to accomplish.
bitmover
Hero Member
March 22, 2018, 10:50:18 AM
 #6

> I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:
>
> https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf
>
> Worth mentioning that the guy who found this exploit is 15 years young.

This is a problem, and was already fixed by a firmware update.

I think it's also worth mentioning that this vulnerability, although scary, occurs only if the attacker has physical access before setup of the seed.

It's nothing you need to really worry about if you buy directly from Ledger.
And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.

TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.

DaveF
Hero Member
March 22, 2018, 02:03:31 PM
Merited by DarkStar_ (2), AGD (1)
 #7

> This is a problem, and was already fixed by a firmware update.
>
> I think it's also worth mentioning that this vulnerability, although scary, occurs only if the attacker has physical access before setup of the seed.

Not 100% true, from what he said it was vulnerable to the "Evil Maid attack"
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

> This is a problem, and was already fixed by a firmware update.

Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.

> And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.

Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.

> TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.

THAT I agree with. And pretty safe is good for most people. But it's still not REALLY REALLY REALLY safe.

Just because you are paranoid does not mean that there are not people out to get you.....

-Dave




AGD
Legendary
March 22, 2018, 02:08:59 PM
 #8

> So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so. In both Ledger and TREZOR, vulnerabilities were discovered which allowed a potential attacker to extract the seed. I haven't heard of any issues with KeepKey. I was thinking of using an air-gapped computer for storing a large amount of BTC and a hardware wallet in case I needed to travel and have some bitcoin with me just in case. Have you ever used any hardware wallet?

I think it is good to reduce the attack vectors to a minimum.
Bitcoin Core for example is a software that I trust. It is open source and some of the best developers (that I trust) are revisiting the code. So if you use an encrypted Bitcoin Core wallet with a very strong password for your cold storage, you should feel a lot safer than with any hardware solution.

Of course, the fact that we have to use closed source computers to run Bitcoin Core makes it impossible to be 100% safe esp. against state actors.

bitmover
Hero Member
March 22, 2018, 02:15:39 PM
Last edit: March 22, 2018, 02:30:42 PM by bitmover
Merited by DarkStar_ (2)
 #9

> > This is a problem, and was already fixed by a firmware update.
> >
> > I think it's also worth mentioning that this vulnerability, although scary, occurs only if the attacker has physical access before setup of the seed.
>
> Not 100% true, from what he said it was vulnerable to the "Evil Maid attack"
> https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
>
> > This is a problem, and was already fixed by a firmware update.
>
> Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.
>
> > And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.
>
> Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.
>
> > TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.
>
> THAT I agree with. And pretty safe is good for most people. But it's still not REALLY REALLY REALLY safe.
>
> Just because you are paranoid does not mean that there are not people out to get you.....
>
> -Dave

Well, this evil maid attack is even less risky. How would a hacker access my hardwallet, inside my house?
If he can get inside your house, well, he can force you to give your btc to him even on an airgapped PC using Bitcoin Core, he doesn't even need to be a hacker, he just needs a weapon.

When you buy a Ledger Nano they come securely closed, and if the seal was violated you should discard it, as Ledger recommends. You don't need to trust anyone who handles the package..

If the user is the problem (like using infected pendrives, using violated hardwallets), any method is unsafe

Any other wallet on desktop or smartphone is exposed to the risk of keyloggers, Trojans... Hardwallets are not. Unless you have an airgapped PC, they are the best option. Even Bitcoin Core on a daily use computer is not as safe.

But this discussion is pretty worthless.. it's a selected paranoia. Hardwallets are safe enough. Ledger Nano is also open source.

kbdwarrior
Newbie
March 22, 2018, 02:26:09 PM
Merited by ebliever (1)
 #10

> I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:
>
> https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf
>
> Worth mentioning that the guy who found this exploit is 15 years young.

Also worth mentioning, he says a hardware wallet is still the safest practice unless you're top 1% of infosec experts.

Source: https://twitter.com/aantonop/status/976633545136443392
DaveF
Hero Member
March 22, 2018, 02:32:30 PM
 #11

> Well, this evil maid attack is even less risky. How would a hacker access my hardwallet, inside my house?
> If he can get inside your house, well, he can force you to give your btc to him even on an airgapped PC using Bitcoin Core, he doesn't even need to be a hacker, he just needs a weapon.
>
> When you buy a Ledger Nano they come securely closed, and if the seal was violated you should discard it, as Ledger recommends. You don't need to trust anyone who handles the package..
>
> But this discussion is pretty worthless.. it's a selected paranoia. Hardwallets are safe enough.
>
> If the user is the problem (like using infected pendrives, using violated hardwallets), any method is unsafe

That's why it's called the evil maid, we can call it dishonest butler, sneaky plumber, corrupt cable tech.
Whatever. We are human, we make mistakes, you left it sitting next to your PC for whatever reason instead of putting it away. Under 3 minutes and a netbook. That's all they need.

> When you buy a Ledger Nano they come securely closed, and if the seal was violated you should discard it, as Ledger recommends. You don't need to trust anyone who handles the package..

They actually did not

And I think that set me off more than anything. They badmouthed other places for saying that their tamper tape was worthless, while putting out a product that a 15 year old (yes a very smart one) cracked by himself.

Beyond this, I am dropping out of this thread. I doubt either one of us is going to change the other's mind.

-Dave







bob123
Legendary
March 22, 2018, 06:27:15 PM
 #12

> > This is a problem, and was already fixed by a firmware update.
>
> Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.

What is the source for the 4 months? As far as I know this has been fixed pretty fast..

> Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.

You don't have to trust anyone. You can verify everything yourself (hardware + firmware).
The Ledger team has published a guide: https://support.ledgerwallet.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-

> Of course, the fact that we have to use closed source computers to run Bitcoin Core makes it impossible to be 100% safe esp. against state actors.

You don't have to use a closed source OS. You have decided for yourself to use closed source software.
Everyone is free to use the software he wants. There are a lot of open source Linux distributions available on the internet.

achow101
Staff
Legendary
March 22, 2018, 07:02:31 PM
Merited by vlom (1)
 #13

Just because there are vulnerabilities found does not mean that they are inherently insecure. Do you say the same things about software wallets too (many of which have had vulnerabilities found and patched, just like with these hardware wallets)? Do you say the same thing about the general purpose computer you use which you don't even know how it works? Every piece of software and many pieces of hardware will have some vulnerability found in them; given enough time, it's almost inevitable.

> Worth mentioning that the guy who found this exploit is 15 years young.

That's slightly misleading. This 15 year old has dedicated a lot of time into working on hardware wallets, particularly in their firmware. He's been involved in numerous other vulnerability discoveries in the past with Trezors (and possibly Ledgers). The kid is very smart, probably smarter than you when it comes to hardware wallets. He's not just some random 15 year old who found this; he actually dedicated a lot of time into learning about how hardware wallets work and has been working with them for years.

> Not 100% true, from what he said it was vulnerable to the "Evil Maid attack"
> https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

I don't think you understand what an evil maid attack is. It is, by definition, a physical access attack. You need to have physical access to the device in order to perform any of the known vulnerabilities (which have since been patched). An evil maid attack means literally that someone (like a maid) enters your room physically and does something malicious to a device (hence an evil maid).

> Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.

Vulnerabilities take time to fix and release. They can't just publish that there is a vulnerability or details about the vulnerability before a fix is available. It probably took them 4 months to figure out a solution. Also, Ledger can't force users to update, and there has been plenty of alerting (which, by the way, also cannot be forced).

> Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.

There's a hardware and software attestation process that you can go through to ensure that your Ledger has not been tampered with.

> What is the source for the 4 months? As far as I know this has been fixed pretty fast..

https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Scroll down to "Disclosure timeline"

AGD
Legendary
March 22, 2018, 08:03:38 PM
 #14

> Just because there are vulnerabilities found does not mean that they are inherently insecure. Do you say the same things about software wallets too (many of which have had vulnerabilities found and patched, just like with these hardware wallets)? Do you say the same thing about the general purpose computer you use which you don't even know how it works? Every piece of software and many pieces of hardware will have some vulnerability found in them; given enough time, it's almost inevitable.
>
> > Worth mentioning that the guy who found this exploit is 15 years young.
>
> That's slightly misleading. This 15 year old has dedicated a lot of time into working on hardware wallets, particularly in their firmware. He's been involved in numerous other vulnerability discoveries in the past with Trezors (and possibly Ledgers). The kid is very smart, probably smarter than you when it comes to hardware wallets. He's not just some random 15 year old who found this; he actually dedicated a lot of time into learning about how hardware wallets work and has been working with them for years.
>
> ...

Yes, I think hardware wallets are indeed inherently insecure, just like any SPV wallet. I also call every cryptocurrency exchange inherently insecure even though it might not have been hacked until now.

I don't know how you come to the conclusion that I don't know how a computer works, but anyway ... just the knowledge about how it works might still not be enough to trust it 100%, but I guess we don't have much of a choice until we see open source chip production. One good example is the latest Intel issue and I am sure there will be more to follow. Btw I have addressed this one already a few postings before in this topic:

> ....
> Of course, the fact that we have to use closed source computers to run Bitcoin Core makes it impossible to be 100% safe esp. against state actors.

> ...
> > Of course, the fact that we have to use closed source computers to run Bitcoin Core makes it impossible to be 100% safe esp. against state actors.
>
> You don't have to use a closed source OS. You have decided for yourself to use closed source software.
> Everyone is free to use the software he wants. There are a lot of open source Linux distributions available on the internet.

I didn't say 'closed source OS' but 'closed source computers'. No problem. Misreading can happen.

RGBKey
Hero Member
March 22, 2018, 10:27:36 PM
 #15

I think that hardware wallets happen to be very much so in the spotlight right now. Let's not forget that there was also an Electrum vulnerability found and patched recently. I believe that part of this has to do with how long hardware wallets have existed compared to their software counterparts, and how much time people have spent researching them.

Personally, I trust hardware wallets more than software wallets still. I'm not sure they're inherently insecure, but I don't believe they're perfect either. I think as far as security versus convenience, they rank pretty high up there on my list.
seven2smoke1
Full Member
March 22, 2018, 10:32:52 PM
 #16

> I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:
>
> https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf
>
> Worth mentioning that the guy who found this exploit is 15 years young.

I was amazed by this news. I thought that hardware wallets are top secure for saving our bitcoins. Indeed, I thought to buy one in the future, but after reading this PDF, I will keep my bitcoin in some web wallets as I don't have too much. At the same time, I will search for the secure wallet from now on.
RGBKey
Hero Member
March 22, 2018, 10:37:12 PM
 #17

> > I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:
> >
> > https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf
> >
> > Worth mentioning that the guy who found this exploit is 15 years young.
>
> I was amazed by this news. I thought that hardware wallets are top secure for saving our bitcoins. Indeed, I thought to buy one in the future, but after reading this PDF, I will keep my bitcoin in some web wallets as I don't have too much. At the same time, I will search for the secure wallet from now on.


Web wallets are much worse. Just use Bitcoin Core, or other similar software. Web wallets have many more attack vectors than local software.
bitmover
Hero Member
March 22, 2018, 10:39:07 PM
Last edit: March 22, 2018, 11:11:46 PM by bitmover
 #18

> I thought that hardware wallets are top secure for saving our bitcoins. Indeed, I thought to buy one in the future, but after reading this PDF, I will keep my bitcoin in some web wallets as I don't have too much. At the same time, I will search for the secure wallet from now on.

Yeah, this is the problem with posts like this, spreading FUD and misinformation about hardwallets...... that wasn't any critical bug, as the attacker needs physical access..... But newcomers may not understand that clearly enough and think web wallets are safer...

squatter
Hero Member
March 22, 2018, 10:54:02 PM
 #19

> So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so.

Yes, and that was irresponsible marketing. Most security-minded people know better than to blindly trust software/hardware just because it hasn't been broken yet. I believe exploits will continue to emerge when it comes to hardware wallets. Accordingly, users should tread with caution.

As for what I recommend -- traditional cold storage for most coins:
I still treat hardware wallets as experimental -- perhaps safer than a typical hot wallet setup, but nowhere near the safety of actual cold storage. Keeping all private keys on one or two devices that plug into online computers just feels way too risky to me. I use tried-and-true cold storage methods (paper wallets, encrypted offline .dat) for 80-90% of my coins. I know that compromising those keys from me would take an extremely targeted attack on me -- the likelihood of that is low. Whereas, I believe that hardware wallets are generally a very big target for hackers, and methods for remote exploits are now emerging.

The biggest takeaway from this report, I think, is don't put all your eggs in one basket.

> The only alternative I can think of would be paper wallets, but these are not suitable for spending on a regular basis.

How about an air-gapped PC? Or an encrypted wallet on a thumb drive? One of the points here is that nobody should be storing all (or most) of their coins in the same wallet they regularly spend from.

I still think hardware wallets are fine for day-to-day spending. But I would treat them like a hot wallet and be on the lookout for social engineering tactics.

Spendulus
Legendary
March 23, 2018, 02:18:16 AM
 #20

> > So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so.
>
> Yes, and that was irresponsible marketing. Most security-minded people know better than to blindly trust software/hardware just because it hasn't been broken yet. I believe exploits will continue to emerge when it comes to hardware wallets. Accordingly, users should tread with caution.
>
> As for what I recommend -- traditional cold storage for most coins:
> I still treat hardware wallets as experimental -- perhaps safer than a typical hot wallet setup, but nowhere near the safety of actual cold storage. Keeping all private keys on one or two devices that plug into online computers just feels way too risky to me. I use tried-and-true cold storage methods (paper wallets, encrypted offline .dat) for 80-90% of my coins. I know that compromising those keys from me would take an extremely targeted attack on me -- the likelihood of that is low. Whereas, I believe that hardware wallets are generally a very big target for hackers, and methods for remote exploits are now emerging.
>
> The biggest takeaway from this report, I think, is don't put all your eggs in one basket.
>
> > The only alternative I can think of would be paper wallets, but these are not suitable for spending on a regular basis.
>
> How about an air-gapped PC? Or an encrypted wallet on a thumb drive? One of the points here is that nobody should be storing all (or most) of their coins in the same wallet they regularly spend from.
>
> I still think hardware wallets are fine for day-to-day spending. But I would treat them like a hot wallet and be on the lookout for social engineering tactics.


It's worth noting that paper wallets have also been seen to have defects, and those have been corrected, and modern paper wallets are more secure than early ones were.