It is NOT secure to use hardware wallets (and it never was)

[nullius]

How about an air-gapped PC?

This.  With the proviso that this means a dedicated machine which is never connected to a network, and has hardware capable of non-contact connections (such as wifi and bluetooth) physically removed.  I state this explicitly, for I’ve observed that many people mistakenly believe that rebooting their network machines with a live CD/USB makes for an “airgap”.

Part of the advantage of an airgap machine is that the hardware can be purchased anonymously.  For ordinary individuals, buying an inexpensive laptop (sufficient for Bitcoin, PGP, etc.) off the shelf for cash is the only practical means I know for precluding any chance of a targeted supply-chain attack.  Wherefore this part of the Ledger vulnerability disclosure blog post caught my attention (boldface is in the original):

In this disclosure, we will focus primarily on the case of supply chain attacks. That is: whether or not you can trust your hardware wallet when you purchase it from a reseller or third party. But, as I explain briefly at the beginning of this article, the methods described here can be applied to the other two attack vectors.

Well, that was always my biggest problem with hardware wallets!  How do I get one?

A company garners my distrust when it not only fails to adequately address this question, but gives its customers advice so irresponsible as to verge on negligence (archive.is link corrected to https):

Ledger’s CTO even goes as far as to tell users that it is completely safe to purchase from eBay (archive.is / archive.org).

Do they claim their hardware to be unhackable!?

The first rule of computer security is physical security.  If an attacker comes into physical possession of your hardware, then you must thence permanently consider that hardware to be compromised.

My understanding of tamper-resistant hardware wallets was always that they would resist extraction of keymat already stored on the device—backward-looking protection of data at rest.  Not that they would guarantee forward safety of the device after it had been in possession of an adversary.

An airgap PC with properly⁰ encrypted disks will also protect your coins against thieves who steal the device—but with the difficulty that this only moves the key management problem from one place to another:  How do you secure your disk encryption keys?  Tamper-resistant hardware could be quite helpful here; I’ve had some relevant thoughts, but of course, that would require obtaining uncompromised tamper-resistant hardware.

(Of course, an airgap PC which has been stolen and recovered must be treated as permanently compromised.)

0. Don’t get me started.

[Kogs]

Do they claim their hardware to be unhackable!?

More or less they were claiming that it's unhackable, and that's my only issue with them.
https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

This claim was proven false now.

Nevertheless in my opinion I still think a hardware wallet is more secure than any other wallets when used safely.
Just that hardware wallets do have security issues does not make any other type of wallet which have MORE security issues suddenly better.

My ranking of wallets in terms of security would be the following

• Hardware wallets
  If you don't take them outside of your home and attacker don't get physical access they are pretty safe -> with physical access as proven now it might not be safe
• Paper wallets
  If they are kept hidden in a secret place -> but with physical access by an attacker -> no security at all.
  If people carry them around I consider them worse than any mobile wallets (they do at least have a pin to secure the wallet).
• Airgapped PCs
  Pretty safe as long as an attacker don't get pyhsical access. I consider them worse than a hardware wallet because a PC/MAC/whatever even if not connected to the big world has a much bigger attack vector than a hardware wallet if getting pyhsical access.
• Any local hot wallets on PC/MAC
  With spyware or other malicious software these wallets can be easily compromised. No physical access necessary
• Any mobile wallets
  The security of such wallets is usually quite bad. Usually very short pin-codes are used to secure the wallet. As it's easy to lose them an attacker can get physical access to it.
• Online wallets where you control the private keys
• Online wallets where you don't control the private keys

Did I miss any type of wallet?

Beside of my listed ranking anyone can (and should) improve the security by combining several methods above and use multi signature addresses. In this case it is not possible to steal funds if just one of the methods is compromised.

Would be interested if someone has a different ranking than me.

[AGD]

Do they claim their hardware to be unhackable!?

More or less they were claiming that it's unhackable, and that's my only issue with them.
https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

This claim was proven false now.

Nevertheless in my opinion I still think a hardware wallet is more secure than any other wallets when used safely.
Just that hardware wallets do have security issues does not make any other type of wallet which have MORE security issues suddenly better.

My ranking of wallets in terms of security would be the following

• Hardware wallets
  If you don't take them outside of your home and attacker don't get physical access they are pretty safe -> with physical access as proven now it might not be safe
• Paper wallets
  If they are kept hidden in a secret place -> but with physical access by an attacker -> no security at all.
  If people carry them around I consider them worse than any mobile wallets (they do at least have a pin to secure the wallet).
• Airgapped PCs
  Pretty safe as long as an attacker don't get pyhsical access. I consider them worse than a hardware wallet because a PC/MAC/whatever even if not connected to the big world has a much bigger attack vector than a hardware wallet if getting pyhsical access.
• Any local hot wallets on PC/MAC
  With spyware or other malicious software these wallets can be easily compromised. No physical access necessary
• Any mobile wallets
  The security of such wallets is usually quite bad. Usually very short pin-codes are used to secure the wallet. As it's easy to lose them an attacker can get physical access to it.
• Online wallets where you control the private keys
• Online wallets where you don't control the private keys

Did I miss any type of wallet?

Beside of my listed ranking anyone can (and should) improve the security by combining several methods above and use multi signature addresses. In this case it is not possible to steal funds if just one of the methods is compromised.

Would be interested if someone has a different ranking than me.

You indeed did forget the most important and still the most secure: Bitcoin Core and all the other open source software where you download the entire blockchain and where you can encrypt the wallet.

Just a few additions:

Paper Wallets can be encrypted, which makes it more secure than cash, but still is open to a regular robbing with weapon use (Tell the password or die), but the main problem I think is that it can be destroyed very easy.

An encrypted wallet.dat fie can be renamed into Michael_Jackson-Earthsong.mp3 and you carry it around (or send it around). Place another unchanged and unencrypted wallet.dat file with a low amount for plausible deniabiity. There are other plausible deniability solutions like hidden partitions etc. Multiple backups make a file pretty much undestroyable.

[Lucius]

You indeed did forget the most important and still the most secure: Bitcoin Core and all the other open source software where you download the entire blockchain and where you can encrypt the wallet.

Just a few additions:

Paper Wallets can be encrypted, which makes it more secure than cash, but still is open to a regular robbing with weapon use (Tell the password or die), but the main problem I think is that it can be destroyed very easy.

An encrypted wallet.dat fie can be renamed into Michael_Jackson-Earthsong.mp3 and you carry it around (or send it around). Place another unchanged and unencrypted wallet.dat file with a low amount for plausible deniabiity. There are other plausible deniability solutions like hidden partitions etc. Multiple backups make a file pretty much undestroyable.

I do not consider Core in a any way "most secure" in comparison with paper wallet or hardware wallets.Let's say user have Core on his PC,first he/she need to download 100+ GB of data and then encrypt wallet with strong password.If this user does not take care about online security(no or bad antivirus/firewall/antimalware...) it is very easy target for hackers(RAT,keylogger,malware,ransomware...).Also regular robbing will work in this case also,a gun pointing to your head will force you to decrypt your Core wallet or to give your paper wallet.

I think we can still consider hardware wallets pretty secure if they are ordered directly from the manufacturer what is possible with Ledger&Trezor.For now it is not known that someone has lost coins with hardware wallets(and that this is caused by security flaws in them),but there are countless examples of losing coins with almost all other methods of keeping coins.

[pawanjain]

In my opinion, there is nothing that is 100%  perfect in nature. As the time goes by, developments take place and this is how it leads to a better economy. So if there is a vulnerability in the hardware wallet, it will get rectified in the future developments. It is obviously not 100% secure but then it is way better than any other wallets. We can consider it as a best secure device to hold our cryptocurrencies.

[bitmover]

Paper Wallets can be encrypted, which makes it more secure than cash, but still is open to a regular robbing with weapon use (Tell the password or die), but the main problem I think is that it can be destroyed very easy.

Also regular robbing will work in this case also,a gun pointing to your head will force you to decrypt your Core wallet or to give your paper wallet.

Ledger Nano S has a feature to protect you against a regular robbing (like tell your private key or die).
It's called Alternative Pin or Hidden Account.

How to set up and/ or recover a hidden passphrase and alternate PIN on your Ledger Nano S?

The hidden passphrase is used for two reasons

1. Protection of your 24 words recovery phrase if your accounts are behind a passphrase then you are protected.

2. "Plausible deniability" is a security feature that combats the risk of being threatened and/or forced to enter your PIN code. With this option, you can manage two PIN codes, unlocking two separate accounts:

- Your first PIN code provides access to your main wallet, like a basic account, with low amounts used for daily payments and small transactions.

- Second PIN code, linked to a specific passphrase you need to set up, opens an hidden account, to save large amounts, which will only be used occasionally. With this option, in case you are forced to recover a wallet from your 24-word backup, only the main wallet will be displayed, and the second account will remain hidden, as long as you don't reveal the attached passphrase.

It works like this: You you will have 2 PIN. So if someone gets inside your house and say "give me your bitcoin or die" you can unlock just the basic wallet with your PIN. The other one is totally hidden, only unlockable with the second PIN.

This is a feature which not many users know... But pretty useful.

[Kogs]

You indeed did forget the most important and still the most secure: Bitcoin Core and all the other open source software where you download the entire blockchain and where you can encrypt the wallet.

Just a few additions:

Paper Wallets can be encrypted, which makes it more secure than cash, but still is open to a regular robbing with weapon use (Tell the password or die), but the main problem I think is that it can be destroyed very easy.

An encrypted wallet.dat fie can be renamed into Michael_Jackson-Earthsong.mp3 and you carry it around (or send it around). Place another unchanged and unencrypted wallet.dat file with a low amount for plausible deniabiity. There are other plausible deniability solutions like hidden partitions etc. Multiple backups make a file pretty much undestroyable.

I consider the Bitcoin Core Client is a normal hot wallet. In terms of security it is not better or worse than any other hot wallet without the full blockchain. Of course there are clients which have better security than other. but from security perspective I throw all hot wallets into the same pot.

To have a full node instead of using a SPV client is indeed better but both wallets store the private keys in a similar way so they are the same for me in this regard.

You are right that paper wallets can be encrypted, but as you also say with force from an attacker none of the available wallets/key-stores would safe your coins.

The best security is when no one knows that you own any bitcoins. And you also don't have any traces on your PC/phone which might let anyone think you have some bitcoins (like installed bitcoin clients). This could be achieved in parts with an encrypted OS running inside a virtual machine which runs the bitcoin client.

The question is always, how paranoid you wanna be to secure the bitcoins. This also depends on how much you have to secure.

Your idea to encrypt and rename the wallet.dat (security by obscurity) might only work as long as you don't need it. If you want to create a transaction from this wallet.dat you need to encrypt it and load it with the bitcoin client. And when your PC is infected with malicious software it will not help you.

[vlom]

an other problem with hardware wallets is that it could be possible that user feel safe. and because of that they forget to be careful while handling with their coins. in short: hw wallets could lead to a false security.

[HCP]

Honestly, the same could be said of almost ANY wallet... hardware, software, online...

Just because there aren't any KNOWN vulnerabilities in any given wallet... doesn't mean that their aren't ANY vulnerabilities in any given wallet. I'm also a little unsure about the claim that an attacker can extract private keys/seed from a hacked device.

Looking at the the specifics of Saleem's detailed explanation and Ledger's write up... it would seem that a "supply chain" attacker can essentially set the device to output a specific "known" seed... rather than using a random one. That's not really "extracting" seeds/private keys... as the attacker already knows what the seed is.

Saleem claims in his write up:

Physical access after setup

This is commonly known as an “Evil Maid attack”. This attack would allow you to extract the PIN, recovery seed and any BIP-39 passphrases used, provided the device is used at least once after you attack it.

As before, this does not require malware on the computer, nor does it require the user to confirm any transactions. It simply requires an attacker to install a custom MCU firmware that can exfiltrate the private keys without the user’s knowledge, next time they use it.

However, I don't actually see any "proof" of the viability of this attack... the report write up was completely focused on how he managed to trick the Secure Element into accepting his modified MCU firmware by being able to reconstruct the image of the legit firmware by taking parts from multiple sources in the device.

Was it simply because you could theoretically load a keylogger that logged all the key presses from you entering your PIN and BIP39 passphrase and possibly the seed that was displayed on the screen?


In any case, Ledger are claiming that an update to 1.4.1 prevents this attack vector as it removes the ability to load and spoof custom MCU firmware... I guess the usual disclaimers that NOTHING is 100% secure apply!

[prjcoin]

Ledger nano is safe.

[Nikolya]

I also agree that it is not safe to use hardware wallets. Several methods of protection are needed, combined protection against new threats that hackers from all over the world come up with.

[Kprawn]

In the end it comes down to ease of use and convenience and also flexibility. You do not want to install Bitcoin Core on every

computer, wherever you go. It is quite handy to have a secure hardware wallet in your pocket, when you move around a lot.

I can quickly pop in my hardware wallet at a friends house {non-bitcoiner} and have access to my coins to do a transaction

or to show him/her how it works. It is more secure than online wallets and more convenient than paper wallets. 

[ijeb]

This kid was briliant 

[BardonMe]

Pretty impressive for a 15 year old kid to find an exploit like this.

[Spendulus]

....
Ledger’s CTO even goes as far as to tell users that it is completely safe to purchase from eBay (archive.is / archive.org).....

Then he's an innocent babe and wrong, or a liar.

On second thought maybe he's qualified his statements some kind of way, but that's really beside the point.

What happens if you buy "A Ledger" on eBay is that you get something that might look like a Ledger, and it might act like a Ledger, but it might actually be something very different.

There was a con recently on eBay concerning Trezor IIRC which involved "last minute instructions" included with the package shipped to the gullible mark. Several people lost their funds on that.

[kimochidesh]

I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.

All Digital assets are unsecure in some way or another. Blockchain can't be hacked but cryptocurrency can be stolen from wallets, exchange etc. If you have large asset then don't store all of it in one medium like wallet, exchange etc.

[Spazzer]

Nothing is perfect. With the recent Ledger vulnerability the devs response and transparency was good. The security might not be perfect, but it will improve overtime.

[Wind_FURY]

How about an air-gapped PC?

This.  With the proviso that this means a dedicated machine which is never connected to a network, and has hardware capable of non-contact connections (such as wifi and bluetooth) physically removed.  I state this explicitly, for I’ve observed that many people mistakenly believe that rebooting their network machines with a live CD/USB makes for an “airgap”.

Part of the advantage of an airgap machine is that the hardware can be purchased anonymously.  For ordinary individuals, buying an inexpensive laptop (sufficient for Bitcoin, PGP, etc.) off the shelf for cash is the only practical means I know for precluding any chance of a targeted supply-chain attack.  Wherefore this part of the Ledger vulnerability disclosure blog post caught my attention (boldface is in the original):

That's too extreme. In most cases, use Bitkey https://bitkey.io/.

It would take someone familiar with Linux to use it, but all the information needed on how to make a bootable USB, use, and configure it are available online. There is no excuse for a newbie Bitcoiner not to learn.

[Elemco.in]

Nothing is perfect. With the recent Ledger vulnerability the devs response and transparency was good. The security might not be perfect, but it will improve overtime.

As much as I hate McAfee, you can't argue with what he said: As long as there is technology in our daily lives, there will be hackers there, waiting on the sidelines, to break inside it. [Paraphrase]

As long as companies like Ledger and Trezor work quickly to patch any security vulnerabilities, we should be fine.

[aliashraf]

So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so. In both Ledger and TREZOR there were discovered vulnerabilities which allowed potential attacker to extract the seed. I haven't heard of any issues with KeepKey. I was thinking of using an air-gapped computer for storing large amount of BTC and a hardware wallet in case I needed to travel and have some bitcoin with me just in case. Have you ever used any hardware wallet?

Of course, the fact that we have to use closed source computers to run Bitcoin Core, makes it impossible to be 100% safe esp. against state actors.

I'm not objecting just confused: Is it about firmware, BIOS, fucking NVIDIA device drivers or what? We have Linux and Free BSD, don't we? Is it impossible to have Core's wallet running on top of a clean installed Linux?

I'm seriously interested in your term 'closed source computer', actually it is my main research topic for the last couple of years, I'm just wondering how deep is your interpretation of this concept and whether you have developed any idea as an alternative?