Bitcoin Forum
October 22, 2019, 07:21:37 AM *
News: Latest Bitcoin Core release: 0.18.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 [4] 5 6 7 8 »  All
  Print  
Author Topic: It is NOT secure to use hardware wallets (and it never was)  (Read 1941 times)
Samarkand
Sr. Member
****
Offline Offline

Activity: 630
Merit: 278


View Profile
March 30, 2018, 10:53:10 AM
 #61

...
I think that hardware wallets are still one of the safest ways for safe storage of private keys,although from time to time a security vulnerability appears,but also very quickly after that we have update which fix the problem.This is something quite normal,not only with hardware wallets,but with any other device or operating system which exists today.

...

I would say that 4 months isn´t "very quickly" and definitely too long when it comes to a Bitcoin
hardware wallet.

In general I would simply advise people to spread their risk by using different ways of Bitcoin storage
simultaneously. E.g. keep a few Bitcoins in a hardware wallet, a few Bitcoins in a paper wallet where
parts of the mnemonic seed are stored at different locations, a few BTC in a  traditional wallet or a SPV client,
a few mBTC in one of the better mobile wallets (I´d recommend Samouraiwallet).
The only thing that I wouldn´t really recommend is storing Bitcoins on a computer that is often used
to browse the internet and is running a Windows OS. Storing Bitcoins on an exchange is also in general
a bad idea as the numerous exchange hacks in the past illustrate.

It is extremely unlikely that all of these different storage solutions are compromised simultaneously, which
makes it nearly impossible for you to lose all your funds. This is preferable to storing all your crypto wealth
in a single hardware wallet, because this puts you in the uncomfortable position where you are at risk
of losing 100 % of your coins if a serious vulnerability in Ledger/Trezor is discovered and exploited by
malicious actors.

On the other hand you are only risking a fraction of your Bitcoins if you heed my advice of spreading
your risk. In the long run losing 20 % of your Bitcoin stash due to a vulnerability or a lost/destroyed paper wallet
may prove to be inconsequential anyway, because 80 % of your Bitcoin stash will still be enough to make
you either financially independent or filthy rich (depending on the actual size of your BTC stash)  Cheesy

All in all, I´d suggest that you should not trust any hardware wallet with 100 % of your funds and
that you should instead spread the risk by using several storage solutions.
1571728897
Hero Member
*
Offline Offline

Posts: 1571728897

View Profile Personal Message (Offline)

Ignore
1571728897
Reply with quote  #2

1571728897
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1571728897
Hero Member
*
Offline Offline

Posts: 1571728897

View Profile Personal Message (Offline)

Ignore
1571728897
Reply with quote  #2

1571728897
Report to moderator
1571728897
Hero Member
*
Offline Offline

Posts: 1571728897

View Profile Personal Message (Offline)

Ignore
1571728897
Reply with quote  #2

1571728897
Report to moderator
1571728897
Hero Member
*
Offline Offline

Posts: 1571728897

View Profile Personal Message (Offline)

Ignore
1571728897
Reply with quote  #2

1571728897
Report to moderator
Carlton Banks
Legendary
*
Offline Offline

Activity: 2520
Merit: 1991



View Profile
March 30, 2018, 11:02:22 AM
Last edit: March 30, 2018, 11:45:26 AM by Carlton Banks
Merited by AGD (1)
 #62

There's more to a computer than just the OS. A lot of firmware such as processor microcode are closed source. So it doesn't matter whether the OS you use is open source; if the firmware for your hardware and the hardware itself is closed source, then you are at risk of that closed source being malicious or containing something that can be exploited. One example of this is the Intel Management Engine which could allow someone to remotely access and control your computer and there's no way to disable it because it is baked into the hardware and firmware, both of which are also closed source.

Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.


tldr: Intel owns your computer. Stop using Intel (AMD won't help you, they have a similar tech on newer CPUs too)


As of Intel's ME, there are solutions to  neutralize or disable it people even suggest not to use Intel processors made since 2008 and AMDs since 2013.

There's alot of skepticism about whether ME cleaning/disabling is of any real benefit. It's better than nothing, but the ME and it's firmware either still partly exists after cleaning (only something like 95% of the ME firmware can be flashed, otherwise the CPU refuses to initialise hardware components so the BIOS can load), or still exists completely after disabling (disabling is a feature that Intel designed, we're essentially trusting that the feature does what Intel claims it does).

Intel defined several negative numbered control rings for the ME to use. This means that the ME can function like a rootkit that forms an intentional part of an x86 computer's design. It cannot be removed completely, and so all Intel machines should be considered compromised hardware. The ME could lie to you about anything your machine is really doing, and surveill what happens on your machine. So the Intel ME could be used to steal all Bitcoins from every machine with an Intel ME, one can only speculate Intel must have those ME code signing keys under very limited access and very close supervision within the company.

Ironically (considering the title of this thread), hardware wallets mitigate this attack vector, as Bitcoin private keys on a hardware wallet shouldn't be accessible to the ME if a hardware wallet is secure enough. But don't let that comfort you too much, i reiterate: Intel are behaving in bad faith with their ME tech, please stop using Intel CPUs.


tldr; This should be (and may eventually become) a far more controversial scandal than Facebook selling user data to 3rd parties; Intel can collect ALL data from your machine, not just some of it. And Intel can lie to you about what your computer is really doing.

Vires in numeris
Karartma1
Legendary
*
Offline Offline

Activity: 1820
Merit: 1073


Be Revolutionary Or Die Trying


View Profile WWW
April 05, 2018, 02:16:38 PM
 #63

If that's the case what can we do then? What kind of microprocessor is your machine using? I mean f*c*ing intel is everywhere! I am about to change my old 2010 laptop (amd)? Do you have any suggestions?

I am not interested in preserving the status quo; I want to overthrow it. Niccolò Machiavelli
Coin_trader
Hero Member
*****
Online Online

Activity: 1120
Merit: 518


CryptoTalk.Org - Get Paid for every Post!


View Profile WWW
April 05, 2018, 02:56:25 PM
 #64

I thought that using those hardware wallets is the most secure way of storing Bitcoins but now I am doubting, i guess i will keep my BTC on my online wallets with a password that i put on a safe place. But still i am planning to buy a ledger nano to try myself the security of that hardware wallet.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
bob123
Legendary
*
Offline Offline

Activity: 1050
Merit: 1568



View Profile WWW
April 05, 2018, 03:36:21 PM
 #65

I thought that using those hardware wallets is the most secure way of storing Bitcoins but now I am doubting, i guess i will keep my BTC on my online wallets with a password that i put on a safe place.

While a hardware wallet is not 100% secured (nothing is 100% secured) it is definetely better than an online wallet.
The attack surface of a web wallet is by far bigger than the attack surface of a hardware wallet.

The point is: If you decide to stop using your hardware wallet and put it in a safe place.. your coins are safe. Regardless of a vulnerability.
But a web wallet on the other hand can be attacked 24/7. Not that you just have to trust the developer of the wallet, you also have to trust they
are able to secure their whole infrastructure good enough.

While hardware wallets may not be the most secured storage option, it definetely can be regarded as more secured than an online wallet.

Carlton Banks
Legendary
*
Offline Offline

Activity: 2520
Merit: 1991



View Profile
April 05, 2018, 04:16:43 PM
Merited by AGD (1), Karartma1 (1), butka (1), Anti-Cen (1)
 #66

If that's the case what can we do then? What kind of microprocessor is your machine using? I mean f*c*ing intel is everywhere! I am about to change my old 2010 laptop (amd)? Do you have any suggestions?

1. Keep that AMD laptop

Best advice right now is to keep pre-2013 AMD and (I think) pre-2007 Intel hardware (which in a stroke of irony are not receiving patches for those kernel memory access exploits that made the news for Intel recently).  


Alternative options to Intel/AMD (which are all compromises of some kind, and all involve more computing skills than x86 platforms):
  • ARM chips (not open designs or fully user controllable, & ARM are beginning to introduce anti-features similar to those that Intel and AMD have, so careful research needed)
  • IBM POWER chips (which are expensive, & not well supported, but the platform is fully user controllable AFAIK)
  • RISC V chips (which are expensive, immature, & not at all widely used, although the design is more open than IBM POWER, and like POWER, whole tech platform is user controllable)

Intel and Microsoft are slowly turning the whole Wintel concept into something closer to owning a Nintendo console than using a proper computer. Using some kind of Unix style operating system on non-Intel hardware will be the only option, eventually.

Vires in numeris
bekkioPEK
Member
**
Offline Offline

Activity: 355
Merit: 12


View Profile
April 05, 2018, 04:24:06 PM
 #67

hardware wallets certainly  can not give you 100% security, but I think they are the ones that are closer to total security. web wallets are definitely the worst in terms of security, paper wallet still has its risks (you can lose it, it can get damaged, it can be destroyed in the time), the dekstop wallet if you have a computer infected with a virus is dangerous. probably there is no totally safe method.

Anti-Cen
Member
**
Offline Offline

Activity: 210
Merit: 26

High fees = low BTC price


View Profile
April 05, 2018, 04:26:07 PM
Last edit: April 05, 2018, 04:55:48 PM by Anti-Cen
 #68

Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on somethings but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever had thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Goolge on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come too.
vnck25
Member
**
Offline Offline

Activity: 378
Merit: 11


View Profile
April 05, 2018, 10:59:37 PM
 #69

I agree with many of the comments made here. Hardwear wallets (cold storage devices) are much safer than online wallets, and my personal view is that paper wallets are the safest if you are in it for the long haul. Just make sure to purchase the desired hardwear wallet from the manufacturer, NOT from 3rd party sellers ( especially the ones you find on eBay ). 
AGD
Legendary
*
Offline Offline

Activity: 1849
Merit: 1058


Keeper of the Private Key


View Profile
April 06, 2018, 06:53:07 AM
 #70

I agree with many of the comments made here. Hardwear wallets (cold storage devices) are much safer than online wallets, and my personal view is that paper wallets are the safest if you are in it for the long haul. Just make sure to purchase the desired hardwear wallet from the manufacturer, NOT from 3rd party sellers ( especially the ones you find on eBay ). 

Everything is safer than online wallets...

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
Lucius
Legendary
*
Offline Offline

Activity: 1568
Merit: 1356


Fortis Fortuna Adiuvat


View Profile WWW
April 06, 2018, 10:13:49 AM
 #71

...
I think that hardware wallets are still one of the safest ways for safe storage of private keys,although from time to time a security vulnerability appears,but also very quickly after that we have update which fix the problem.This is something quite normal,not only with hardware wallets,but with any other device or operating system which exists today.

...

I would say that 4 months isn´t "very quickly" and definitely too long when it comes to a Bitcoin
hardware wallet.

In general I would simply advise people to spread their risk by using different ways of Bitcoin storage
simultaneously. E.g. keep a few Bitcoins in a hardware wallet, a few Bitcoins in a paper wallet where
parts of the mnemonic seed are stored at different locations, a few BTC in a  traditional wallet or a SPV client,
a few mBTC in one of the better mobile wallets (I´d recommend Samouraiwallet).
The only thing that I wouldn´t really recommend is storing Bitcoins on a computer that is often used
to browse the internet and is running a Windows OS. Storing Bitcoins on an exchange is also in general
a bad idea as the numerous exchange hacks in the past illustrate.

It is extremely unlikely that all of these different storage solutions are compromised simultaneously, which
makes it nearly impossible for you to lose all your funds. This is preferable to storing all your crypto wealth
in a single hardware wallet, because this puts you in the uncomfortable position where you are at risk
of losing 100 % of your coins if a serious vulnerability in Ledger/Trezor is discovered and exploited by
malicious actors.

On the other hand you are only risking a fraction of your Bitcoins if you heed my advice of spreading
your risk. In the long run losing 20 % of your Bitcoin stash due to a vulnerability or a lost/destroyed paper wallet
may prove to be inconsequential anyway, because 80 % of your Bitcoin stash will still be enough to make
you either financially independent or filthy rich (depending on the actual size of your BTC stash)  Cheesy

All in all, I´d suggest that you should not trust any hardware wallet with 100 % of your funds and
that you should instead spread the risk by using several storage solutions.

I agree that it took them a long time to make new firmware from first warning,but you have to consider that public info about vulnerability and time after Ledger released a new firmware was pretty short.That's how things work,the time required for something like this is always too long for users,and too short for company.In any case, they should react much faster there is no doubt about it.

Your advice to spread the risk to multiple wallets is good,and I think many users do just that.I personally never believed that the hardware wallet was absolutely safe,but that provides me very good security for storage and everyday use.But one should always keep in mind,it was made by humans and humans can hack it.

Karartma1
Legendary
*
Offline Offline

Activity: 1820
Merit: 1073


Be Revolutionary Or Die Trying


View Profile WWW
April 06, 2018, 06:05:15 PM
 #72

If that's the case what can we do then? What kind of microprocessor is your machine using? I mean f*c*ing intel is everywhere! I am about to change my old 2010 laptop (amd)? Do you have any suggestions?

1. Keep that AMD laptop

Best advice right now is to keep pre-2013 AMD and (I think) pre-2007 Intel hardware (which in a stroke of irony are not receiving patches for those kernel memory access exploits that made the news for Intel recently).  

Thanks, I'll do my best to make my old laptop a long lasting machine. It's not going to be easy but everything I need is backed on my hard drives. So sad this is the situation we are in.

I am not interested in preserving the status quo; I want to overthrow it. Niccolò Machiavelli
nokati
Full Member
***
Offline Offline

Activity: 278
Merit: 102



View Profile WWW
April 07, 2018, 09:26:52 PM
 #73

A hardware wallet can be safe, just cut the connection. That's what DigiSafeGuard is working on right now. There is no 100% security, but its as secure as it can get. At least as secure as a paper wallet.
https://www.digisafeguard.com

Any other hardware wallet having a usb connection or relaying on a chip security is not safe enough to put more than 5000 usd on it.

Spendulus
Legendary
*
Offline Offline

Activity: 2394
Merit: 1189



View Profile
April 08, 2018, 05:34:56 PM
 #74

Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on somethings but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever had thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Goolge on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Just take an old laptop, load your favorite wallet and coins, then break or disable the wireless networking. Then break or disable the wired networking.

Although hardware wallets may have some issues, those issues are nothing compared to the problems of binding a machine to the greater world, uploading data and reporting in fashions the user is not privy to, and requiring downloading of supposed "updates" that are not comprehensible.
chennan
Legendary
*
Offline Offline

Activity: 1316
Merit: 1004


View Profile
April 08, 2018, 07:41:46 PM
 #75

These kind of hardware wallets will grow stronger with time.
A indestructible and safe wallet is a very hard thing to accomplish.

Right, and honestly I like that these hardware wallets are being heavily scrutinized, broken down, rebuilt, and broken down again while Bitcoin and other cryptocurrencies are still relatively early in the game and not that many people are actively using cryptos.

Having the simplicity and "security" of hardware wallets are crucial for mainstream adoption.

chennan
Legendary
*
Offline Offline

Activity: 1316
Merit: 1004


View Profile
April 08, 2018, 07:48:36 PM
 #76

Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on somethings but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever had thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Goolge on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Just take an old laptop, load your favorite wallet and coins, then break or disable the wireless networking. Then break or disable the wired networking.

Although hardware wallets may have some issues, those issues are nothing compared to the problems of binding a machine to the greater world, uploading data and reporting in fashions the user is not privy to, and requiring downloading of supposed "updates" that are not comprehensible.

Yeah, but you don't want just any old laptop to do that on.  Like if you were to get one of your old laptops from 10 years ago that you were downloading a whole bunch of sketchy stuff on through limewire, I wouldn't think to recommend using something like that.  The most secure way is to buy a cheap laptop that has no wireless or bluetooth capabilities, and then load trusted/gpg verified files on the computer through booting it on a live-USB.

Kumic
Full Member
***
Offline Offline

Activity: 476
Merit: 100



View Profile
April 08, 2018, 10:56:05 PM
 #77

I would still use it. Of course that they can make the modifications on hardware wallet and steal your coins after you use it.
So buy it from the official seller and update it if needed.

DeepOnion    ▬▬  Anonymous and Untraceable  ▬▬    ENJOY YOUR PRIVACY  •  JOIN DEEPONION
▐▐▐▐▐▐▐▐   ANN  Whitepaper  Facebook  Twitter  Telegram  Discord    ▌▌▌▌▌▌▌▌
Get $ONION  (✔Cryptopia  ✔KuCoin)  |  VoteCentral  Register NOW!  |  Download DeepOnion
faultunfmuzzled8
Copper Member
Newbie
*
Offline Offline

Activity: 168
Merit: 0


View Profile
April 09, 2018, 12:59:21 AM
 #78

No it doesnt worth mentioning that it was found by whom because whoever have found it just awsome discovery
justmyname
Sr. Member
****
Offline Offline

Activity: 383
Merit: 250


View Profile
April 09, 2018, 01:18:19 AM
 #79

I haven't heard of anyone losing coins in a hardware wallet yet. Other than a device that already had been previously opened. They set the seed words and password. Then sent the device and a copy of the seeds words-password to the new owner. The new owner thought he bought a new device and didn't reset it. The crooks just waited until the coins were in the wallet and stole them.   
bob123
Legendary
*
Offline Offline

Activity: 1050
Merit: 1568



View Profile WWW
April 09, 2018, 08:36:22 AM
 #80

Yeah, but you don't want just any old laptop to do that on.  Like if you were to get one of your old laptops from 10 years ago that you were downloading a whole bunch of sketchy stuff on through limewire, I wouldn't think to recommend using something like that.  The most secure way is to buy a cheap laptop that has no wireless or bluetooth capabilities, and then load trusted/gpg verified files on the computer through booting it on a live-USB.

Using an old processor doesn't also mean you have to use your old (non-wiped) hard drive.
An old laptop with a formatted hard drive and wireless adapter removed does its job very well.

There is also no need for running an OS as live version from an USB stick. It is absolutely fine to install an OS to your hard drive.
No connection adapters mean no connection. Regardless of the OS you are running and from how you boot it.

Pages: « 1 2 3 [4] 5 6 7 8 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!