airgapped wallets and private key theft

[desioner]

If you are not using a HD wallet, anytime you sign a transaction, your wallet.dat will be unencrypted in RAM, or more specifically, the decryption key to decrypt the wallet.dat file will be in RAM, along with the private key(s) of what you are using to sign. If an attacker has access to your RAM when you are signing a transaction, all of your money is effectively stolen.
If you are using an HD wallet, anytime you sign a transaction, the private key(s) used to sign the transaction will be stored in RAM. An attacker could use the private key along with the xpubkey (which will always be in an unencrypted state), to be able to calculate the rest of your private keys in your wallet.
Also, an attacker is likely able to monitor what you enter into your keyboard, so they can get your passphraise anyway, so an attacker could simply copy your wallet.dat and use what you typed as your passphraise.

The part I highlighted in red is where my questions focuses. I apologize if it sonds n00b… I'm not very well versed with the core wallet and such.
Suppose I have an airgap PC that I want to use to sign a transaction with but the wallet is passphrase protected. I assume that the wallet can't sign the transaction if it's kept locked correct? Therefore keeping it safe. The issue is once the wallet is opened the info is then sent to RAM and then it's game over.
I'm also wondering what malware they created to be able to pull this off!? Super scary stuff!!

[1714141495]

1714141495

[1714141495]

1714141495

[1714141495]

1714141495

[achow101]

Please do not post in a thread that is long dead. I have moved your post into it's own thread.

If you are not using a HD wallet, anytime you sign a transaction, your wallet.dat will be unencrypted in RAM, or more specifically, the decryption key to decrypt the wallet.dat file will be in RAM, along with the private key(s) of what you are using to sign.

The part I highlighted in red is where my questions focuses. I apologize if it sonds n00b… I'm not very well versed with the core wallet and such.

That part you have highlighted is also partially incorrect. The HD-ness of a wallet does not matter, the decryption key is always held in RAM when your wallet is unlocked,

Suppose I have an airgap PC that I want to use to sign a transaction with but the wallet is passphrase protected. I assume that the wallet can't sign the transaction if it's kept locked correct? Therefore keeping it safe. The issue is once the wallet is opened the info is then sent to RAM and then it's game over.

Yes, your private keys are encrypted until you unlock your wallet. When your wallet is unlocked, the private keys are not actually held unenecrypted but rather the decryption key is.

However it is not necessarily game over even if you have malware. The decryption key is held in memory, but other software cannot typically access the memory of other programs unless it is executed with special permissions.

I'm also wondering what malware they created to be able to pull this off!? Super scary stuff!!

It's really not that special. In fact, the malware is probably something that is extremely simple because the wallet in the video is not even encrypted!. It just needs to read the wallet file in order to get the private key, and then encode that into an audio file and play that audio. It's not that scary and not very special. In fact, that paper itself is nothing new nor is it anything special. It is a well known fact that air gapped wallets are not foolproof and that there are non-networking methods of getting keys off of air gapped machines. Everything that they describe are methods long known before hand. The methods seems scary, but they really aren't as they all require a some fairly targeted attacks in order to pull off (i.e. they need to target you specifically and be somewhat physically close).

[Quickseller]

If you are not using a HD wallet, anytime you sign a transaction, your wallet.dat will be unencrypted in RAM, or more specifically, the decryption key to decrypt the wallet.dat file will be in RAM, along with the private key(s) of what you are using to sign. If an attacker has access to your RAM when you are signing a transaction, all of your money is effectively stolen.
If you are using an HD wallet, anytime you sign a transaction, the private key(s) used to sign the transaction will be stored in RAM. An attacker could use the private key along with the xpubkey (which will always be in an unencrypted state), to be able to calculate the rest of your private keys in your wallet.
Also, an attacker is likely able to monitor what you enter into your keyboard, so they can get your passphraise anyway, so an attacker could simply copy your wallet.dat and use what you typed as your passphraise.

The part I highlighted in red is where my questions focuses. I apologize if it sonds n00b… I'm not very well versed with the core wallet and such.
Suppose I have an airgap PC that I want to use to sign a transaction with but the wallet is passphrase protected. I assume that the wallet can't sign the transaction if it's kept locked correct? Therefore keeping it safe. The issue is once the wallet is opened the info is then sent to RAM and then it's game over.
I'm also wondering what malware they created to be able to pull this off!? Super scary stuff!!
[/quote]I would not call it “game over” especially if you are using an air gapped computer.

You are correct in that your wallet cannot sign a transaction as long as your wallet is “locked” however your private keys may still be vulnerable if you have a weak pass phrase- if someone can gain access to your wallet and you have a weak pass phrase, they could guess the pass phrase and access your private keys.

As a general rule, if your computer is infected with malware, there is a fairly high chance any private keys on your computer will leak unless you catch this quickly and know what to do.

[Kakmakr]

I think you highlighted the wrong section, I am more concerned with this " Also, an attacker is likely able to monitor what you enter into your keyboard, so they can get your passphraise anyway, so an attacker could simply copy your wallet.dat and use what you typed as your passphraise. "

Keyloggers are quite common and I think if you timed your attack correctly and you remote to the persons computer, whilst he/she is logged into the wallet and idle for some time or if you can lock the screen, then you can quickly transfer the coins to your wallet, before he/she reboots the computer.