Hardware Wallet Hacked?

[The Sceptical Chymist]

To put things into the simplest terms, hardware wallets have never been hacked remotely (assuming no attacker ever got their hands on it in transit) due to the way they were designed. Things could easily change in the future<snip>

You think?  I'd hate to live in a world where a hardware wallet could be hacked remotely, as in if it's sitting in my safe not connected to any device.  Hopefully that will never become possible, but the pessimist in me kinda sorta believes that it could happen.

My pea-brain understanding of hardware wallets is that the device itself is needed to sign transactions and that's it.  All the coins are stored within the seed phrase--but of course if someone gets their hands on that, they'd have the ability to do anything they wanted with them.  Someone correct me if I'm wrong, because I'm not a tech guy by any means.

The most important thing I've learned with my Ledger is to keep that seed phrase safe.  I could flush that beautiful Ledger down the toilet, but I'd still have access to my coins as long as I had the phrase.  But the problem is that the thing on which the seed phrase is written down is subject to everything else that can be stolen or destroyed--theft, fire, whatever.  That's the only way I can think of that a hardware wallet can be "hacked" short of a keylogger or some sort of malware in the mix.

[o_e_l_e_o]

I'd hate to live in a world where a hardware wallet could be hacked remotely, as in if it's sitting in my safe not connected to any device.

There is (currently) no conceivable way that could happen without someone being able to open your safe and physically get their hands on your device. But having said that...:

The only system which is truly secure is one which is switched off and unplugged locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.

My pea-brain understanding of hardware wallets is that the device itself is needed to sign transactions and that's it.  All the coins are stored within the seed phrase--but of course if someone gets their hands on that, they'd have the ability to do anything they wanted with them.

I wouldn't say the coins are stored within the seed phrase. Coins are stored on the blockchain.* The hardware wallet simply stores your private keys, which give you permission to make transactions with the associated coins. The seed phrase is a more human-readable encoding of your seed number, which is a 256 bit number (256 zeros and ones). All your private keys can be derived from your seed number, which is why it acts as back up access to all of your coins.


*Actually, the blockchain stores transaction data. "Coins" are an abstract concept and not actual "things" which need to be stored, but this doesn't change how we think about how hardware wallets work.

[TimDavis]

Can hardware wallets like Ledger Nano be hacked and their coins stolen?

In this link, you will find the 35C3 presentation that discusses and demonstrates how popular hardware wallets can be hacked - https://wallet.fail/

However, do note that physical access to the hardware wallet is necessary for such an attack to even take place. Some hardware wallets ensure that a physical attack will erase all the data contained within it. Hardware wallet makers ensure that they provide secure solutions to every form of attack, such as authentication to assure you that the device you receive has not been compromised on the supply chain or hidden wallets to circumvent a $5 wrench attack. Air-gapped hardware wallets that use QR codes for transactions are also available. Hardware wallets like ColdCard, Ledger, Cobo Vault use a secure element that ensures that your private key never leaves your hardware wallet, even if your phone or software is compromised.

Hardware wallets are not 100% immune to hacks especially when it involves instances where someone else manages to get their hands on your seed phrase because you failed to store it somewhere safe.

[Lucius]

Hardware wallets are not 100% immune to hacks especially when it involves instances where someone else manages to get their hands on your seed phrase because you failed to store it somewhere safe.

I would not call hacking if someone is not careful enough in handling their backup, it would be pure negligence used by someone to simply gain access to another person's private keys. It is the same with fake hardware wallets sites that are trying to trick inexperienced users into entering their seed online, or if a user is sharing his seed with someone else (we see such example on this forum), and another person is just clean all accounts.

To hack hardware wallet hacker actually need physical access, which in most cases is an impossible mission. What would be far more dangerous is a remote attack, but it would have to somehow exploit the vulnerabilities of the user interface and the hardware wallet itself, possibly combined with some vulnerability of the operating system.

I'm not going to say it's impossible, but pulling a seed out of a hardware wallet with a remote attack sounds like science fiction at the moment.

[o_e_l_e_o]

I would not call hacking if someone is not careful enough in handling their backup

I'd tend to agree. There is no wallet in the world which can be 100% safe from user error. You can have your bitcoins stored in a wallet generated by flipping a coin on an airgapped machine inside a faraday cage inside a safe inside a nuclear bunker. None of that matters if you are going to type your seed phrase in to some random website promising to airdrop you some useless token. Suggesting this is a flaw specifically of hardware wallets, rather than all wallets, is inaccurate at best.

Hardware wallets are not 100% immune to hacks

It's worth pointing out that no wallet is 100% immune to being hacked. Every wallet has its own unique vulnerabilities, and the best way to be safe is to learn about and appreciate the different vulnerabilities and take steps to mitigate them.

[jerry0]

So someone can't brute force it using software?  Im very surprised by this since ppl said there is like how many words again that is used?