Hardware wallets as a measure of mainstream adoption....?

[DireWolfM14]

As we have to trust Exchanges, maybe we can trust a well known company ? But I'm 100% with you when it comes to say : not your keys, not your coins !

I don't think that trusted companies like Trezor and Ledger would bother to do such a thing and earn a little on comission. Trezor introduced Trezor Buy which helps less experienced users to choose a good exchange to buy Bitcoin from. It's even easier to exchange coins thanks to the integration with major swap platforms.

Can someone know what's the cheapest hardware wallet (real one, not a cold storage one) on the market ? (My question is business oriented as I'm part of a hardware wallet startup).  

Ledger HW.1 is the cheapest one, but it's no longer supported. I have seen Ledger rep on Reddit giving a discount on Nano S for users who still haven't upgraded from the HW.1. In Europe, Archos Safe-t mini seems to be the cheapest hardware wallet with built-in screen. It's basically a Trezor One in a different chassis.

I think it might be a sale price, but the KeepKey is selling for $24.99 on Amazon right now, a dollar cheaper than the Ledger HW-1.  The Trezor One is $51, and the Ledger nano S is $59.  If I was in the market right now I'd buy a Trezor One, even though it's twice as pricey as the KeepKey I think it's the more secure and versatile choice.

[Tibu]

We would like to sell our product at 25$ including worldwide shipping.
It might do the trick 

But yes, hardware wallets are great things and can get more attraction from lambda people 👌

[o_e_l_e_o]

If I was in the market right now I'd buy a Trezor One, even though it's twice as pricey as the KeepKey I think it's the more secure and versatile choice.

The recently publicized cheap (less than $100) and successful physical attack on Trezor devices concerns me. Even though I always use long and complex passphrases which would completely mitigate against this attack, I still don't like the fact that it was even possible, and was for years before Ledger publicized it. It makes me concerned about other potential unknown vectors of attack. Disclaimer: I own and use Ledger devices., and I fully accept that there could very well be unknown vectors of attack against them as well.

Still, if you are thinking of getting another hardware device non-urgently, then in previous years both Ledger and Trezor have put on Black Friday deals. If you can wait a couple of months until the end of November, you might save yourself some cash.

[DireWolfM14]

The news of this attack vector concerns me as well, as it should everyone.  The wallet does need to be physically accessible to the hacker, so in the event of a loss or theft of a hardware wallet one must look at a strong passphrase as a little time bought, not as a fail-safe.  However, if my Ledger were lost or stolen I would still feel the same way.

My comments above were really just a comparison of the KeepKey and the Trezor One, since both suffer from the same vulnerability.  And if I'm not mistaken, all open source wallets are open to this attack vector.  That's something to consider when shopping for a wallet as well.

I must admit I'm still a fan of the Trezor T, it's my go to wallet.  I did add a much stronger passphrase recently to buy myself some time if anything does happen to it.

[figmentofmyass]

Even if that were to happen, any tampering would be overwritten by a firmware update.  As long as you confirm the firmware is sourced from the actual manufacture (i.e. Ledger Live, Trezor.io/Satoshi Labs, etc.) you'll be safe.  There's still a risk that the hardware wallet as a whole is a forgery or a counterfeit, but if so it would not likely connect to the real manufacturer's apps, and should be easy to spot.

thanks for clarifying re supply chain attacks. how common do you think noobs checking device authenticity is? do they tend to use ledger live when they get a ledger vs wallets like electrum or MEW?

i've received counterfeit electronics from amazon (especially when fulfilled by amazon prime) several times so i sometimes worry about this attack vector. there's probably a lot of low hanging fruit out there. shitcoin investors seem particularly vulnerable because this may cause them to skip right over downloading ledger live:

[o_e_l_e_o]

so in the event of a loss or theft of a hardware wallet one must look at a strong passphrase as a little time bought, not as a fail-safe.

That's actually a very good point. I know if I physically lost my Ledger wallet, I would be transferring everything out of it as soon as I possibly could, including everything I have hidden behind the various passphrases I use. I'm not actually counting on the wallet or the passphrase to be permanently secure; all I actually need is them to be secure for a maximum of a few hours until I can sweep my wallets.

When you put it like that, the passphrases I use are massive overkill. I use enough characters to make them similar to a 24 word seed (or 2^256) in terms of entropy, when in reality, far less than that would be sufficient to buy me the time I need. Still, better safe than sorry. I did want to get another hardware wallet to use as an off-site back-up, but then I would probably only be checking it once or twice a month to see if it had been accessed. Do I trust the wallet to remain secure that long, even with my passphrases? I'm not sure.

[LTU_btc]

I haven't saw things like hardware wallets in local shops. Probably there is just not enough demand to sell it, pretty much same thing why shops aren't accepting Bitcoin. But I think it's possible that in future we will see hardware wallets in physical shops. I saw some shops selling it online - it doesn't hurt them to keep some hardware wallets in their warehouse. But there is simply no reason to keep it on every physical shop of their network when it's no guarantees that someone will buy it.
About possible risks - I don't think that it would be risky to buy hardware walket from physical shop - it's same like to buy from official reseller online.