Hardware wallets, types, security and safety

[doshj]

Understanding the difference between a custodial and a non-custodial wallet is crucial for understanding a wallets security.

"A non-custodial wallet (also known as a light wallet) is simply a piece of software on your own computer or phone that puts you in full control of your cryptocurrency holdings. You hold your own private keys, which means no one else is able to make a transaction on your behalf." Meanwhile, if you use a custodial wallet your private key is stored by a third party.

If you are indeed using a hardware wallet than it is non-custodial/light wallet, which is certainly the most secure type of wallet.

Sources:
https://atomicwallet.io/custodial-non-custodial-wallets-comparison
https://www.cryptovantage.com/guides/custodial-vs-non-custodial-wallets/
https://medium.com/guarda/%EF%B8%8Fcustodial-vs-non-custodial-wallet-s-%EF%B8%8F-benefits-of-light-wallets-87cf701054d1

[jseverson]

This is a lot helpful. But you said, it is inconvenient. It is also can not be safe like the recommended HW wallets.

If your only intention is to keep your private keys offline, I would argue that it could be just as safe, since it does exactly the same thing.

One of the main advantages of hardware wallets, in addition to keeping your keys permanently offline, is that if they fall in to an attacker's hands your coins are still safe (or at least, safe for long enough for you to recover your backs ups and send them to a new wallet). Your set up misses out this important protection, unless you are also encrypting the USB drive.

Strong wallet passwords could also help, so it's not entirely vulnerable in the hands of a potential attacker. I mean, we've all heard about people getting locked out of their Electrum wallets, so you can possibly make this work in your favor. Hardware wallets are definitely better in this area though.

One advantage it has though, is the attacker won't necessarily know the flash drive is holding coins (you could just be using it as an OS installer after all, like majority of the populace) unlike hardware wallets, so they could be less prone to thievery.

[madnessteat]

~snip~

Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

[Lucius]

Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

Device will reset if wrong PIN is entered 3 times in a row, but smart hacker will not try to obtain your PIN in that way. They will try to hack it with brute force, and 8 digit PIN is very limited in number of combination. I'm not sure what kind of equipment is needed and whether Ledger has some protection to prevent such hacking attempts (in case your wallet is stolen).

But let's say a PIN of 8-10 digits is small joke for any supercomputer or botnet :

To demonstrate the importance of password complexity, let's start with a pincode password such as "123456789". In this case, the character set (0123456789) consists of 10 characters. For a 9 digit password using this character set, there are 10^9 possible password combinations. Therefore, it will take (1.7*10^-6 * 10^9) seconds / 2, or 14.17 minutes, to break this password on average. On a supercomputer or botnet, we divide this by 100000, so it would take 0.0085 seconds to break a password.

Because of facts above, using of passphrase on hardware wallet is very desirable. Of course, only if the user knows what he is doing.

https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security

[o_e_l_e_o]

One advantage it has though, is the attacker won't necessarily know the flash drive is holding coins (you could just be using it as an OS installer after all, like majority of the populace) unlike hardware wallets, so they could be less prone to thievery.

This is true, but I still wouldn't rely on the thief not discovering the coins for their safety. If you are storing coins on a plain USB drive, you should be encrypting it.

I'm not sure what kind of equipment is needed and whether Ledger has some protection to prevent such hacking attempts (in case your wallet is stolen).

There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist. With an electron microscope and enough time and expertise, then it is like that even the secure element will be crackable and the seed able to be extracted, but we are now probably talking about in the order of weeks at a cost of several hundred thousand dollars. This differs obviously from Trezor wallets which can have the seed extracted for less than a hundred dollars in the space of a few minutes. Any hardware wallet shouldn't be viewed as infallible, but rather as a mechanism to buy you (hopefully plenty of) time to move your coins to new addresses.

[jseverson]

Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

Oh definitely, in the same way that a USB drive with coins in it wouldn't necessarily be easy to break into. I was just saying that if a random thief with the capability to steal your coins gets into your home, he's more likely to take your hardware wallet than a random USB drive (if not both lmao).

This is true, but I still wouldn't rely on the thief not discovering the coins for their safety. If you are storing coins on a plain USB drive, you should be encrypting it.

No arguments here; if a precaution can make storing your coins safer, you should definitely avail of it. I'll edit my post and credit you. I was just pointing out that an attacker getting his hands on it wouldn't necessarily mean he'd be able to steal what's in it.

[Lucius]

There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist.

Those who have been following the development of hardware wallets for a long time know about the case of Side channel attack which is released back in 2018. This attack demonstrated the possibility of a remote hack of user PIN, and it was successful (Ledger Blue). But PIN is of no use without physically accessing the device, so this vulnerability was declared "less dramatic" and I think it was fixed in next firmware.

Roth explained that they started by analysing the hardware architecture of the Blue. They noticed that there was a fairly long connection between the secure element and another processor. In other words, the wire that connected these two components was physically quite long, due to their physical distance apart on the circuit board (each on other side of the device’s relatively large battery).
So they built a small robotic device to press a button over and over while their antennae listened and logged data. This was used to build up training data for an artificial intelligence system to analyze.
They were able to get a very high likelihood of identifying each digit on a PIN on the tested device.

[greenvie99]

Thanks for information! Right now I'm looking for hardware wallet

[breadginger56]

This is a good reference for newbies that is curious about hardware wallets. Aside from some articles in the web that also talks about hardware wallets. I might make a topic in the future and refer this topic as a point of info. Also having a hardware wallet is a must if you are into crypto for security purposes also in longevity.

[MrcMrc]

There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist. With an electron microscope and enough time and expertise, then it is like that even the secure element will be crackable and the seed able to be extracted, but we are now probably talking about in the order of weeks at a cost of several hundred thousand dollars. This differs obviously from Trezor wallets which can have the seed extracted for less than a hundred dollars in the space of a few minutes. Any hardware wallet shouldn't be viewed as infallible, but rather as a mechanism to buy you (hopefully plenty of) time to move your coins to new addresses.

That is why I prefer the ledger nano products, although I prefer two, he ledger nano x and s. Trezor is good too but I have read about some people saying cloning trezor is more common than cloning ledger nano.

[Polina_21]

In addition to the wallets listed above, I have come across other hardware wallets like Coldcard and Archos Safe-T Mini.

Coldcard is the cheapest bitcoin hardware wallet. Coldcard lets you store and submit your transactions by revealing your private keys like other cryptocurrencies. You’ll need to confirm all your transactions on this external device physically.

Archos Safe-T Mini is a hardware altcoin wallet that is portable. It also has an offline private key storage using an encrypted chipset memory. It has a very easy setup and also multiple cryptocurrency support.

Read here to know more about these hardware wallets. I am sharing it as I came across that even these hardware wallets can be used which are not heard of much.