Cold Storage scam

[Sanugarid]

This is a friendly reminder for every one in here that is planning to buy cold storage Ledger nano X, Ledger S, Trezor hardware and others. If you guys are going to buy hardware like these, make sure you buy it from the direct supplier or manufacturer. There are already some cases of stolen funds from the cold storage, and what does it mean?

It means that the cold storage is already opened, seed phrases are set up and save by someone who owned it first and would just apply as a seller to online markets like Amazon or Ebay. Then us, who wants to save little bit we tend to buy the items at the lower price than what it should be, the boxes are pretty easy to reseal again that it would look brand new as if nothing was tamper.

Or, if you guys already ordered one of these make sure that you factory reset it first before using. I wish this reminder of mine can help 

[cryptomaniac_xxx]

For the record though, there are official amazon retailers for Ledger: https://shop.ledger.com/pages/retailers/

And for Trezor: https://trezor.io/resellers/

First thing to check in the hologram but if you suspect that your device might be compromise, then you have to immediately contact their support.

[pawanjain]

If anybody is to buy a hardware wallet there are some things that he should do:


1. Buy it from a trusted source
2. Once received lookout if the product is not tampered
3. Look for it's serial key and check if the product is genuine
4. Reset the firmware and upgrade it
5. Consider using new seed phrases/keys by regenerating the keys at least 2-3 times

[MrcMrc]

Or, if you guys already ordered one of these make sure that you factory reset it first before using. I wish this reminder of mine can help 

This can just be an option but not wise, there are some that can be cloned in a way that even reseting will not work. Better buy directly from the company is the best.

[crwth]

Or, if you guys already ordered one of these make sure that you factory reset it first before using. I wish this reminder of mine can help 

This can just be an option but not wise, there are some that can be cloned in a way that even reseting will not work. Better buy directly from the company is the best.

Why would you even buy it from another source? That's already the problem. You got to go to the official ones to avoid getting scammed. For sure there are a lot of people who want to buy it "cheaper" but it's going to be a risk compared to the official one. (I'm guessing that they are buying it at a lower price compared to the official store)

[hugeblack]

Not only is the device restored to factory mode, but rather that all parts are intact and their parts are not tampered with. Many scammers open the device and add some physical parts that enable them to change some things and thus access your currencies.

This is one of the explanations that enable you to hack a hardware wallet if you have physical access^[1].
check also ----> https://youtu.be/Y1OBIGslgGM
So be careful.

[1] https://www.kaspersky.com/blog/hardware-wallets-hacked/25315/

[gentlemand]

Not only is the device restored to factory mode, but rather that all parts are intact and their parts are not tampered with. Many scammers open the device and add some physical parts that enable them to change some things and thus access your currencies.

I've never heard of a hardware wallet arriving with hardware tampered with. Can you provide some examples?  We have of course heard of wallets arriving with printed seeds. Physical access after you've created your seed on it seems to have ways in but that's not a factor for most people.

[taufik123]

Not only is the device restored to factory mode, but rather that all parts are intact and their parts are not tampered with. Many scammers open the device and add some physical parts that enable them to change some things and thus access your currencies.

if the scammer has done something as far as modifying the inside, to open the device and add some components that make it possible to access the user's currency easily without being noticed, this is very dangerous.
Modified devices are usually sold at cheap prices.

Better to buy authentic products at official Ledger stores or trusted online stores with authentic guaranteed products.

Too risky to buy a used hardware wallet or at a low price below the market price.

[DdmrDdmr]

The usual guidance is to always purchase these devices from the official website, being very, very careful to actually land on the official website (instead of some cloned name-alike scam stunt). If they do not deliver to your region and/or wish to go for a local store, always check the official website for the official reseller list.

There have been some laboratory hardware tamper attempts which were successful to some degree, and in some cases led to a firmware patch (were feasible) just in case, but the case scenarios were often more in line with attempting to bypass the pin protection by some hardware means.

The case above cited by @hugeblack allowed the "ethical hackers" to load snake onto the Ledger Nano S, by exploiting a weakness in the flash memory address mapping and loading a flag that indicated that their "snake firmware" was a verified image (therefore avoiding the image being really verified). That vulnerability should have been solved: https://www.ledger.com/chaos-communication-congress-in-response-to-wallet-fails-presentation/

They succeeded to install a custom firmware on the MCU. This is actually a feature: the JTAG (debug interface) is still active on this chip, so it’s possible to load the MCU using JTAG and run it in bootloader mode. However, they loaded it using software which was not featured. They used a bug in the firmware update function to perform this. This bug has been solved in the next firmware version. Nevertheless, this bug does not allow anything more than the JTAG.

(quote as of December 2018).

In general, the most plausible scams are:
-   Selling you an empty box (or nothing at all) on a fake website.
-   Selling you a legit product, but with the 24 mnemonic prefilled on the card (it should be blank).
-   Selling you a cloned similar device (I read a case or two some time ago where Trezor hardware wallets were cloned and sold through ebay or such. I do not though know the extent of this practice, and if it currently is still performed).

[seoincorporation]

This is a friendly reminder for every one in here that is planning to buy cold storage Ledger nano X, Ledger S, Trezor hardware and others. If you guys are going to buy hardware like these, make sure you buy it from the direct supplier or manufacturer. There are already some cases of stolen funds from the cold storage, and what does it mean?

It means that the cold storage is already opened, seed phrases are set up and save by someone who owned it first and would just apply as a seller to online markets like Amazon or Ebay. Then us, who wants to save little bit we tend to buy the items at the lower price than what it should be, the boxes are pretty easy to reseal again that it would look brand new as if nothing was tamper.

Or, if you guys already ordered one of these make sure that you factory reset it first before using. I wish this reminder of mine can help 

Thanks for the warning Sanugarid, i have read a lot about this kind of hardware wallets, but i like more the old school way, vanity gen and paper wallet. But i write because i have a couple of cuestions about this Cold Storages...

Can the users change the private keys at any time they want?
Can users load a secret key generated in vanitygen?

[o_e_l_e_o]

But i write because i have a couple of cuestions about this Cold Storages.

First of the, the terms cold storage and hardware wallets are not synonymous. Cold storage is essentially anything which keeps your private keys permanently offline. Permanently airgapped machines and paper wallets are the classical cold storage. Hardware wallets are kind of a semi-cold storage - although the private keys never leave the device, the device is still connected directly to a device with internet access, so they can't be thought of as true cold storage.

So to answer your questions:

Can the users change the private keys at any time they want?

With a hardware wallet, you can either "change" your private key by generating a new receiving address in the same wallet, by using a different passphrase to access a new set of wallets with the same seed phrase, or by resetting the device and generating a whole new seed altogether.

Can users load a secret key generated in vanitygen?

Not as far as I am aware. Certainly the major hardware wallets (Ledger, Trezor) only let you generate or restore from a seed phrase. You cannot import individual private keys or addresses.

[seoincorporation]

...
So to answer your questions:

Can the users change the private keys at any time they want?

With a hardware wallet, you can either "change" your private key by generating a new receiving address in the same wallet, by using a different passphrase to access a new set of wallets with the same seed phrase, or by resetting the device and generating a whole new seed altogether.

Can users load a secret key generated in vanitygen?

Not as far as I am aware. Certainly the major hardware wallets (Ledger, Trezor) only let you generate or restore from a seed phrase. You cannot import individual private keys or addresses.

Thanks for the information o_e_l_e_o, it would be nice if they implement a brain wallet feature with the option of save the address. But maybe that could be a new project.

As you say, bot are different things, so i should try to get one of those hardware wallets this year just to learn more about Bitcoin.

[o_e_l_e_o]

it would be nice if they implement a brain wallet feature with the option of save the address.

I think that's a bad idea.

The whole point of a hardware wallet is to create and store your keys in a secure manner. One of these things without the other is pointless. Creating keys securely and then storing them insecurely (such as in a web wallet) is obviously a bad idea, but so too is securely storing keys (such as on a hardware wallet) which have been created insecurely.

A brain wallet creates insecure keys. There is no two ways about it. Humans are bad at being random and bad at generating entropy. Tens of thousands of brain wallets have been brute forced and had their coins stolen. Nobody should be using a brain wallet. It doesn't matter if you store the keys to your brain wallet in the most secure method imaginable, as since they have been created insecurely, they will always be vulnerable.

[Lucius]

I've never heard of a hardware wallet arriving with hardware tampered with. Can you provide some examples?  We have of course heard of wallets arriving with printed seeds. Physical access after you've created your seed on it seems to have ways in but that's not a factor for most people.

I also didn't remember anyone confirm that he had received a hardware wallet with some modified components, and there are certainly at least two reasons why this does not happen. The first is that not everyone can do it, and it does require some technical knowledge and skill. The second reason is that such a modified hardware wallet can get in the hands of anyone, so the question is how much such a fraud is worth if someone buys such a device and puts $100 or less on it?

On the other hand, anyone can perform scam with a predefined seed - and there are quite enough naive people who are not even aware of their actions. There is always a chance when you buy used hardware devices, or those that are not purchased from authorized resellers that something is wrong with them - but the risk exists with completely legal purchase, it can be a corrupt employee, or anyone in the delivery chain.

While on the one hand it is very easy to check that the device is genuine (software check), if one chooses to check hardware integrity, it will mean that such a device will no longer be refundable or exchangeable. At least this is case with Ledger.

[o_e_l_e_o]

Second, you might learn to like second hand Ledgers.

I wouldn't recommend it, even if you consider that the user will reset the device before using it (which we know from previous successful attacks that many don't).

As discussed above, I'm also not aware of any successful attack where an attacker has managed to tamper with the physical hardware inside a Ledger device and steal the user's coins in that way, but that's not to say a potential attack doesn't exist and we simply aren't aware of it yet. It seems ridiculous to me to take such a risk to save yourself probably somewhere in the region of $20, for a device you are going to be using to secure hundreds or thousands of dollars worth of bitcoin.

I would only ever buy direct from the manufacturer.

[gentlemand]

I have two devices , one was bought directly from manufacturer while  the other (as back-up) - on the second hand market for the third of price. The "second hand"  was tuned up as described above.  Both have the same SEED + 25th  password  and manifest the same set of addresses when cope with particular crypto. I'm using them  alternately, so far so good.

A third of the price is only a difference of 30-50 bucks with certain devices. Though I'm not convinced the hardware tampering thing is a realistic risk I would still pay that to completely extinguish any doubt. You might one day be storing the equivalent of hundreds of thousands of dollars on there.

[KrisAlex18]

Great advise mate, always be wise when purchasing hardware wallet, do not buy it on some strangers who is offering smaller price of it because he might have it from stealing from other people. Always buy on the direct seller or some familiar store so you may assure yourself that you are using an original hardware wallet. Always be vigilant when doing some stuffs especially when it talks about cryptocurrency because there are so many people that might fool you.

If anybody is to buy a hardware wallet there are some things that he should do:


1. Buy it from a trusted source
2. Once received lookout if the product is not tampered
3. Look for it's serial key and check if the product is genuine
4. Reset the firmware and upgrade it
5. Consider using new seed phrases/keys by regenerating the keys at least 2-3 times

Great job, it seems like you are also using hardware wallet because you know what to do when someone buy's it. For all the beginners out there ayou may use this advise if you want.

[Cobo_Vault]

We have a solution to supply chain attacks we would like the community to know about because it uses the same cryptographic algorithm using in Bitcoin to make sure the Secure Element isn't bypassed when it gets to you (and you end up with private keys that someone else has access to).

This is how it works:

Each hardware wallet has a pair of public and private keys pre-installed in the Secure Element during manufacturing that is used solely for the purpose of Web Authentication. This pair of keys has nothing to do with the public and private master key pair generated from physical entropy by the Secure Element for the HD wallet during initialization of the device. We will call this pair of public and private keys Web Authentication keys.

The backend of the Web Authentication page is operated by a hardware security module (HSM) server, which is a highly secure cryptoprocessing service offered by AWS. Like a Secure Element, it also has a pair of public and private keys. Each device’s Secure Element knows the public key of the HSM server, while the HSM server knows that device’s Web Authentication public key.

On the Web Authentication page, you will be prompted to scan a QR code. This QR code is a random string of numbers generated by the HSM which has been encrypted with your device’s Web Authentication public key and then signed by the HSM’s private key. When you scan this QR code, your hardware wallet will first use the HSM’s public key to verify the HSM server’s signature of the message. This is to ensure that the QR code you are looking at is from the official Web Authentication page, and not the victim of a phishing scam.

The device will then use its Web Authentication private key to decrypt the message that was encrypted with its public key by the HSM server. This results in the 8 digits you are asked to enter into the Web Authentication page after scanning the QR code. The HSM system will then check to see whether the digits align with the original random string it generated. If Web Authentication fails, you will not want to use your device at all. A failure message indicates that either your device is not operating the Secure Element it was manufactured with, or that your device was swapped out for a counterfeit entirely.