IRS now wants to Hack Hardware Wallets

[LoyceV]

Ledger is stupid enough and they are storing passphrase on their device combining it with PIN code, but Trezor is not storing passphrase anywhere and you can verify that because they are fully open source.

A simple but slightly expensive method would be to just shred and burn the Ledger each time you've entered the passphrase. When you need it again, you restore your seed and password a new device.
If you're hiding a few billions from the IRS that might be a small price to pay.

[1714056660]

1714056660

[1714056660]

1714056660

[1714056660]

1714056660

[ranochigo]

They don't even need to have access to hardware wallet factory and workers, and all they need is backdoor in closed source secure element chips like they are doing with smartphones and NDA would protect everyone.
That is why we need to have open source hardware wallets with open source secure elements to reduce risk as much as possible.

How do you audit the chips though? It can be open source but there is nothing you can possibly do if you can't verify that the chip follows the schematics exactly, evil maid attacks, etc. You would also lose some parts of the security; reason why most chips aren't open source is because they provide security through obscurity. Whether you can maintain a similar level of security with open source chips would probably be debatable.

[dkbit98]

A simple but slightly expensive method would be to just shred and burn the Ledger each time you've entered the passphrase.

Just microwave it

How do you audit the chips though? It can be open source but there is nothing you can possibly do if you can't verify that the chip follows the schematics exactly, evil maid attacks, etc. You would also lose some parts of the security; reason why most chips aren't open source is because they provide security through obscurity. Whether you can maintain a similar level of security with open source chips would probably be debatable.

Let's wait and see what Trezor devs will do with TropicSquare TASSIC project and $4m for making open source chip, and most users will probably never going to verify anything, but other developers will do it.
You can have evil made and other attacks with any device, but you will not be buying cat in a bag like you are doing with closed source chips that can have hidden Chinese or irs backdoors and you will never know it.

[int03h]

The US government is doing what I consider illegal to attack people's personal wallets. What am I going to do with my money now that I don't know much about the units that store cryptocurrencies? The wallets are only third-party entities that help store Bitcoin. Should I bring all my Bitcoins to a mixer or convert them to Monero?

[LoyceV]

Should I bring all my Bitcoins to a mixer or convert them to Monero?

That doesn't change a thing if the US government gets their hands on your hardware wallet.

[PrivacyG]

That doesn't change a thing if the US government gets their hands on your hardware wallet.

This is a fact and it unfortunately applies to almost any kind of hardware.  The US government has managed to plant at least one backdoor in most of the recent hardware available as customer-end products.  It would surprise me quite a bit if I knew they cannot get past an encrypted disk, for which reason even fully encrypted airgapped computers may not be the perfect solution to this type of abuse.

Best solution for this issue may still be paper.  It is undetectable by professional equipment and you can laminate and hide it just anywhere, as opposed to hardware wallets which may already have who-knows-what kind of flaws and backdoors inside them.  Since they have been specifically created with cryptocurrency cold storage as a purpose, expect anything and everything from them.  I am talking particularly about Ledger, as it has closed-source components inside.

Hide a seed on a piece of paper in two different locations and choose two other separate spots to hide the seed's very long, random passphrase at.  Should they ever get to own your piece of paper, they will find out it contains a balance of exactly zero Bitcoins inside.

-
Regards,
PrivacyG

[riiiiising]

Unless they store that too, but since you can use as many different passwords as you want, that must have a limitation.

Ledger is stupid enough and they are storing passphrase on their device combining it with PIN code, but Trezor is not storing passphrase anywhere and you can verify that because they are fully open source.

Lesson of the day: when you give up your freedom for safety, you lose both

They first take away all your freedom and lock you, than they offer you solution to make you free in future if you accept some new restrictions... sounds familiar?
Good thing is there are more and more people who are waking up and working for freedom and not against it.

It is sad to read this but they will make it happen and indeed a backdoor in hardware wallets being developed b the IRS themselves is a true threat. If you work at the IRS and you know how to get access to a specific type of wallet, what will keep you from abusing that knowledge when the opportunity coms up? That's a real issue

They don't even need to have access to hardware wallet factory and workers, and all they need is backdoor in closed source secure element chips like they are doing with smartphones and NDA would protect everyone.
That is why we need to have open source hardware wallets with open source secure elements to reduce risk as much as possible.

Yes but brings up the next problem: all users have to be equally educated about which wallet to use and why. If there are people using a hardware wallet who interact with those using an open source secure wallet both parties are exposed. In a sense you would have to ask the other party if she sends the Bitcoin from an open source wallet or else you refrain from transacting with each other. The hard part is to get all users develop the understanding of the advantageous of open source wallets. Frankly speaking, is that even possible?

[dkbit98]

This is a fact and it unfortunately applies to almost any kind of hardware.  The US government has managed to plant at least one backdoor in most of the recent hardware available as customer-end products.  It would surprise me quite a bit if I knew they cannot get past an encrypted disk, for which reason even fully encrypted airgapped computers may not be the perfect solution to this type of abuse.

You still need to use paper or metal plate even for hardware wallets because this devices worth nothing without your backup phrase.
Airgapped computers are not the best solution for most of the people and average tiktok generation with short attention span, and they can also have even more backdoors, because they have more chips and other electronic parts, including more complex operating system.
I have nothing against airgap and all options are viable and possible but masses want something simple and shewed up.

[zanezane]

The US government is doing what I consider illegal to attack people's personal wallets. What am I going to do with my money now that I don't know much about the units that store cryptocurrencies? The wallets are only third-party entities that help store Bitcoin. Should I bring all my Bitcoins to a mixer or convert them to Monero?

As if that's a new thing, they have been spying on their citizens remember? They also have been instilling dictatorship in third-world countries for a long time, have a lot of black sites to torture prisoners and innocent people, and hacking hardware wallets of their citizens is just a walk in the park compared to all that they did so no surprises there. If it ever comes to that point, you better hide your HW somewhere like a drug trafficker.

[PrivacyG]

You still need to use paper or metal plate even for hardware wallets because this devices worth nothing without your backup phrase. (..)

Very true.  However, the closed-source components may store basic yet crucial information about your hardware wallet such as passphrases and seeds.  Paper wallets do not have a memory to store sensitive information on without your knowledge.  In consequence, a backdoor-enabled device may enable a security agent to see what a paper wallet would not be able to show.

-
Regards,
PrivacyG

[dkbit98]

Very true.  However, the closed-source components may store basic yet crucial information about your hardware wallet such as passphrases and seeds.  Paper wallets do not have a memory to store sensitive information on without your knowledge.  In consequence, a backdoor-enabled device may enable a security agent to see what a paper wallet would not be able to show.

FYI all chips in your airgap computer are closed source, they can have backdoors, and you still need to import paper wallet at some point of time or take it with you in your grave and afterlife.

Trezor HW is open source, they are not storing passphrases anywhere, and they are actively working on open source secure element for their next generation hardware wallet.

[LoyceV]

FYI all chips in your airgap computer are closed source, they can have backdoors, and you still need to import paper wallet at some point of time or take it with you in your grave and afterlife.

The proper way to spend funds from a paper wallet is by creating a transaction, and signing it offline. If you're truely paranoid you can verify the signed transaction with different software on a different offline computer before broadcasting. If you're worried about hardware backdoors: you can probably find a computer older than Bitcoin for a few bucks on Craigslist.

[PrivacyG]

FYI all chips in your airgap computer are closed source, they can have backdoors, and you still need to import paper wallet at some point of time or take it with you in your grave and afterlife.

Trezor HW is open source, they are not storing passphrases anywhere, and they are actively working on open source secure element for their next generation hardware wallet.

I was particularly talking about Ledger, see one of my previous posts:

(..) Since they have been specifically created with cryptocurrency cold storage as a purpose, expect anything and everything from them.  I am talking particularly about Ledger, as it has closed-source components inside. (..)

Moreover, the previously mentioned issue does not apply in the case of importing paper wallets.  IRS wants to unlock your hardware wallet after getting their hands on it.  They want to either alter your device or have backdoors in order to get to your keys.

As a result, encrypted paper wallets are way more safe than hardware wallets as long as the passphrase(s) are stored securely.  You cannot alter a paper in an attempt to get a passphrase out of it that does not exist.  In consequence, getting their hands on your paper wallet will be in vain.

Upon importing the seed or private key, its safety depends solely on the user's behavior.  Main threat implies a closed-source piece of hardware storing a seed and passphrases.  A paper wallet combined with a legitimate open-source hardware wallet like Trezor is definitely the best combo for hardware cold storage today.

-
Regards,
PrivacyG

[leea-1334]

This makes it now even more and more important to trust only open source wallets,,, and also as much as possible all the Ledgers and Trezors you ever bought, if you used your personal details you can be sure their databases are not only now vulnerable to hacker attacks (as we have already seen happen) but also to government requests.

[riiiiising]

This makes it now even more and more important to trust only open source wallets,,, and also as much as possible all the Ledgers and Trezors you ever bought, if you used your personal details you can be sure their databases are not only now vulnerable to hacker attacks (as we have already seen happen) but also to government requests.

Old Trezors may also become obsolete or need updates. Don't forget that these state led agencies also buy hidden stakes in these companies. We may not even get to know if an organization like the CIA or NSA is involved in any particular way when it comes to hardware wallets.

[dkbit98]

I was particularly talking about Ledger, see one of my previous posts

Yes I know about ledger and they are my biggest concern for hardware wallets along with safepal hardware wallet who is even more shady and they can easily have some hidden chinese backdoor.

Moreover, the previously mentioned issue does not apply in the case of importing paper wallets.  IRS wants to unlock your hardware wallet after getting their hands on it.  They want to either alter your device or have backdoors in order to get to your keys.

Let's imagine scenario of some government agency busting your home and finding hardware wallet and your paper wallet that are not connected with each other.
What do you think would be easier way for them to confiscate your coins, from paper wallet or hardware wallet?
They don't need to hack paper wallet but they already have private key written on it.

A paper wallet combined with a legitimate open-source hardware wallet like Trezor is definitely the best combo for hardware cold storage today.

I would agree with this and maybe this is not the perfect solution, but it is most simple for average users.

[PrivacyG]

(..) What do you think would be easier way for them to confiscate your coins, from paper wallet or hardware wallet?
They don't need to hack paper wallet but they already have private key written on it. (..)

To be completely honest with you, I think it would be easier for them to confiscate coins from a hardware wallet IF the paper wallet has a strong enough password.  One requires brute forcing, the other may require only a coding or hardware flaw.

Moreover, an initialized hardware wallet hints out that it contains a seed inside.  If a professional finds your initialized hardware, they will most likely think it is not an empty seed.  Otherwise, you would have not owned a hardware wallet in the first place.  Therefore, spending resources to crack it may be worth it.  A seed printed or hand-written on a paper that retrieves an empty balance without the proper passphrase gives absolutely zero hints that it may have a balance inside.

I am not sure there is a limit on the number of characters a passphrase could have.  However, you can only imagine how long a 70-char random passphrase brute forcing has to take.  After enough time spent trying to brute force it, I think it is likely they will give up.

I wonder, is it absolutely impossible that even an open-source hardware wallet does NOT temporarily store a passphrase inside its memory that may be retrievable if a weak security point is found through physical tampering?  I reckon getting the right strong password of a paper wallet is a harder job.

-
Regards,
PrivacyG

[leea-1334]

Old Trezors may also become obsolete or need updates. Don't forget that these state led agencies also buy hidden stakes in these companies. We may not even get to know if an organization like the CIA or NSA is involved in any particular way when it comes to hardware wallets.

Some hidden and some not so hidden. All these states ask banks to look at the underlying companies who own money transactions but the truth is there is a lot of "good states" who are as dark as the non-state rogue actors.

If we think Ledger and Trezor etc do not already share our data directly,,, we are such fools:)

[Kittygalore]

This makes it now even more and more important to trust only open source wallets,,, and also as much as possible all the Ledgers and Trezors you ever bought, if you used your personal details you can be sure their databases are not only now vulnerable to hacker attacks (as we have already seen happen) but also to government requests.

I wouldn't worry too much about it at this point because if you think about it, the government probably has all the information needed to control and spy on you already, even before your introduction to cryptocurrency so no point worrying, they won't probably go rogue suddenly if you are living in a first world country.

[Welsh]

It's disgusting that the state are that desperate to know everyone's worth that they stoop down to such low levels to find it. Attempting to crack wallets without permission, is something a "normal" person would likely go to prison for.

This doesn't only just apply to closed sourced software, though. Open source hardware wallets now need to be monitored more frequently for changes in code, since they could try, and sneak something in without anyone noticing. We shouldn't be complacent, and trust something just because its open source.

the irs doesnt need private keys or the seed to achieve their main objective; all the need is a list of addy you control. at that point they have all the info they need as they can then monitor those addys.

Yeah, I don't believe that they intend to take anything, unless they can lawfully take it by coming to the conclusion that someone hasn't declared the correct amount of tax.

Cracking seed phrases? Are they insane, simple word, it's robbery.

I guess it's only robbery if they actually take anything. Their intentions might be to try, and break in, and determine whether someone has been paying the correct amount of tax or just general surveillance, because as we know from the Snowden leaks they love to monitor pretty much everything that they can, and they don't mind breaking some laws to do that.

I wouldn't worry too much about it at this point because if you think about it, the government probably has all the information needed to control and spy on you already, even before your introduction to cryptocurrency so no point worrying, they won't probably go rogue suddenly if you are living in a first world country.

Absolutely, if someone has evaded the government completely then I would be extremely impressed. Since, our world revolves around using mega companies such as Google, Facebook, and other Monopolies its just easy for them to gain access. I believe there was several USA phone service providers who were sharing data with the government, and that was also exposed by Snowden.