Check Integrity of Hardware Wallets

[dkbit98]

When you purchase a new hardware wallet device you don't expect to receive modified fake device with malicious code, but that is always possible as one of many Attack Vectors for Hardware Wallets.

Important thing is to order hardware wallets only from official website or official resellers , but you should do few more steps to verify integrity of hardware wallet, packaging and content inside, to avoid being scammed with fake device.

First follow the link Check if your Ledger wallet device is genuine and take a good look for content inside, recovery sheet paper should always be blank with space for 24 seed words.

Box for Ledger Nano S box is containing a wallet, cable, 3 paper cards, Getting started card, Did you notice card with blank Recovery sheets; keychain and a lanyard:



Box for Ledger Nano X box is containing a wallet, cable, 5 paper cards, Getting started card, Use, Care and Regulatory Statement; blank Recovery sheets, keychain and stickers:



You can also Check hardware integrity but last time I checked images of PCB boards on website, they didn't match the latest update and state on actual hardware device.


Trezor packaged their hardware wallets in such way that you must destroy the box to open it and use Trezor device, so it's very hard for scammers to repack and resale it, unless they make their own boxes.

Trezor packaging timeline is showing evolution of their boxes and they tried with various holographic seals that scammers easily made fake and sold as original, and In 2018 Trezor wrote an article to address fake devices and packages  

Trezor Model One is containing the wallet, cable, 2 Recovery seed cards and stickers:



Trezor Model T Box is containing the wallet, magnetic dock, cable, 2 Recovery seed cards and stickers:



You can check Unboxing page and Tamper-evident hologram to avoid fake devices.

If you have any doubt with hardware wallet you purchased, directly contact wallet manufacturers support and ask them to confirm if device is authentic.


ColdCard wallet is using several supply chain protections, like tamper-evident plastic bag with unique number matching the number onsecure element, they have clear plastic case and inside is filled with eopxy material that makes it much harder or remove chips and change anything inside.




Example of FAKE hardware wallet devices:
- Ledger fake device Warning!

[Pmalek]

Trezor packaging timeline is showing evolution of their boxes and they tried with various holographic seals that scammers easily made fake and sold as original, and In 2018 Trezor wrote an article to address fake devices and packages

The fact that holographic seals can easily be cloned is the reason that Ledger doesn't use any on their packages. If it hadn't been for their other security/privacy vulnerabilities, one could say that's the way to go.
There are also various ways to open a box or electronic gadget without damaging the holographic seal. Here is just one short video that explains how it can be done.

[bitmover]

Trezor packaging timeline is showing evolution of their boxes and they tried with various holographic seals that scammers easily made fake and sold as original, and In 2018 Trezor wrote an article to address fake devices and packages

The fact that holographic seals can easily be cloned is the reason that Ledger doesn't use any on their packages. If it hadn't been for their other security/privacy vulnerabilities, one could say that's the way to go.
There are also various ways to open a box or electronic gadget without damaging the holographic seal. Here is just one short video that explains how it can be done.

I saw this message when I bought mine, and it is also written in their website:

Anti-tamper seals
Ledger deliberately chooses not to use anti-tamper seals on its packaging. These seals are easy to counterfeit and can, therefore, be misleading. Rather, genuine Ledger devices contain a secure chip that prevents physical tampering: this provides stronger security than any sticker possibly could.
https://support.ledger.com/hc/en-us/articles/4404389367057-Check-if-the-device-is-genuine-?support=true

As those devices are not expensive, I think the most secure is to buy directly from ledger/trezor website. When you buy from any third party seller, you are "trusting" that this person did not physically altered the device.

All those hardware wallet have some vulnerabilities against physical attacks, so you are way more secure when buying straight from the manufacturer.

[dkbit98]

There are also various ways to open a box or electronic gadget without damaging the holographic seal. Here is just one short video that explains how it can be done.

Sure you can remove holographic seals without much problem, but trying to open those Trezor boxes without destroying them is almost impossible, and you have to experience it to know what I am talking about 
Than again, you can always create your own box that is near identical to original if you plan to scam someone with fake device.
 

All those hardware wallet have some vulnerabilities against physical attacks, so you are way more secure when buying straight from the manufacturer.

It's not going to fully protect you from this attacks as wallet is not directly delivered by manufacturers, but it is going through customs, crossing borders and exchanging hands.
Of course, buying from amazon, ebay or some unofficial reseller is always a much higher risk than buying from official website.

[SFR10]

@dkbit98
Great thread but why stop there and not expand it to cover other known hardware wallets?
Need help with an issue:

• Is it worth the risk to purchase a different brand of hardware wallet ^{[e.g. coolwallet, ledger hardware wallets]} from what the official reseller is known for ^{[local reseller of trezor hardware wallets]}?

[dkbit98]

Great thread but why stop there and not expand it to cover other known hardware wallets?

It's not easy to find this information for other hardware wallets, especially when you don't exactly own them, but everyone is welcome to contribute to this topic and post this info.

[DaveF]

ColdCard does a good job IMO of making sure that the unit you get has not been tampered with.
From their site https://coldcardwallet.com/ about 3/4 of the way down the page.

Supply Chain Protections

Getting an uncompromised product into your hands is a challenge:
Bag Number

First and foremost, we use a tamper-evident plastic bag to package the product. Each bag is unique and coded with a number. That "bag number" is written into the Coldcard's secure element as it's put into that bag. That value cannot be changed, and we ask your to verify the bag number when the Coldcard is powered-up for the first time at your location.
Clear Case

The clear plastic case on Coldcard is an important feature as well. There have been demonstrations of inserting custom hardware inside a competitor's hardware wallet to capture key-presses.
Epoxy Globs of Love

We cover the secure element, and other sensitive parts of the Coldcard with epoxy. This makes it harder to remove those chips, or change the wiring around them.

It has to be noted however, that if you are targeted by someone or some entity (government / business / whatever) none of this matters.
You can get bags or boxes made. You can get holograms duplicated. You can spin your custom hardware to get someone.

But, the cost involved is going to be so stupid high that unless you are sitting on a lot of BTC / crypto it's just not going to be worth it.

-Dave

[DaveF]

I was discussing some things with another member of the forum IRL about some of this stuff and since @dkbit98 started this I think it's kind of important to discuss in public.
If you watch enough TV or read enough news it's fairly evident that at times even people you trust a lot can steal from you. Friends / family / whatever.
Keep in mind HARDWARE WALLETS ARE NOT SECURE AGAINST THIS KIND OF THING.

The attacks that hardware wallets keep you safe against are, from the software side not having to worry about a virus / trojan on your PC and the like.
From the hardware side so long as you have a secure pin. You do not having to worry about someone getting a hold of your hardware wallet and getting all your BTC. Or getting your hardware wallet and taking it apart to get to some secure part of it to get to all your BTC

They do NOT prevent someone from the long con or attack. A 9 digit PIN is pointless for security if you enter it 40 times over a period of weeks in front of them.
Having your seed words in a very secure location is just as secure as writing them on the wall if someone has weeks and weeks if not months of time to search for where they are. Or if they know where they are, but you think it's secure, if they have unlimited (once again months and months) of time to gain access to them.

And so on.

You know your Trezor / ColdCard / Ledger was perfect when you took it out of the bag / box. Once it's out of it. That's on you.

-Dave

[dkbit98]

ColdCard does a good job IMO of making sure that the unit you get has not been tampered with.
From their site https://coldcardwallet.com/ about 3/4 of the way down the page.

Thanks, I updated the first post and added information about ColdCard, and I asked you because I know you said that you own this hardware wallet, so you can confirm if those things about number on bags and epoxy are true or not.

If you watch enough TV or read enough news it's fairly evident that at times even people you trust a lot can steal from you. Friends / family / whatever.

There are multiple point of attacks when you own crypto and hardware wallets, and those attacks can come from places you least expect them, like your friends and family.
That is why we have a saying in crypto Don't trust, verify and we can use multisig and passphrases as additional level of protection.

[Pmalek]

<Snip>

All those security measures wont help if the people producing and packaging the original devices become untrustworthy as we have seen in the Ledger/Shopify fiasco where rogue members of the support leaked or sold customer data and introduced backdoors into company databases. A genuine bag number wont help in that scenario.

Hardware tempering will be harder to recognize in the future. We have already seen examples by dkbit98 from a few weeks ago where an identical looking fake device was created with a modified chip inserted into it. Inspecting the hardware components doesn't do much in that case.

[DaveF]

<Snip>

All those security measures wont help if the people producing and packaging the original devices become untrustworthy as we have seen in the Ledger/Shopify fiasco where rogue members of the support leaked or sold customer data and introduced backdoors into company databases. A genuine bag number wont help in that scenario.

Hardware tempering will be harder to recognize in the future. We have already seen examples by dkbit98 from a few weeks ago where an identical looking fake device was created with a modified chip inserted into it. Inspecting the hardware components doesn't do much in that case.

True. What I would really like to see is one of these wallet manufacturers figure out a way to and then release a stand alone utility that verifies the the hardware you have came from them. This way you boot from the USB stick with the utility and plug in the wallet and get a legit or not answer.

Does not matter if your OS is compromised or not since you are not booting from it.

Again, if someone has that much access to your PC and the skill to do bios / hardware modifications, to the point of being able to fool a stand alone device. And the ability to make sure that you got the phony device. Then you are in trouble no matter what else you do.

-Dave