How secure are the hardware wallet sold online in the market?

[_BlackStar]

I'm interested in knowing a little bit of information regarding the hacking vulnerabilities that online hardware wallet sellers are doing in the marketplace. It is natural to have good security as long as we use a hardware wallet to store some bitcoin. Can we find out the wallet has been manipulated by the seller by injecting a virus that is not detected by the user?

[1714026498]

1714026498

[1714026498]

1714026498

[DaveF]

Check out this post https://bitcointalk.org/index.php?topic=5321850.0
Although it does not cover all the possibilities it gives you an idea of what can happen.

The biggest vulnerabilities are still user mistakes, if you don't pay attention no matter how secure your wallet is it will not matter, and deliberate attacks against someone.
If someone knows you have 2500BTC sitting somewhere you are a much bigger target then someone who only has 0.1BTC
 
-Dave

[Lucius]

If you buy such devices directly from the manufacturer, then you reduce that risk to a minimum as you throw out intermediaries (resellers) from the supply chain. Yet there is still the possibility that someone may intercept the package, open it, and modify the firmware or hardware.

As for hardware integrity checking, what I do know is that Ledger has instructions for doing that, but also that this procedure means that the device can no longer be replaced in case of damage during the procedure. Also when installing the firmware Ledger checks to ensure the authenticity of the firmware as well as whether the device is genuine.

Apart from the possible modification of the hardware, the biggest danger is in the pre-configured devices, but because of that each device should be reset and re-initialized if we want to be completely safe.

[Pmalek]

Whatever hardware wallet you end up buying (if you do), just make sure you follow the official security documentation that tells you how to verify the software and hardware components of it.

But it is worrying that criminals have found ways to create identical devices with replacement chips that contain fake firmware. You wouldn't notice a physical difference if you compared it to a genuine device. But such a fake device has to communicate with a fake software as well. If you connected it to Ledger Live to install an app for your coin, it wouldn't be able to connect to Ledger servers.

[dkbit98]

Can we find out the wallet has been manipulated by the seller by injecting a virus that is not detected by the user?

You can't find that if anything like that exist in code if hardware wallets are closed source like ledger or safepal, that can have dormant and hidden backdoor or malware for years before activation,
in similar way like fbi created and sold fake privacy phones.
It is important that you always order hardware wallets only from official website or from authorized reseller, and after that follow instructions to Check Integrity of Hardware Wallets.
Fake devices can be sent to people when leaked database exist, like in case with ledger, so scammers can modify device like it happened recently:
https://bitcointalk.org/index.php?topic=5344317.0

[BlackHatCoiner]

Just like you should always verify the authenticity of an open-source software wallet, you should do it for a hardware wallet too. You must never download a software wallet, even open-source, outside its official site unless you've verified the binaries. Even if you've downloaded from the official site, you ought to verify the signature using the public key of the creator in case the website is temporarily compromised. The exact same thing happens with the firmware of the hardware wallets.

For instance, @Pmalek describes how to verify the downloaded version of a Ledger Live: https://bitcointalk.org/index.php?topic=5355418.0

[_BlackStar]

Just for your information, I haven't bought any wallet so far and only used electrum to store my bitcoin. My question above is a form of my doubts about the potential scams committed by online hardware wallet sellers in the marketplace. Even I don't know how to operate a wallet nowadays, so I think I should learn a lot about it.

The biggest vulnerabilities are still user mistakes, if you don't pay attention no matter how secure your wallet is it will not matter, and deliberate attacks against someone.

I read somewhere online that bitcoin has high security features if the user can do the right practices to secure it. This means that the fault is not with the bitcoin, but on the users themselves who fail to secure their bitcoin with proper practices.

Apart from the possible modification of the hardware, the biggest danger is in the pre-configured devices, but because of that each device should be reset and re-initialized if we want to be completely safe.

Resetting and reinstalling it, won't it break the functionality of the wallet itself, or won't it affect anything on the device and the device will return to factory settings?

Whatever hardware wallet you end up buying (if you do), just make sure you follow the official security documentation that tells you how to verify the software and hardware components of it.

I will buy it in the future, but I really have to learn it from now on. To verify, I hope I can find the correct toturial later.

You can't find that if anything like that exist in code if hardware wallets are closed source like ledger or safepal, that can have dormant and hidden backdoor or malware for years before activation,
in similar way like fbi created and sold fake privacy phones.
It is important that you always order hardware wallets only from official website or from authorized reseller, and after that follow instructions to Check Integrity of Hardware Wallets.
Fake devices can be sent to people when leaked database exist, like in case with ledger, so scammers can modify device like it happened recently:
https://bitcointalk.org/index.php?topic=5344317.0

That's a clear example of why I asked about potential online seller scams. Buying it from the official site would be the core solution to clear my doubts.

Just like you should always verify the authenticity of an open-source software wallet, you should do it for a hardware wallet too.

Thanks for reminding me, I'll start learning little by little before buying it.


Sorry I don't have anything to share with you for a helpful answer. But I see someone has given you enough for that. Thank you The Pharmacist.

[BlackHatCoiner]

I read somewhere online that bitcoin has high security features if the user can do the right practices to secure it. This means that the fault is not with the bitcoin, but on the users themselves who fail to secure their bitcoin with proper practices.

You almost eliminate them if you buy a hardware wallet. Basically, the folks who use non-custodial wallets such as electrum have a background behind this technology or have learnt the dangers when you, own, yourself Bitcoin[1]. Indeed, we must be aware of keyloggers, viruses or any other malicious application that may gain access to our private keys. Especially if the device isn't air gapped.


Good for you that you aren't buying before you understand how it works. Few do it. Once you download some softwares such as Bitcoin Core which is a bitcoin client (you're running a node), or Electrum that I mentioned above, you'll feel more familiar.

[1] Apparently, saying that you own bitcoins isn't sufficient anymore. It could bring confusion if you hold them into an exchange. Saying you own yourself may be clearer. 

[Pmalek]

I read somewhere online that bitcoin has high security features if the user can do the right practices to secure it. This means that the fault is not with the bitcoin, but on the users themselves who fail to secure their bitcoin with proper practices.

That's exactly right. The Bitcoin protocol does exactly what it's supposed to do. It's the end user who makes mistakes and then blames it on the coin, wallet, exchange, etc. When people suffer financial losses they call the features that bitcoin possesses weaknesses. But irreversibility is not a weakness. Those who are used to traditional banking don't understand that once your transaction is confirmed, that's it. There is no customer support to turn to to fix it or say you were hacked.

If you send coins to the wrong address - Bitcoin worked as advertised, it was you who made a mistake.
If you don't backup your seed properly or at all and you lose access to your coins - Bitcoin still functions the way it's supposed to. You just didn't do what was necessary to protect what you have.   
If you overpay the transaction fees by 500% - Bitcoin didn't scam. It did what you wanted it to do. 

Resetting and reinstalling it, won't it break the functionality of the wallet itself, or won't it affect anything on the device and the device will return to factory settings?

No, that just wipes the device clean and resets it to the state it was in when you first bought it. You can use multiple seed phrases with the same device if you wanted to. But it would be tiring having to recover different wallets from seed if you do that often.

I will buy it in the future, but I really have to learn it from now on. To verify, I hope I can find the correct toturial later.

A getting started guide would either come with the package or it will point you towards the correct link where you can read more about it.

[ranochigo]

Please do not purchase second-hand or used hardware wallets. It is possible for someone to modify the wallet physically that might not be immediately evident. Most hardware wallets are sealed and sold in tamper-proof bag and for a very good reason. It is possible for someone to fabricate something that could communicate in the same manner and be functionally the same, might be a bit difficult but it can still be possible.

Factory-reseting the device merely wipes the device but might not be sufficient to guarantee security. Considered it compromised if the tamper-proof bag(if any) has been tampered with. There isn't a very easy way to validate the authenticity of the wallet without cracking it open to inspect the PCBs and validate the firmware either.

Your wallets, if it is unmodified, are designed to only accept updates signed by the manufacturer. Assuming your device is guaranteed to not be tampered with and the signers are not compromised, then you should be fairly safe. I'll probably load up an update to make sure. There were cases of some lame social engineering techniques which tricked the user into using keys that were generated by the previous users. Just be aware of that.

[o_e_l_e_o]

Resetting and reinstalling it, won't it break the functionality of the wallet itself, or won't it affect anything on the device and the device will return to factory settings?

As Pmalek has said, resetting the device will simply wipe your data from it - it won't break the device. Note, however, that it does not necessarily reset it to "factory settings" or guarantee your safety. If an attacker has pre-initialized the device and set up a malicious seed phrase, then yes, resetting the device will wipe that and let you initialize it again from scratch. If, however, an attacker has been successful in swapping out some of the hardware or flashing their own malicious firmware, then resetting it will likely achieve nothing. The better thing to do is to update the device with firmware you have downloaded and verified.

There isn't a very easy way to validate the authenticity of the wallet without cracking it open to inspect the PCBs and validate the firmware either.

dkbit98 shared a video a little while ago in this post which shows someone replacing the chip in a hardware wallet with an identical looking chip which mounts itself as external storage with malware designed to steal seed phrases. You still have to be pretty naive to fall for it (since it involves running software and entering your seed phrase), but physically inspecting the hardware is not a completely reliable method.

[ranochigo]

dkbit98 shared a video a little while ago in this post which shows someone replacing the chip in a hardware wallet with an identical looking chip which mounts itself as external storage with malware designed to steal seed phrases. You still have to be pretty naive to fall for it (since it involves running software and entering your seed phrase), but physically inspecting the hardware is not a completely reliable method.

Ahh thanks! That's quite interesting indeed.

I wasn't aware of this for Ledger. To be fair, any process that requires you to open up your hardware wallet to inspect already compromises the integrity of it so i wouldn't recommend it regardless. I'm wondering if ColdCard's boot check with the LEDs can prevent scenarios like these.

[o_e_l_e_o]

I'm wondering if ColdCard's boot check with the LEDs can prevent scenarios like these.

My understanding of the ColdCard boot check (and please correct me if I'm wrong), is that the checksum is verified on the secure element itself, and the secure element controls the red/green LEDs directly. Given that, could an attacker not replace some hardware which would feed a fake checksum to the secure element for verification? Or they could simply decouple the LEDs from the secure element altogether?

As bitcoin gets more valuable and more popular, I'm sure we will start to see more and more advanced attacks.

[dkbit98]

Resetting and reinstalling it, won't it break the functionality of the wallet itself, or won't it affect anything on the device and the device will return to factory settings?

There is no way to return hardware wallet to exact factory settings, and chip memory could in theory still hold some of your old seed words.
If you want to be totally sure that there are no leftovers in your hardware wallet device you should first do a reset and then used good old tool called hammer and smash your device to pieces.
100% guaranteed nobody will be able to extract anything after this.

I'm wondering if ColdCard's boot check with the LEDs can prevent scenarios like these.

I don't think any boot check can prevent this but Coldcard now adds epoxy glue to it's components inside, so it's harder for anyone to replace chips.
Scammers can always try to do it or build their own cloned device with their components that also has epoxy, but this operation won't be cheap  

[DaveF]

I don't think any boot check can prevent this but Coldcard now adds epoxy glue to it's components inside, so it's harder for anyone to replace chips.
Scammers can always try to do it or build their own cloned device with their components that also has epoxy, but this operation won't be cheap  

Years ago, there was a company (nothing crypto related) that tried something years ago for tamer proofing security electronics like this.

It was a blob of one type of epoxy blob over the component, a piece of metal on top of it, then another different type of epoxy on top of that and on top a different piece of metal.

The theory was that with all the different characteristics of the metals & epoxy getting it off would do so much damage that tampering would be obvious. Didn't work. Just took longer to get it apart.

Which is why you need to secure your hardware wallet and know where it is all the time. A lot of people forget this rule. Because if a bad person has access to it for 5 minutes you are in a lot less trouble then if they have it for 5 weeks and you don't even notice.

-Dave




 

[ranochigo]

My understanding of the ColdCard boot check (and please correct me if I'm wrong), is that the checksum is verified on the secure element itself, and the secure element controls the red/green LEDs directly. Given that, could an attacker not replace some hardware which would feed a fake checksum to the secure element for verification? Or they could simply decouple the LEDs from the secure element altogether?

You can't feed a fake checksum, the pairing secret is also hashed and cross checked by the secure element.

I agree with both your assessment though. It isn't impossible to fool the users using methods like these which is also why most hardware wallets are either shipping with tamper evident bags or seals at the very least. Acquiring a second hand device just means that the user would be completely bypassing it.

[_BlackStar]

There is no way to return hardware wallet to exact factory settings, and chip memory could in theory still hold some of your old seed words.
If you want to be totally sure that there are no leftovers in your hardware wallet device you should first do a reset and then used good old tool called hammer and smash your device to pieces.
100% guaranteed nobody will be able to extract anything after this.

Seriously, I almost peed my pants when I read your best advice for getting 100% security out of a hardware wallet. LOL

As Pmalek has said, resetting the device will simply wipe your data from it - it won't break the device. Note, however, that it does not necessarily reset it to "factory settings" or guarantee your safety. If an attacker has pre-initialized the device and set up a malicious seed phrase, then yes, resetting the device will wipe that and let you initialize it again from scratch. If, however, an attacker has been successful in swapping out some of the hardware or flashing their own malicious firmware, then resetting it will likely achieve nothing. The better thing to do is to update the device with firmware you have downloaded and verified.

Your answer made me understand the steps better, it helped me enough to understand it quickly. Sorry that I'm still fairly new here to be still pretty dumb at understanding hardware wallets and how to deal with vulnerabilities to their security.

I'm glad to see all of you coming to this thread to help me understand vulnerabilities to fraudulent attempts by online hardware wallet sellers and how I can deal with them. In essence I can understand that there are always vulnerabilities to the security of our bitcoins even if we store them in a hardware wallet if we can't verify the authenticity and security of the over-the-counter devices online. The only way to avoid seller manipulation is to buy it from the official site, and that's the conclusion.

I will be glad if you all come back on another occasion in my other thread to answer and improve my knowledge about bitcoin, thank you all.

[Pmalek]

Hardware wallet usually have reseller though, for example Trezor mention their official reseller at https://trezor.io/resellers/. But obviously using official site is better option as long as they ship to your country and you could handle import paperwork/fee (if the shipping service doesn't do it for you).

I partially agree. Buying from the official site should be a bit safer. Although I don't think any official resellers are malicious and would attempt to modify the devices they receive. Anyways, it all boils down to trust. Do you trust those who manufacture the wallet, and if you do, do you also trust that they selected good partners to be their resellers, or you don't.

Whether or not to buy from the official site also depends on your location. Trezor is from the Czech Republic, so I assume they ship all their devices from there as well. If you are in Vietnam, Canada, UAE, or some other distant location, you might save some money on shipping by buying from a local reseller who might be just around the corner rather than shipping your product from a different continent. Some might say you shouldn't save money on security, but I still thin it's a valid point. 

[o_e_l_e_o]

Although I don't think any official resellers are malicious and would attempt to modify the devices they receive.

It's not so much that the company themselves are malicious, but rather that it adds in many more people who will handle your device before you receive it. If you buy directly from the manufacturer, then it gets wrapped up and shipped by the manufacturer, and provided no one en route opens your package, then the only other person to touch it is you. If you buy from a reseller, it goes from manufacturer to reseller, the reseller needs to unload them all from the truck, unpack the boxes they came in, process them through their inventory system, potentially package them back up for distribution to individual stores or reshipping locations (in which case you can repeat all the previous steps again), then either go on display in a store or get packaged for shipment to you. That's a lot of extra people in the supply chain. Sure, the reselling company may be entirely legit, but are you confident about every single one of those additional people they employ?

[20kevin20]

It's not so much that the company themselves are malicious, but rather that it adds in many more people who will handle your device before you receive it.

And then, the only advantage you really get is that in case customer data is leaked again, there's no way anyone would know yu specifically bought a HW from these resellers. Saving yourself from both situations of data leaks and intermediaries is so easy to do: order on a fake name at a PO box and there you go. Now you got a product coming straight from the manufacturer with no risks of your personal data leaking out. I think it's more efficient than going through resellers and so.