How secure are the hardware wallet sold online in the market?

[PrimeNumber7]

Please do not purchase second-hand or used hardware wallets. It is possible for someone to modify the wallet physically that might not be immediately evident. Most hardware wallets are sealed and sold in tamper-proof bag and for a very good reason. It is possible for someone to fabricate something that could communicate in the same manner and be functionally the same, might be a bit difficult but it can still be possible.

I would go a step further and say that someone could replicate a HW wallet, but use entirely different equipment and firmware. A reseller could purchase their own tamper-proofevident bags/seals to make it appear the HW wallet came from the stated manufacturer. The fake HW wallet may look very similar to HW wallets produced by the claimed manufacturer and may interact with wallet software the same way.

My understanding of the ColdCard boot check (and please correct me if I'm wrong), is that the checksum is verified on the secure element itself, and the secure element controls the red/green LEDs directly. Given that, could an attacker not replace some hardware which would feed a fake checksum to the secure element for verification? Or they could simply decouple the LEDs from the secure element altogether?

You can't feed a fake checksum, the pairing secret is also hashed and cross checked by the secure element.

An attacker would not need to fake the checksum. An adversary could simply produce a device that looks for a different checksum.

[Pmalek]

I would go a step further and say that someone could replicate a HW wallet, but use entirely different equipment and firmware. A reseller could purchase their own tamper-proofevident bags/seals to make it appear the HW wallet came from the stated manufacturer. The fake HW wallet may look very similar to HW wallets produced by the claimed manufacturer and may interact with wallet software the same way.

This can also happen if your purchase hardware wallets from the official manufacturers. The chances are lower but all it takes is 1 or 2 rogue employees. The same kind of rogue employees that leaked or backdoored the databases of Ledger and Shopify and created a lot of mess because of it. I agree with you and o_e_l_e_o though. The more people that are in contact with the device, the bigger the chance that something bad can happen. Rogue employees are a serious threat model. I think we don't understand how big.

[o_e_l_e_o]

A reseller could purchase their own tamper-proofevident bags/seals to make it appear the HW wallet came from the stated manufacturer.

I have never understood people's faith in tamper-proof sticks, seals, bags, boxes, or whatever. These are incredibly easy to fake. Hell, I can go on Amazon and buy 500 generic tamper proof stickers for 20 bucks. There are hundreds of companies which will create custom designs for you for not that much more. And if an attacker is sophisticated enough to either replace a chip inside a hardware wallet or build a fake replica from scratch, why would they not be sophisticated enough to fake a tiny sticker?

Rogue employees are a serious threat model. I think we don't understand how big.

Unless you have a build-it-yourself hardware wallet with open source hardware and open source firmware running open source software on your attached computer, then the risk will never be zero, regardless of how many checks and verifications the wallet goes through. It's part of the reason I'm moving more and more towards encrypted cold storage devices instead as time goes on.

[PrimeNumber7]

A reseller could purchase their own tamper-proofevident bags/seals to make it appear the HW wallet came from the stated manufacturer.

I have never understood people's faith in tamper-proof sticks, seals, bags, boxes, or whatever. These are incredibly easy to fake. Hell, I can go on Amazon and buy 500 generic tamper proof stickers for 20 bucks. There are hundreds of companies which will create custom designs for you for not that much more. And if an attacker is sophisticated enough to either replace a chip inside a hardware wallet or build a fake replica from scratch, why would they not be sophisticated enough to fake a tiny sticker?

There mere presence of a tamper-evident seal means very little. The presence of a tamper-evident seal provides more value when the person checking for the seal is familiar with the seal, what it should look like unbroken, and what it should look like broken. They provide additional value when there is a serial number on the seal that needs to match some kind of log that was received separately.

There is less security added when someone is receiving an item on a one-time basis that has a tamper-evident seal. As you noted, these can be faked, I don't think it is as trivial as you say, but it is probably not terribly difficult for a sophisticated attacker. I would say that using a security sticker is probably better than not using one, and I don't think there is much more that can be done to ensure the HW wallet is not tampered with.

[o_e_l_e_o]

The presence of a tamper-evident seal provides more value when the person checking for the seal is familiar with the seal, what it should look like unbroken, and what it should look like broken.

Sure, but as you say, almost everyone buying a hardware wallet is going to be unfamiliar with the exact design of the seal being used. Any documents put inside the box showing what the seal should look like or linking to a webpage showing what the seal should look like can also be manipulated by an attacker.

They provide additional value when there is a serial number on the seal that needs to match some kind of log that was received separately.

This is a good idea. Are there any hardware wallet providers which do this? Although it still doesn't stop an attacker who can print their own tamper proof seals from intercepting your package, manipulating your hardware wallet, and then immediately printing and attaching an identical seal.

[PrimeNumber7]

They provide additional value when there is a serial number on the seal that needs to match some kind of log that was received separately.

This is a good idea. Are there any hardware wallet providers which do this? Although it still doesn't stop an attacker who can print their own tamper proof seals from intercepting your package, manipulating your hardware wallet, and then immediately printing and attaching an identical seal.

I don't think so. I was describing a common practice that some banks use when shipping cash.

I don't think it is trivial to print or print on a tamper-evident seal. Although as I previously posted, it is probably not difficult to procure a tamper-evident seal that looks a particular way. This means the attacker would need to have the specific serial number in advance or order a particular serial number seal after he obtains possession of the HW wallet.

The advantage of using a serial number seal is that an attacker will need to take additional time to forge the seal. The delay should set off red flags to the end-user.

*I also specifically use the term "tamper-evident" not "tamper-proof" as these types of devices cannot guarantee they have not been tampered with, and it is possible to defeat the device.

[Kakmakr]

You are saying ..."sold online in the market" ..so I presume that you are referring to second hand hardware wallets? The new hardware wallets that you buy directly from the hardware manufacturer are safe, but you have to check if the hardware wallet was tampered with in transit to you.

The second hand hardware wallets that are being sold online (as new) should NEVER be trusted, because the previous owner had access to the Seed and can easily monitor the wallet to see if coins are being stored on it and then he/she can use that Seed to steal those coins from you... (common scam)

They seal the package as if it was sealed at the manufacturer, so you will think that it is new. They will say something like.. "Won in a raffle, brand new"... etc.. etc.  

[Pmalek]

The second hand hardware wallets that are being sold online (as new) should NEVER be trusted, because the previous owner had access to the Seed and can easily monitor the wallet to see if coins are being stored on it and then he/she can use that Seed to steal those coins from you... (common scam)

You should never trust a hardware wallet that is shipped to you with an already pre-configured seed no matter where it comes from. If that is the case, the wallet should be reset to factory settings and you have to create a new seed. Unless the hardware was also manipulated and you are tricked into using a fake phishing software, that device shouldn't be able to connect to genuine Ledger/Trezor software, for example.   

[HCP]

I doubt I would trust any "second hand" hardware wallet... configured with a seed or not. Unless you're willing to crack it open and inspect the hardware (and there are sources available to indicate whether it has been tampered with) and you can reflash the entire firmware, one could never be sure exactly whether or not the unit had been modified in some way.

I think i'd be approaching Jerry levels of paranoia if I purchased a 2nd hand hardware wallet!

[Lucius]

I think i'd be approaching Jerry levels of paranoia if I purchased a 2nd hand hardware wallet!

You can try, but he is still in a separate category that hardly anyone can achieve - although I would not call it just paranoia, there is much more to it...

The new hardware wallets that you buy directly from the hardware manufacturer are safe, but you have to check if the hardware wallet was tampered with in transit to you.

Define safe? It doesn't have to be that someone in the supply chain was naughty, the device can be messed up even in the company's factory or warehouse. In addition, it is not realistic to expect users to open devices and check hardware without doing even more damage, not to mention that this procedure voids the warranty. I think it has become a bit naive today to keep all the eggs in the same basket, referring to the fact that one should not trust one producer unreservedly regardless of reputation.

What to say with those who want to save a few $ and buy a used HW or a new one from the black market and then fall for the cheap trick of pre-generated seed? Unfortunately, nothing can save them from their own stupidity, their loss is someone's gain, cruel but true.

[DaveF]

Non wallet but...Years ago, we used to receive security dongles that were vacuum packed with custom plastic with a serial number. Inside there was a dongle and a scratch off card. The card had 3 numbers on it.
#1 was the serial number of the bag

#2 was was a code that had to be entered to activate the dongle. Once that code was entered in the dongle it never needed it again so you knew if someone got it and activated it.

#3 was one you could enter online that would then display a 6 digit number there were some button pushes you would do on the dongle and if it was not tampered with should display that same number.

No idea how secure it really was, but it did give you that warm feeling that they were trying.

-Dave