AirGapped Hardware Wallets

[dkbit98]

AirGapped devices by definition are never directly connected to internet or to any other devices that are connected to the internet.
However, most devices including computers and hardware wallets still have USB connections and that is the easiest way to breach airgapped machine, but not the only one.
Airgap malware exist today that are using acoustic or other type of signaling like light, magnetic, thermal or radio frequency, so we know that AirGapped devices are not providing perfect protection.

Hardware wallets are never directly connected to the internet and most of them are using USB connection with secure device-to-device FIDO protocol,
but if we want better protection we should look for True Airgapped wallets, and remove any USB connection with computer.
There are currently only a few Airgapped hardware wallets, but I expect this trend will grow in near future with better devices and better protection.
Always choose Open Source and tested hardware wallets.

Airgapped Hardware wallets:

• Keystone
• Coldcard
• Passport
• Jade (soon)
• Safepal
• Ellipal
• Ngrave

- Safepal is closed source, claims it is airgapped, but you need to connect it with USB cable for every update.
- Ellipal is closed source.
- Ngrave is unknown source (they plan to be mostly open source)

DIY Airgapped Hardware wallets:

• Specter DIY Wallet
• SeedSigner DIY Wallet*
• Krux DIY Wallet*

* Signing Device

Most of this wallets are communicating with QR codes or SD cards and they have their own flaws.
Nothing is perfect so do your own research before using any of this wallets.

[1714977660]

1714977660

[Charles-Tim]

Hardware wallets are never directly connected to the internet and most of them are using USB connection with secure device-to-device FIDO protocol,
but if we want better protection we should look for True Airgapped wallets, and remove any USB connection with computer.

I think we need to define what airgapped devices are.

For example, I can set up Electrum airgapped device and be using its watch-only wallet to connect to it through QR code or USB stick, that does not mean it is not airgapped.

I know you are trying to bring up something but making use of airgapped may not be appropriate.

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely seperate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proves.

Only the malware I know that can attack reputed hardware wallet this way are clipboard or QR code malware which can change recipient's address to hacker's address while making transaction. The reason we should make sure we protect our hardware wallet extension that we use to operate it from malware, also checking and rechecking the bitcoin address we are sending bitcoin to.

Reputed hardware wallets like Trezor and Ledger Nano are airgapped too, but I understood what you meant, but airgapped should not be the appropriate term.

[dkbit98]

OMG...

I think we need to define what airgapped devices are.

No we don't, because I defined them in first few sentences.

I know you are trying to bring up something but making use of airgapped may not be appropriate.

Sorry but you have zero authority to talk anything about airgapped devices.

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely seperate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proves.

Have you actually read what I wrote before or you just blabing like this without any sence?
I literally said they are using secure USB over FIDO protocol so no need to repeat like a parrot.

Reputed hardware wallets like Trezor and Ledger Nano are airgapped too, but I understood what you meant, but airgapped should not be the appropriate term.

No they are not trully airgapped and even those manufacturers don't claim that, but maybe you can teach them better  

[RapTarX]

According to the website, coldcard is only for bitcoin. Don't it require any upgrade? For instance; supporting LN may require an upgrade? I'm not sure though.
In case of Safepal, upgrade is optional. You can still go with current one all the time but that wouldn’t give you the benefit of using the latest coin edition in wallet. Other than that, that's okay to use as airgapped wallet. I haven’t use it yet but seen one review in youtube and seems fine as it doesn’t require you to be connected with any other device directly.

[bitmover]

I think we need to define what airgapped devices are.

AirGapped devices by definition are never directly connected to internet or to any other devices that are connected to the internet.

I think this definition is quite accurate. I looked on wikipedia and found this:

Air gap (networking)
From Wikipedia, the free encyclopedia
Jump to navigationJump to search
An air gap, air wall, air gapping[1] or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.[2] It means a computer or network has no network interfaces connected to other networks,[3][4] with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.

https://en.wikipedia.org/wiki/Air_gap_(networking)

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely seperate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proves.

I tend to agree with this, but I am not an specialist.

I was reading ledger website, and I found this:

Hardware wallets are not connected to the Internet when they plug into a smartphone or computer, meaning that they do not share or communicate any critical information to the machine out of an abundance of caution. The same goes for hardware wallets that connect to smartphones. Hardware wallet devices are physically secured
from both the public internet and unsecured local area networks.

Looks like Ledger and Trezor are airgapped.

On the other hand, is it true that removing USD we really achieve an extra protection? are people safer using Cold Wallet than using Ledger Nano or Trezor? I don't know, and I have never heard such claim before, this is new to me. I am currently satisfied with my ledger, AFAIK.


It is also true that you insert a Ledger and Trezor into an infected computer that the virus will be unable to extract your private keys (ofc you shouldn't do that on purpose). You can see this comment from Trezor team on Reddit:

-johoe
·
3y
Distinguished Expert
You shouldn't use a known infected machine, but the Trezor is designed to keep your keys safe. However, make sure you always keep your firmware updated; there is a known bug in previous firmware <= 1.5.2 that is exploitable by malware (and maybe the bug in 1.6.1 is also exploitable).
https://www.reddit.com/r/TREZOR/comments/987jri/using_trezor_with_infected_machine/

[n0nce]

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely seperate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proves.

EVERYONE in the field refers to a device that is plugged via USB as non-airgapped. You may define your definitions however you want or even start a discussion, but this won't change the commonly accepted terminology.

As for the malware examples; not sure whether there was an attack already, but if there was none so far, it's easy to understand how the attack surface is smaller when you're not physically attached but merely exchange QR codes. Also just because an attack was not carried out yet, doesn't mean it's not possible. That's why we migrate to secure encryption schemes before quantum computing is able to break RSA and not after it will have happened, for example.^{in case it's not clear, airgap has nothing to do with quantum computing or breaking asymmetric encryption}

Looks like Ledger and Trezor are airgapped.

They're not, because they are connected to an online PC via USB directly. In theory, the communication protocol can be hacked and e.g. address be replaced before being sent to the device to be signed.

That's the whole point of air gap: a gap of air between your hardware wallet and your online device which publishes the signed transaction. This highly minimizes the attack surface.

@dkbit98: thanks for this topic, I really enjoy these 'wallet lists'! Always great to have them bookmarked and check from time to time to see what's available.
Suggestion: add next to each device an info on the type of airgap it uses: QR/Cameras, SD cards, etc.... (not sure of other ways).

For me, it seems way better to have the QR Code + camera way because on one hand I feel plugging an SD card in, bears potential risk as well (see viruses that spread via USB sticks..) and also because if you have a QR + camera type wallet, you can use it with any PC or phone which has a webcam. This is one limitation of USB wallets that really bugs me; they don't work on iOS. And I will certainly not use a HW wallet that communicates over Bluetooth either..

[Chikito]

Looks like Ledger and Trezor are airgapped.

Yes,

we can generate a wallet without being connected to the internet. With ledger nano s we can generate a wallet using power bank, but still, need a ledger Live application to download the Bitcoin aplication.

maybe Trezor is real air-gapped, with a new update, we can generate a wallet without using the internet (suite)

[Charles-Tim]

As for the malware examples; not sure whether there was an attack already, but if there was none so far, it's easy to understand how the attack surface is smaller when you're not physically attached but merely exchange QR codes.

I have read about QR code malware before which will be similar to clipboard malware, or is this type of malware not possible?

For me, it seems way better to have the QR Code + camera way because on one hand I feel plugging an SD card in, bears potential risk as well (see viruses that spread via USB sticks..)

This is what I am implying, what makes SD card special, can SD card not be attacked/affected also with malware?

Any report that the seed phrase of Trezor or Ledger Nano was revealed through malware? What signs transaction, it is the private key, the private key which is offline and remain offline and the hardware wallet is detachable from the computer that makes hardware wallet to be airgapped, hackers can not use their malware to reveal the seed phrase or private key even while making use of hardware wallet for signing, even if possible, no report of such yetr you can bring up proves that against this.

Do you think it is not important to be careful of a malware that can change recipient's address to a hacker address in which hackers address is what will be sent to the SD card or which will be in the QR code sent for signing?

[Pmalek]

maybe Trezor is real air-gapped, with a new update, we can generate a wallet without using the internet (suite)

That's now possible with the latest Trezor Suite and/or firmware, but Ledger still uses USB cables, which could represent a possible attack vector. You are still connecting your Trezor hardware wallet to an online computer through its USB port.

[o_e_l_e_o]

I have read about QR code malware before which will be similar to clipboard malware, or is this type of malware not possible?

Yes, it is possible. All a QR code does in the context of hardware wallets is to take an address or a transaction and encode it in a specific format which can be easily scanned by a camera. Any malware which can edit the information being encoded will result in a QR code being displayed which can potentially send all your coins to an attacker if you do not double check everything prior to signing and broadcasting. Further, you can still be a victim of clipboard malware on your internet connected device with any airgapped wallet, resulting in you pasting in an incorrect address before turning the unsigned transaction in to a QR code for your hardware wallet to scan.


Ledger and Trezor devices, when used in the "normal" manner, are not airgapped. But it is entirely possible to use them both in an airgapped manner by only connecting them to an airgapped computer, and using a separate online computer to run a watch only wallet. Although if you a have a secure, encrypted, properly airgapped computer anyway, then adding a hardware wallet on top of that might be a bit of overkill.

[dkbit98]

According to the website, coldcard is only for bitcoin. Don't it require any upgrade?

You can upgrade Coldcard with SD card but you are limited to mk version you are using.
They are now working on mk4 version, that would probably mean that you can't use that firmware on mk3 or mk2 Coldcard wallets.

For instance; supporting LN may require an upgrade?

Lightning Network is not supported on any hardware wallet, and I doubt it will be supported any time soon.

In case of Safepal, upgrade is optional.

Safepal is cheap Chinese closed source junk and I would never use it for anything.
Simple checking of firmware changelog I can see bunch of important PIN and security changes, meaning you have to upgrade to use it:
https://safepalsupport.zendesk.com/hc/en-us/articles/360047263792

Looks like Ledger and Trezor are airgapped.

They are not true airgapped devices, otherwise both of this manufacturers would write huge bragging AIR-GAPPED letters on their website, especially those amateurs from French village.
If there is USB connection there is always a chance of some leak or using malware cables that are connecting to computer with internet connection.

Suggestion: add next to each device an info on the type of airgap it uses: QR/Cameras, SD cards, etc.... (not sure of other ways).

Thanks, that is a good idea.
I think QR codes are better for security, but NOT if you are using some mambo jambo hidden QR codes like Safepal is doing.

[n0nce]

For instance; supporting LN may require an upgrade?

Lightning Network is not supported on any hardware wallet, and I doubt it will be supported any time soon.

Yes, because it makes no sense; a hardware wallet is by definition an offline device that is only connected to a PC (or not - in case of airgapped wallets..) when it's needed.
However, a lightning node needs to always be able to sign transactions if it wants to route payments, so it would need a constant access to the hardware wallet. This is why it doesn't make much sense to support LN with a hardware wallet. Also, if you use a passphrase ^{(to use it or not, is a whole different topic)} you would need to enter it multiple times a day: every time a payment shall be routed.

If there is USB connection there is always a chance of some leak or using malware cables that are connecting to computer with internet connection.

This reminds me of the O.MG Cable.. 
I mean yeah, you can replace QR codes on the host just as you can replace the data packets sent via USB to a non-airgapped wallet, but that's just one attack vector on the USB connection of hardware wallets.

Suggestion: add next to each device an info on the type of airgap it uses: QR/Cameras, SD cards, etc.... (not sure of other ways).

Thanks, that is a good idea.
I think QR codes are better for security, but NOT if you are using some mambo jambo hidden QR codes like Safepal is doing.

I fully agree!!

[PrimeNumber7]

QR codes

When you communicate via QR codes, you are essentially using an image to send information to another device instead of using a USB cable. Unlike a USB cable, a QR code will transmit data at a much lower frequency, and the data will only be transmitted at your specific request.

While more difficult, it is possible to transmit malware via a QR code. Such malware would likely be targeted at you specifically. Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.

A Hardware wallet such as a trezor for example offers much better security against malware. There are some potential security concerns with a trezor if an adversary were to have physical access to the device, but most people are more vulnerable to a $5 wrench attack, IMO.

[Charles-Tim]

If there is USB connection there is always a chance of some leak or using malware cables that are connecting to computer with internet connection.

Do no mind my post. There is a malware which is very similar or the same as clipboard malware which is QR code malware, this type of malware can be rear but yet possible. The malware originate from the wallet software used to operate hardware wallet which would have changed the original transaction to a hacker's transaction in which the address would have changed to a hacker's address.

That was why I asked the question that the type of malware I know that is able to penetrate hardware wallet like Trezor and Ledger Nano through the USB stick are the clipboard malware which makes the seed phrase yet not to be revealed to the hackers because it is completely offline, but recipient address can be changed to a hacker's address through clipboard malware.

It would highly be appreciated if you can give us more breakdown of what you meant, when it is claimed that the seed phrase is completely offline while only clipboard malware is most possible which is also possible while using the QR code, then what disadvantage is the USB connection having again in relation to malware.

With what bitmover posted above with links, using USB connection, removable SD card and QR code to differentiate airgapped hardware wallet will always raise a debate. With what DroomieChikito posted and Pmalek answer to it that Trezor with Trezor firmware which is capable of generating keys and addresses even without depending on the wallet extension can also result to another debate.

I always gain from your hardware wallet's posts and you are very good in that area, but that does not mean everything you bring about hardware is what I will accept, while you can still correct me with proves.

[dkbit98]

Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.

That is only fantasy talking unless you can show me some proof of that ever happening, and there is no way that seed words or private key could be exposed with QR codes.

A Hardware wallet such as a trezor for example offers much better security against malware. There are some potential security concerns with a trezor if an adversary were to have physical access to the device, but most people are more vulnerable to a $5 wrench attack, IMO.

Wrong.
Trezor wallet is fine for general use but it does not offer ''much better'' security against any malware, and it is inferior to any airgapped device, and this is not just my fantasy thinking.

There is a malware which is very similar or the same as clipboard malware which is QR code malware, this type of malware can be rear but yet possible.

Please show me one example for this QR malware, because I see you know a lot about this subject  
Stop telling me that QR codes are not perfect, in first post I explained that all airgapped devices have flaws and malware could exists for everything.
Use whatever wallet you want, and believe whatever you want.

[NeuroticFish]

While more difficult, it is possible to transmit malware via a QR code. Such malware would likely be targeted at you specifically. Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals

Well, for that the QR reading part of airgapped wallet software, the one that should read the QR and treat is as an unsigned transaction, for example, will have to treat it as executable. For that it should be incredibly badly written in the first place.
Really, that's greatly unrealistic.

[bitmover]

maybe Trezor is real air-gapped, with a new update, we can generate a wallet without using the internet (suite)

That's now possible with the latest Trezor Suite and/or firmware, but Ledger still uses USB cables, which could represent a possible attack vector. You are still connecting your Trezor hardware wallet to an online computer through its USB port.

But this is done with ledger nano as well.

You can recover and generate your wallet seed without using the internet.

You just need to download the software and then you can do everything offline. Looks like Trezor is similar, because you said you need the "new update"

PRIOR TO STARTING

You need 2 things to make your Nano S work :

a connected computer running Chrome browser, where you will install and run your wallets to manage your accounts, send and receive payments.
your Nano S with its USB cable to log in your Chrome applications and authenticate your transactions.
 
Configuration
The initialization doesn't need to be done online.

https://support.coinhouse.com/hc/en-gb/articles/115005119714-Getting-started-with-your-Ledger-Nano-S

[n0nce]

Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.

That is only fantasy talking unless you can show me some proof of that ever happening, and there is no way that seed words or private key could be exposed with QR codes.

Issue with QR code encoded malware is file size. A QR code offers extremely limited space, so it'd be super hard to transfer an actual piece of malware software - I'd dare to say impossible - over a single QR code. An input that leads to unexpected program behaviour? Maybe! It can be tried using fuzzing. You'd run the firmware in qemu, then pass it millions of codes per second and see if you can trigger some buffer overflow or similar. But that's not malware, at least in the definition of 'a piece of software that causes harm', because that just takes too much space to begin with.

By the way; a quite entertaining video about fitting a game into a QR code: https://www.youtube.com/watch?v=ExwqNreocpg
It's not so trivial to make any software, not to mention a sophisticated piece of malware, this compact.

A Hardware wallet such as a trezor for example offers much better security against malware. There are some potential security concerns with a trezor if an adversary were to have physical access to the device, but most people are more vulnerable to a $5 wrench attack, IMO.

Wrong.
Trezor wallet is fine for general use but it does not offer ''much better'' security against any malware, and it is inferior to any airgapped device, and this is not just my fantasy thinking.

One big issue I see with devices that use USB for firmware updates is that they have actually built-in mechanisms to replace the firmware via, well, USB. So that's already much easier for an attacker who likes to replace or modify the firmware with a malicious firmware (malware), because they can use the same 'gateway'. Any time you plug in your device, an attacker might try to exploit the update mechanism to change your firmware.

It would already be much better if non-airgapped devices that even have a microSD card slot already, used that for firmware updates exclusively and removed any code that allows to transfer firmware over USB. Since you don't update it so often, it wouldn't be a big inconvenience for the users and the attack surface would be greatly reduced..

Imagine: the device could be coded to reject anything sent over USB that is not a PSBT, so that would be already the first hurdle to overcome if one would like to try injecting or replacing the firmware when a user plugs in the device.

maybe Trezor is real air-gapped, with a new update, we can generate a wallet without using the internet (suite)

That's now possible with the latest Trezor Suite and/or firmware, but Ledger still uses USB cables, which could represent a possible attack vector. You are still connecting your Trezor hardware wallet to an online computer through its USB port.

But this is done with ledger nano as well.

You can recover and generate your wallet seed without using the internet.

That's not the definition of an air gap though. Actually, every hardware wallet generates wallet seed without using the internet. Otherwise it would be an extremely crappy device that should never be used by anyone. For sending a transaction, you need to connect the ledger to an online PC otherwise how do you publish it? In the case of air gapped wallets, you send the transaction over QR to the online device, so the wallet is never connected to an internet-connected machine.

[PrimeNumber7]

Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.

That is only fantasy talking unless you can show me some proof of that ever happening, and there is no way that seed words or private key could be exposed with QR codes.

A seed being exposed would be predicated by malware being transmitted to the airgapped machine. The seed could be then leaked via the signature of a transaction. For example, malware could direct the infected computer to use an R-value in a certain range if a particular word is part of a seed. The R-value could also leak where in the seed the particular word is by the R-value being in the i-th portion of the range if the seed word is the i-th word in the seed. One random word could be leaked in a transaction. Once enough transactions have been broadcast, the attacker would know all of the seed words, including the order. The attacker would need to monitor for approximately 5 * 10^4 R-values.

A Hardware wallet such as a trezor for example offers much better security against malware. There are some potential security concerns with a trezor if an adversary were to have physical access to the device, but most people are more vulnerable to a $5 wrench attack, IMO.

Wrong.
Trezor wallet is fine for general use but it does not offer ''much better'' security against any malware, and it is inferior to any airgapped device, and this is not just my fantasy thinking.

Are you aware of any instances in which a trezor was hacked via malware? (this would not include any attach involving physical access to the device). There is at least one example I am aware of involving an exchange that had it's air-gapped cold wallet hacked. Several years ago North Korea had what was presumably their air gapped computer involving one of their missles they were test launching hacked, although this may have involved physical access, I am not sure.

edit:

Issue with QR code encoded malware is file size. A QR code offers extremely limited space, so it'd be super hard to transfer an actual piece of malware software - I'd dare to say impossible - over a single QR code.

This is a fair point. Although I would not say it is impossible. A QR code can generally hold up to 3kb worth of data. Very few things in this world are "impossible".

[Charles-Tim]

Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.

That is only fantasy talking unless you can show me some proof of that ever happening, and there is no way that seed words or private key could be exposed with QR codes.

With reputed hardware wallets, I have heard that it is possible for QR code to be replaced with hacker's QR code, but not to the extent the seed phrase of such wallet will be revealed, but the initiated transaction to be signed can be replaced in which the bitcoin will be sent to the hacker's address.

Please show me one example for this QR malware, because I see you know a lot about this subject 

It is all based on what I have been reading, that people should be careful of Qshing and any other type of QR code malware, so this is not based on fact, but prevention is better.

Issue with QR code encoded malware is file size. A QR code offers extremely limited space, so it'd be super hard to transfer an actual piece of malware software - I'd dare to say impossible - over a single QR code.

QR code can not be hacked, but can be replaced which will be what the hacker will do, there are ways in which the transaction initiated which is to be signed will be changed to his own (hacker's QR code), it will also still just be a QR code but for a hacker which can be very deadly. Malware QR code are existing and they are just like other normal QR codes.

In the case of air gapped wallets, you send the transaction over QR to the online device, so the wallet is never connected to an internet-connected machine.

Like the example I have used before, like airgapped Electrum wallet, you can either use QR code or USB stick for as a means of transferring unsigned transaction from watch-only wallet to the airgapped device for signing, if using USB stick, does that mean the airgapped Electrum wallet is not airgapped?

Even if QR code can not be hacked, can't it be replaced? We should not underestimate what malware is. We should use the reputed wallet that is best for us and also still try as much as possible to avoid malware, the easiest thing to do for an experienced users that know about malware is to avoid malware.