Bitcoin Forum
Author Topic: AirGapped Hardware Wallets  (Read 1123 times)
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1624
Merit: 1899

Amazon Prime Member #7


View Profile
October 01, 2021, 01:05:33 PM
 #41

Can you really say a Hardware wallet is truly "air-gapped" if you are pushing firmware updates to it? Doing so in a way that your "average" user can complete the process without undue expenses.

I think to keep the HW wallet having its "air-gapped" status after updating firmware, someone would need to compile the source code of the software that updates the firmware, and the firmware itself manually, and verify signatures signing the above code, signed by an entity you can trust, all on an air-gapped computer. I don't think this is something someone could do without a fairly decent amount of technical knowledge, and there would be costs involved that probably exceed the cost of the HW wallet.

I think if you were to update firmware via connecting the HW wallet to an internet-connected device, I don't think most people would consider the HW wallet to be "air-gapped" anymore. There are plenty of ways to do this safely while putting the risk of malware being introduced at near zero, as current HW wallet manufacturers do today, but I also think this procedure means these HW wallets are not "air-gapped".
In the end, everyone may choose their own definition of things and choose the method they like most to store their coins.
Matter of fact though: the commonly accepted definition of an airgapped wallet is that it's not physically connected to an online machine. I know it's vague, so there's room for interpretation.
I would typically define an "air-gapped" "computer" to be something that is never connected to the internet, nor is ever connected to any device that does not meet the definition of being "air-gapped".

If HW wallets are going to allow for firmware updates via a USB connection, and the manufacturer does not give clear instructions on how to do this via an air-gapped computer, calling the HW wallet "air-gapped" is probably more of a marketing gimmick than a security feature.
As for your suggestions: Lixin from Keystone confirmed they are planning for a version of their device that comes without firmware, so both the initial install and any updates will need to be compiled and flashed by you yourself. Maybe this would be something for you!
I posted up-thread that a Trezor for example would be superior to an air-gapped wallet. If you are going to use an air-gapped HW wallet, one that requires the user to compile the firmware is probably best. Obviously, in order for this to provide meaningful protection, the user would need to be able to understand the code they are compiling.

Can you really say a Hardware wallet is truly "air-gapped" if you are pushing firmware updates to it? Doing so in a way that your "average" user can complete the process without undue expenses.
Yes you can.
In the same way that you would still use an airgapped computer with an updated version of Electrum or any other software wallet, with an offline system update and without connecting to the internet.
It's your own fault if you screw something up during the update process, and the procedure is very simple: click download on another online computer, verify the software signature and then install it on the airgapped computer.

If you use the term "its your own fault", there is probably not a good procedure that your "average" user can complete without experiencing security risks.

Also, if your computer is infected with malware, you cannot trust any output it provides. Granted, the manufacturer could suggest a procedure that is something along the lines of using a computer that boots from read-only memory, upload the public key whose private key signed the new firmware to the computer, upload the signature and source code to the computer to confirm the signature was signed by the right key, then install accordingly. However this procedure requires equipment whose cost would far exceed the cost of the HW wallet.
dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
October 01, 2021, 01:59:13 PM
 #42

Also, if your computer is infected with malware, you cannot trust any output it provides.
You are totally missing the point of airgapped devices, you obviously never used one yourself, and you have your own twisted definition of these devices, so I am not going to continue this discussion with you.

n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
October 01, 2021, 02:13:31 PM
 #43

Also, if your computer is infected with malware, you cannot trust any output it provides.
You are totally missing the point of airgapped devices, you obviously never used one yourself, and you have your own twisted definition of these devices, so I am not going to continue this discussion with you.
Unfortunately, I'm under the same impression. I'll give it one more go though :D

If HW wallets are going to allow for firmware updates via a USB connection, and the manufacturer does not give clear instructions on how to do this via an air-gapped computer, calling the HW wallet "air-gapped" is probably more of a marketing gimmick than a security feature.
Firstly, this is a classic strawman. At least the 2 wallets I checked (Passport - doesn't even have a USB port and ColdCard), which are both marketed as airgapped, are upgraded via an SD card that holds the update.

I posted up-thread that a Trezor for example would be superior to an air-gapped wallet. If you are going to use an air-gapped HW wallet, one that requires the user to compile the firmware is probably best.
The issue with this though is that then you're maybe safer during the (usually infrequent) firmware upgrades, but in day-to-day usage you're constantly physically plugging in your wallet into different machines' USB ports, which may or may not be infected, for signing transactions.

Just compare the attack surfaces:
  • Device A: Updated via USB, with self-compiled firmware. Plugged in via USB for every transaction.
  • Device B: Updated via SD card, with downloaded and verified firmware. Never plugged in, transaction data transferred via SD card or QR codes.
To me, device B wins hands down, I don't see a world where device A is more secure except maybe the case where you use it purely as cold storage. In that case though, a paper wallet may make more sense.

dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
October 06, 2021, 07:32:52 PM
Merited by n0nce (1)
 #44

Newly discovered LANtenna Attack for airgapped devices was found recently, creating wireless signals with ethernet cable to steal data secrets from airgapped systems.
Malicious code can be sent from airgapped computers that don't have any internet connection, bluetooth or wi-fi, simply using $1 antenna via ethernet cables.
https://thehackernews.com/2021/10/creating-wireless-signals-with-ethernet.html

Full paper:
https://arxiv.org/pdf/2110.00104.pdf

n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
October 06, 2021, 09:50:01 PM
 #45

Newly discovered LANtenna Attack for airgapped devices was found recently, creating wireless signals with ethernet cable to steal data secrets from airgapped systems.
Sick! I think I saw a talk already at BlackHat or so about using cables as antennas; can't remember what kind of cable they were using though. I love these kinds of novel wireless attacks.

On the topic of airgapped wallets; I got a Passport and will try it out soon. Not sure whether to write a new post with extensive review or add to one of the threads about airgapped or open-source wallets. Anyhow; is there anything you would like to see / know about the device that wasn't covered in other reviews or articles so far?

SFR10
Legendary
*
Offline Offline

Activity: 2996
Merit: 3421


Crypto Swap Exchange


View Profile WWW
October 07, 2021, 04:20:46 PM
 #46

~Snipped~
simply using $1 antenna via ethernet cables.
Not sure which one is more accurate, the article that mentioned "could reach tens of meters" or the PDF file [I only read the parts that I could understand] that said "to a distance of several meters away" but regardless of that, the odds of such attacks happening are quite low [CMIW], even with an infected computer [heavily depends on the location & distance of the computer + the security measures that some have].
- I never thought such a thing was even possible [thank you for sharing it].

I got a Passport and will try it out soon. Not sure whether to write a new post with extensive review or add to one of the threads about airgapped or open-source wallets.
Do both [just add a link for the latter part].

Anyhow; is there anything you would like to see / know about the device that wasn't covered in other reviews or articles so far?
Anything that might be hidden [apart from its games].

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18510


View Profile
October 07, 2021, 07:06:09 PM
 #47

Newly discovered LANtenna Attack for airgapped devices was found recently, creating wireless signals with ethernet cable to steal data secrets from airgapped systems.
This is why I am a proponent of physically removing any connectivity hardware (or indeed, any superfluous hardware) from your airgapped device rather than just disabling it. I could never fall victim to this attack because not only does my airgapped device not have any ethernet cables attached to it, but it does not even have an ethernet port in which to connect an ethernet cable.

Who actually has an ethernet cable attached to their airgapped device though? The device you are using to store airgapped wallets should obviously not be connected to a WiFi router or similar, and it should also not be part of a LAN or similar.

the odds of such attacks happening are quite low [CMIW]
Correct. As with most attacks which leak data from airgapped computers, the attacker must first gain access to your airgapped computer to install malware on it, and then hide some sort of receiving device within fairly close proximity to your airgapped computer. If your computer never leaves your house, then this is essentially impossible without obvious signs of forced entry.
witcher_sense
Legendary
*
Offline Offline

Activity: 2338
Merit: 4332

🔐BitcoinMessage.Tools🔑


View Profile WWW
October 08, 2021, 06:16:11 AM
 #48

Who actually has an ethernet cable attached to their airgapped device though? The device you are using to store airgapped wallets should obviously not be connected to a WiFi router or similar, and it should also not be part of a LAN or similar.
If a device (in this case, an air-gapped computer with wallets installed) is a part of an air-gapped network, it needs to be somehow physically connected to other air-gapped computers. The question is why a crypto user would want isolated local networks to deal with cryptocurrency stuff? I think you are right in the sense that after such a vulnerability has been discovered and revealed, no computer that is part of isolated LAN can further be considered truly air-gapped. Cryptocurrency users, who want to maintain a decent level of security and preserve privacy, definitely should not have their (single) offline computer connected to the outside world: neither through physical means such as Ethernet cables, nor virtual ones such as WiFi, Bluetooth, etc.

dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
October 08, 2021, 10:54:29 AM
 #49

I could never fall victim to this attack because not only does my airgapped device not have any ethernet cables attached to it, but it does not even have an ethernet port in which to connect an ethernet cable.
I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.



o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18510


View Profile
October 08, 2021, 01:35:37 PM
 #50

The question is why a crypto user would want isolated local networks to deal with cryptocurrency stuff?
Yeah, that's my point. If you have some kind of LAN or other local network set up with multiple computers and devices, then that's a poor choice for storing airgapped wallets. Whatever device you are using for your airgapped wallet should have the minimum amount of hardware required to run, and be connected to the minimum number of peripheral devices. If not building it yourself, then open it up and remove things like the WiFi card.

I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.
I have a variety of new and old laptops, none of which have ethernet ports. There are a number of Raspberry Pi boards without ethernet ports.
n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
October 08, 2021, 01:40:55 PM
 #51

I could never fall victim to this attack because not only does my airgapped device not have any ethernet cables attached to it, but it does not even have an ethernet port in which to connect an ethernet cable.
I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.
Depending on which locations (this includes some IT security conferences) you like to visit, it may be a wise choice to bring a device without connectivity of any kind ;D
I've seen people put hot glue into their ports and also people simply desoldering ports from the motherboard.
If the machine is sitting in a physically secured location though, you should be good with leaving the ports on ^^

I have a variety of new and old laptops, none of which have ethernet ports. There are a number of Raspberry Pi boards without ethernet ports.
Old laptops - I get it. I have one that needs a PCMCIA card with an adapter to have ethernet. But modern? You mean those ultrabooks with just a bunch of USB-C ports? Cause that's not much better either; you can just plug in an adapter in that case.

dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
November 11, 2021, 03:55:25 PM
Merited by FatFork (2), n0nce (2)
 #52

Douglas Bakkum recently wrote an article for BitBox blog claiming that airgap is not really making hardware wallets more secure and it's only complicating them.
It's not surprising to hear this from inventor of BitBox wallet if we know that device is not airgapped, but it's interesting to read his opinion and conclusion.
He first started with myth of unbeatable airgap security, but wait a minute, nobody said that airgap is perfect and unbeatable.
Then he said that Micro-SD cards are mini computers with firmware that can be hacked, something I never heard happening but I guess it's possible in theory, however not all h-wallets are using SD cards, there is also QR codes.
Quote
Our conclusion is that air-gapped communication offers little-to-no added hardware wallet security while degrading the user experience.
Source article: https://shiftcrypto.ch/blog/does-airgap-make-bitcoin-hardware-wallets-more-secure/

I personally won't agree with Douglas's opinion, removing USB connection means less attack surface,
and in reply to BitBox blog with claims and conclusion we have interesting David Bakin blog, that explains it much better than me:
https://bakins-bits.dev/dev/2021/11/airgapped-hardware-wallets-and-fud-1/


n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
November 12, 2021, 02:33:52 PM
Merited by dkbit98 (1)
 #53

~
Read both a few days as well; interesting takes, but for me personally, the airgapped Passport is easier and quicker to use than the BitBox, not only though it is airgapped, but partly also because.
My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.

dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
November 13, 2021, 02:07:06 PM
 #54

My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.
There is a saying that everyone praises his own horse, and I think that is the case here with Bakkum indirectly praising his own wallet.
I think that Bitbox02 is very good open source device, but it's far from perfect and I personally don't like direct USB connection without cable
because I can't use it properly on my desktop computer and I need cable extension, or to use it on my laptop.
If I had to choose wallet with USB connection or airgap, I would use airgap option in 99%

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.
I don't know if you ever used Coldcard hardware wallet but I would be interested to hear some comparison Passport vs Coldcard vs other wallets.
Thanks.

n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
November 13, 2021, 03:18:35 PM
 #55

My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.
There is a saying that everyone praises his own horse, and I think that is the case here with Bakkum indirectly praising his own wallet.
Of course that's what he's doing, but he's not honest about it. Of course you can advertise your own product, but strawmanning the competition is not elegant.

I think that Bitbox02 is very good open source device, but it's far from perfect and I personally don't like direct USB connection without cable
because I can't use it properly on my desktop computer and I need cable extension, or to use it on my laptop.
If I had to choose wallet with USB connection or airgap, I would use airgap option in 99%
Well, it comes with an extension cable, so it's no difference if it has a male or female USB port on it, except that with their design you don't need the cable when using a laptop, whereas you do always need one if you opt for a female plug on the hardware wallet. But I agree that QR codes are more comfortable, also because they work with any device that has a camera and you never need a cable.

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.
I don't know if you ever used Coldcard hardware wallet but I would be interested to hear some comparison Passport vs Coldcard vs other wallets.
Thanks.
Unfortunately, I have not tried that one yet. However, it should be fairly similar to Passport when used with SD card (which I'll try), when it comes to the user experience.

dkbit98 (OP)
Legendary
*
Offline Offline

Activity: 2226
Merit: 7137



View Profile WWW
October 22, 2022, 08:40:50 PM
Merited by ABCbits (1), FatFork (1)
 #56

It's finally time to add one more airgapped hardware wallet in this topic, and that is Jade wallet after upcoming firmware update.
Jade always had camera in their ESP32 device and they just waited for software update to add support for QR codes and camera compatibility.
Someone on Twitter posted this VIDEO how this would work with Jade device.
Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.


Image source taken from twitter account @bitcoin__help


PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1624
Merit: 1899

Amazon Prime Member #7


View Profile
October 23, 2022, 08:28:45 PM
 #57

Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.
Data from the internet must interact with the Jade device. I have previously argued that some HW wallets are superior in security compared to "traditional" 'air gapped' setups.

Every security measure uses various tradeoffs. The Jade, for example, reduces the risk of loss (via theft) if someone gains physical access to the device, in exchange for incremental additional vulnerability via having to connect (via an app) to the internet. Realistically, I think the risk of having a HW device stolen is greater than someone being able to inject malware into it, so it is probably a good tradeoff. However, I don't see how one could argue that Jade is in fact "air-gapped"
witcher_sense
Legendary
*
Offline Offline

Activity: 2338
Merit: 4332

🔐BitcoinMessage.Tools🔑


View Profile WWW
October 24, 2022, 06:07:42 AM
 #58


Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.

I have mixed feelings about the Jade hardware wallet, I haven't been following its development closely, but it is for sure the first time I hear that someone calls it an "air-gapped" wallet. As far as I know, in order to get access to the signing functionality of this wallet, you first need to unblock it by entering a PIN code. This PIN-code protection is server-enforced, which means you have to be physically connected to a remote server via the Internet to get your PIN working. This requirement of having to be connected to the network slightly contradicts the concept of air-gapped wallets. However, there are ways to make this wallet more "air-gapped" and less reliant on third-party servers: namely by spinning up your own server on your own isolated local network and using a hardware wallet only in your house. But I think if your personal network is not correctly configured, it remains vulnerable to external attacks. Moreover, you will still need the Internet to broadcast a transaction, which means there should be a separate network that talks to the outside world. Isn't it easier to just use some other wallet that doesn't need any servers to be unlocked?

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18510


View Profile
October 24, 2022, 07:59:41 AM
 #59

Please correct me if I'm wrong, but looking at the setup guide for Jade, it must be connected to your computer via a USB cable to set it up via Blockstream Green. As far as I am concerned, this immediately makes it non-airgapped, in exactly the same way Ledger or Trezor are non-airgapped. Perhaps it would be possible to use it in an air-gapped manner if you only connected it to an airgapped computer running an entirely offline version of Blockstream Green (although having never used this wallet I don't know if that is possible), but Jade itself is not an airgapped wallet.
n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5818


not your keys, not your coins!


View Profile WWW
October 24, 2022, 09:07:36 AM
 #60

While I do love QR codes not only for security / air-gap, but also for their convenience (work cross-platform, no need to carry a cable); just adding QR code communication indeed doesn't make a wallet airgapped, in my opinion. Still nice to have, but not air-gapped.
So, I agree with o_e_l_e_o here.
