Bitcoin Forum
March 28, 2024, 02:11:16 PM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Be careful what you plug your hardware wallet into your PC with  (Read 472 times)
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
March 26, 2022, 03:43:46 PM
Merited by vapourminer (2), Pmalek (1)
 #21

If he can get it working, it will be disclosed to them with an "X" number of days to acknowledge the issue and discuss with him.
The trouble is, it's not vulnerable until the user plugs in a malicious piece of hardware inline with their device. So, there might not really be a way to fix it if what he thinks is happening, is really the way it works.

It's like using a wireless keyboard to type sensitive information. There may not be a way to fix it.

As for what is working now, i.e. change an address in a known location that the user copy & pastes. There is nothing to really disclose. This device can run an app that can create predefined keyboard inputs. Short of unplugging the power to your PC it can't be fixed.

Edit to add: if it can't be fixed, it will not be given out or discussed (even to me and I'm the one who paid for the damn cables to test with)
If it can be fixed but they don't want to or just don't I'm not sure.
If it can be fixed and they have a timeline it will not be disclosed till after an agreed upon time has passed.

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
1711635076
Hero Member
*
Offline Offline

Posts: 1711635076

View Profile Personal Message (Offline)

Ignore
1711635076
Reply with quote  #2

1711635076
Report to moderator
You can see the statistics of your reports to moderators on the "Report to moderator" pages.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
March 26, 2022, 04:11:40 PM
Merited by vapourminer (2)
 #22

~
Right, so going the responsible disclosure route then. Definitely the best thing for the users and by many claimed the more moral thing to do.
I can see how this may be unfixable. If I am on the right track with my idea about this exploit, it should be possible to e.g. construct a 'toy scenario' with a software wallet or so, and show the attack on that, without revealing a real manufacturer where this also works. And letting people figure that out by themselves; that should be 'green light', legally.
It will be interesting nonetheless. The 'exploit' just uses keypresses though, so a mitigation would be providing a software that requires the user to allow new USB HID devices explicitly. It could be a service that runs in the background and shows a pop-up 'do you want to use this keyboard?' when plugging in a new device.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pmalek
Legendary
*
Offline Offline

Activity: 2716
Merit: 7030


Farewell, Leo. You will be missed!


View Profile
March 26, 2022, 06:26:07 PM
 #23

It would also get them into big legal trouble if they don't make a responsible disclosure. In cybersecurity it's either that, or selling the exploit.
I wanted to say that as well, but I couldn't remember the damn term Grin. Responsible disclosure, that's it. Dave doesn't seem to me like the person who is looking yo exploit this, otherwise I don't think we would even have this thread. His post above confirms just that. Dave also doesn't know how it works. Only the person who discovered this bug knows the specifics.

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
March 26, 2022, 08:18:14 PM
Merited by Pmalek (1)
 #24

It would also get them into big legal trouble if they don't make a responsible disclosure. In cybersecurity it's either that, or selling the exploit.
I wanted to say that as well, but I couldn't remember the damn term Grin. Responsible disclosure, that's it. Dave doesn't seem to me like the person who is looking yo exploit this, otherwise I don't think we would even have this thread. His post above confirms just that. Dave also doesn't know how it works. Only the person who discovered this bug knows the specifics.

Apple = "It's not a bug, it's a feature"

Seriously, it's not a bug.

You are plugging something inline between your PC and your hardware device that can manipulate data. When HW wallets were 1st made there was no way that a device with all this storage and Wi-Fi could be put into a cable that does not look any different then a regular cable.

So, it's just a vulnerability not a bug. In the real world it's the same thing to the end user. Dealing with security discussions it's different. A bug indicates they made a mistake, a vulnerability is something they do not defend against. To most of us it does not make a difference.

To others it could cost them their job. A bug is "what the f--k were you thinking, get out of the office you idiot" a vulnerability is "This came up can you fix it or code around it"

-Dave


█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
May 24, 2022, 11:32:22 AM
Merited by NeuroticFish (2), n0nce (1)
 #25

Just a bit of an update since it's been 2 months:
He contacted the comp any and they responded promptly and have been discussing options of how / if it's possible to fix it.

The biggest issue is that it is working as intended and now they are trying to figure out a way to stop a USB device that from behaving like a USB device should.
All without increasing the chance of user error. That was something we did not think of when talking about it. The more steps / checks you put in that a person has to do, the more possibility of said person making a mistake.

Next update when I know more.

-Dave


█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Tibu
Full Member
***
Offline Offline

Activity: 294
Merit: 129

Hardware and open source software solutions.


View Profile WWW
May 24, 2022, 12:19:50 PM
 #26

This is a good reminder...
Always be careful.
Dont trust, verify. And a good way to verify a cable is to open it. If you see suspicious board -> trash it.

🔥 🔥 🔥  Satochip - Secure the future.  🔥 🔥 🔥
⭐ Hardware wallet on a smartcard | Affordable and easy to use | Open source and community driven  ⭐
──WebsiteShop  |  Bitcointalk  |  Twitter  |  Telegram  |  Github──
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
May 24, 2022, 12:30:17 PM
Merited by vapourminer (2)
 #27

This is a good reminder...
Always be careful.
Dont trust, verify. And a good way to verify a cable is to open it. If you see suspicious board -> trash it.
But then the cable is broken. And how to distinguish a suspicious board from a legit one? Sure, plain old USB-to-USB cables were just wires, so a silicon chip would stick out - but nowadays with USB-C, Lightning and whatnot, there are usually little circuit boards in the plugs anyway. I reckon it's pretty hard to tell if they're legit or not, even if inspected at a chip level.

It is explained in great detail for instance in this talk: '36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware'
https://www.youtube.com/watch?v=Hzb37RyagCQ

A screencap about one attack method:

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Tibu
Full Member
***
Offline Offline

Activity: 294
Merit: 129

Hardware and open source software solutions.


View Profile WWW
May 24, 2022, 12:44:49 PM
 #28

This is a good reminder...
Always be careful.
Dont trust, verify. And a good way to verify a cable is to open it. If you see suspicious board -> trash it.
But then the cable is broken. And how to distinguish a suspicious board from a legit one? Sure, plain old USB-to-USB cables were just wires, so a silicon chip would stick out - but nowadays with USB-C, Lightning and whatnot, there are usually little circuit boards in the plugs anyway. I reckon it's pretty hard to tell if they're legit or not, even if inspected at a chip level.

It is explained in great detail for instance in this talk: '36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware'
https://www.youtube.com/watch?v=Hzb37RyagCQ

A screencap about one attack method:


Thanks for the video. Really interesting.

🔥 🔥 🔥  Satochip - Secure the future.  🔥 🔥 🔥
⭐ Hardware wallet on a smartcard | Affordable and easy to use | Open source and community driven  ⭐
──WebsiteShop  |  Bitcointalk  |  Twitter  |  Telegram  |  Github──
dkbit98
Legendary
*
Offline Offline

Activity: 2184
Merit: 7019


SATOCHIP.io


View Profile WWW
May 24, 2022, 07:31:27 PM
Merited by NeuroticFish (2), DaveF (2), n0nce (1)
 #29

Dont trust, verify. And a good way to verify a cable is to open it. If you see suspicious board -> trash it.
I would agree with this, but you should also be aware that warranty for most devices would be voided if device was opened, and you could not replace it if malfunction happens.
Opening cables means that you are cutting and destroying them, and you can't use them anymore... I mean you can sort off, but question is how long this frankenstein cable will survive.
Sad fact is that most people won't even notice anything suspicious, unless someone tells them what to look for.

Recently I saw interesting products and topics related with this subject of USB connection with computers, you can always make your own cables and make them power only.

How (and why) to make your own power-only USB cable:
https://www.cultofmac.com/632796/how-and-why-to-make-your-own-power-only-usb-cable/

USB Data Blocker:
https://portablepowersupplies.co.uk/product/usb-data-blocker

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
May 25, 2022, 12:41:42 PM
 #30

Recently I saw interesting products and topics related with this subject of USB connection with computers, you can always make your own cables and make them power only.

How (and why) to make your own power-only USB cable:
https://www.cultofmac.com/632796/how-and-why-to-make-your-own-power-only-usb-cable/

USB Data Blocker:
https://portablepowersupplies.co.uk/product/usb-data-blocker
Well, you do need data in most cases, like when using a hardware wallet or a mouse / keyboard, but you can indeed just make a regular USB cable yourself.

But it's a brilliant idea, I really like it! USB plugs of all sizes and materials are sold online (easy to inspect and solder wires to), cables too and you probably just need some solder and a bit of time.
I just found there are even kits [1] sold online with everything you need.
It will not be possible to make a USB-C fast charging one with 12 (or more?) inside wires though, I guess. But you can just use those store-bought and plug them directly into wall bricks.

[1] https://jujucables.com/product/diy-usb-cable-kit/

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
dkbit98
Legendary
*
Offline Offline

Activity: 2184
Merit: 7019


SATOCHIP.io


View Profile WWW
May 25, 2022, 03:09:07 PM
 #31

Well, you do need data in most cases, like when using a hardware wallet or a mouse / keyboard, but you can indeed just make a regular USB cable yourself.
Yeah I know.
I think I once tried experiment connecting Trezor device with usb power-only cable, and it didn't work properly Smiley

I just found there are even kits [1] sold online with everything you need.
It will not be possible to make a USB-C fast charging one with 12 (or more?) inside wires though, I guess. But you can just use those store-bought and plug them directly into wall bricks.
That is a nice find, I am checking it out now.
God knows how much money I wasted on cables in my life, and most of them were terrible quality especially 3.5mm audio cables used for headphones and speakers.
One friend recently wanted to start cable making business for his personal use and for selling, but I think he is busy with other stuff in his life now.
I am not a big fan of USB-C connection (known to create problems and confusion with some laptops) but I guess it's slowly taking over, liked it or not :/

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
May 25, 2022, 04:49:09 PM
Merited by vapourminer (2), dkbit98 (1)
 #32

Well, you do need data in most cases, like when using a hardware wallet or a mouse / keyboard, but you can indeed just make a regular USB cable yourself.
Yeah I know.
I think I once tried experiment connecting Trezor device with usb power-only cable, and it didn't work properly Smiley
Of course, how else can it communicate if not using the two inner USB wires? Tongue

I just found there are even kits [1] sold online with everything you need.
It will not be possible to make a USB-C fast charging one with 12 (or more?) inside wires though, I guess. But you can just use those store-bought and plug them directly into wall bricks.
That is a nice find, I am checking it out now.
I believe it's an American shop, but these kinds of kits exist in Europe too. Apparently these high quality DIY cables are popular in use with keyboards.

God knows how much money I wasted on cables in my life, and most of them were terrible quality especially 3.5mm audio cables used for headphones and speakers.
One friend recently wanted to start cable making business for his personal use and for selling, but I think he is busy with other stuff in his life now.
How's the saying? Buy cheap = buy twice - something like that. Exists in many languages interestingly. And if you make it yourself you're also shielded from 'Bad USB cable' attacks [1] and cable implants (though it's a very targeted attack I must admit, so unlikely for majority of people).

I am not a big fan of USB-C connection (known to create problems and confusion with some laptops) but I guess it's slowly taking over, liked it or not :/
What's good about USB-C is that it's backwards-compatible. I found out you can even make your DIY USB-C cables; just only wire up positive, negative and the two data wires.
Here in this shop they sell a kit with PDF instructions [2] where it's clear they give you a USB-C connector with just the 4 classic USB-2.0 pads.


[1] https://mg.lol/blog/badusb-cables/
[2] https://www.zapcables.com/products/diy-usb-cable-kit

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
PrivacyG
Hero Member
*****
Offline Offline

Activity: 742
Merit: 1699


Crypto Swap Exchange


View Profile
May 25, 2022, 09:04:29 PM
 #33

Of course, how else can it communicate if not using the two inner USB wires? Tongue
I know Bluetooth has some security flaws.  I am interested in your input.  In this case, what do you think?  Would you say it is safer to use a Hardware Wallet over Bluetooth connection rather than an unknown or new USB cable?

-
Regards,
PrivacyG

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
May 25, 2022, 09:27:02 PM
Merited by vapourminer (1), Pmalek (1)
 #34

Of course, how else can it communicate if not using the two inner USB wires? Tongue
I know Bluetooth has some security flaws.  I am interested in your input.  In this case, what do you think?  Would you say it is safer to use a Hardware Wallet over Bluetooth connection rather than an unknown or new USB cable?
Oh that's a good question. On one hand, technologically cable is better than wireless; assuming you know your cable. Wireless always remains attackable on the physical layer, although good high-level protocols can fix this attack vector. So to really answer it, you would also need to take into account whether the information sent over Bluetooth is encrypted on application-level and which Bluetooth implementation is used.

Fact of the matter though, the [1] whole Bluetooth 5.3 specification has grown into a single, 3,000 (three-thousand) page 27MB PDF document, which should be telling enough. It's really really difficult to be sure about the security of such a single, huge protocol stack that has organically evolved over the years and not been built from the ground up with security in mind. Compared to other wireless technologies, I'd rate Bluetooth as less secure since it's this proprietary single standard that encompasses all layers from physical to application, whereas for instance WiFi has different segregated layers that can be analyzed and replaced independently.

And this is only talking about protocol and possible protocol bugs. Add to this the huge (also single-project) Bluetooth implementations which are riddled of bugs and vulnerabilities; both on the device side ('mini' / 'IoT' type devices are typically less secure due to limited space - so often pure C code with sketchy optimizations) and even the host side. Literally one of the most widely used Bluetooth implementations, BlueZ [2] (besides having an expired TLS certificate) has had numerous attacks; though I'm not sure how many protocol bugs and how many implementation-specific ones.

This is all theory, though. I haven't seen specialized, stealthy Bluetooth attacking devices so far, whereas the aforementioned bad USB cable does exist and is used. So it's hard to say what's more secure in practice, with which device (which BT implementation) and in which security / attack scenario you should use what hardware wallet.

I'd personally go for cable and make sure I use one of my own cables, though. One reason is that when using a cable, you can only be infected when actually plugging the device in, so at the location / time you are trying to use it. However, a Bluetooth device can be infected at any time someone walks nearby as long as it's turned on. An example for this is the BlueBorne attack [3] where you might get infected by simply having a Bluetooth-capable HW wallet in your pocket while walking around town.

So even using Bluetooth-enabled hardware wallets with a cable is less secure than devices that don't have BT at all, due to the larger attack surface.

[1] https://www.bluetooth.com/specifications/specs/core-specification-5-3/
[2] https://www.bluez.org/
[3] https://www.armis.com/research/blueborne/

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
NeuroticFish
Legendary
*
Offline Offline

Activity: 3626
Merit: 6321


Looking for campaign manager? Contact icopress!


View Profile
May 26, 2022, 08:20:25 AM
Merited by DaveF (2)
 #35

Would you say it is safer to use a Hardware Wallet over Bluetooth connection rather than an unknown or new USB cable?

Imho it's not.
But really, it's not that difficult to buy a proper USB data cable from a proper shop if, by (some rather unlikely) chance, the one from the HW manufacturer got damaged or lost.
So why risk anyway?

And while I do agree that this problem with USB cables is a growing problem, I don't think that if you just buy a new cable there's a real chance for troubles.
So yeah, just stop using cables that aren't yours.

And no, I don't trust at all the wireless connections, no matter it's NFC, Bluetooth or WiFi.

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
vapourminer
Legendary
*
Offline Offline

Activity: 4284
Merit: 3472


what is this "brake pedal" you speak of?


View Profile
May 26, 2022, 05:38:23 PM
Merited by dkbit98 (1), n0nce (1)
 #36

i had a thread on diy usb cables.. might be of some use

https://bitcointalk.org/index.php?topic=5218898.msg53646922#msg53646922
dkbit98
Legendary
*
Offline Offline

Activity: 2184
Merit: 7019


SATOCHIP.io


View Profile WWW
May 26, 2022, 06:01:10 PM
 #37

How's the saying? Buy cheap = buy twice - something like that. Exists in many languages interestingly. And if you make it yourself you're also shielded from 'Bad USB cable' attacks [1] and cable implants (though it's a very targeted attack I must admit, so unlikely for majority of people).
Exactly that, and even when I purchased better quality audio cables, I destroy them as well...
I need some military grade cables, or instructions how to make them, because I am terminator for cables  Cool

What's good about USB-C is that it's backwards-compatible. I found out you can even make your DIY USB-C cables; just only wire up positive, negative and the two data wires.
Here in this shop they sell a kit with PDF instructions [2] where it's clear they give you a USB-C connector with just the 4 classic USB-2.0 pads.
I know USB type C have advantages compared to older USB, and good thing about them is they can work on both sides and you can't plug it incorrectly.
Problem I have is there is a push for all devices to use this for everything including power cables, that means all older cables are becoming obsolete, unless you use some adapter.

I know Bluetooth has some security flaws.  I am interested in your input.  In this case, what do you think?  Would you say it is safer to use a Hardware Wallet over Bluetooth connection rather than an unknown or new USB cable?
No it's not safer, and I personally don't like Bluetooth or other wireless type of communication used in hardware wallets.
Better option than cables is using QR codes, and airgapped hardware wallets like Passport, Keystone, Coldcard or DIY SeedSigner.

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
May 26, 2022, 10:59:19 PM
Merited by vapourminer (1)
 #38

How's the saying? Buy cheap = buy twice - something like that. Exists in many languages interestingly. And if you make it yourself you're also shielded from 'Bad USB cable' attacks [1] and cable implants (though it's a very targeted attack I must admit, so unlikely for majority of people).
Exactly that, and even when I purchased better quality audio cables, I destroy them as well...
I need some military grade cables, or instructions how to make them, because I am terminator for cables  Cool
At least you're keeping the cable manufacturers in business! Tongue But I encourage you to try such a DIY kit; I'll do too when I find the time, maybe those are more sturdy indeed. I saw people put paracord and other materials around the wires to make them more durable and get a custom look. That way it will also be easy to spot if someone replaced your cable. Opposed to a standard all white or black cable which might be replaced without notice in an evil maid attack [1] scenario.

I know USB type C have advantages compared to older USB, and good thing about them is they can work on both sides and you can't plug it incorrectly.
Problem I have is there is a push for all devices to use this for everything including power cables, that means all older cables are becoming obsolete, unless you use some adapter.
On one hand, it's a pretty cool idea not having to carry a separate cable for almost every device, instead having a single cable that can charge your laptop, your phone, connect your phone to your laptop, connect your hardware wallet to your phone or connect your laptop to a monitor and much more.
But there's already been a few practical issues like some cables not speaking all protocols. So therefore some features don't work with certain cables and certain devices, but do work on others and these sorts of annoyances. I believe it comes down to the chips used in the connectors and the actual number of leads that are actually connected. In the screencap I shared earlier, you can see the USB-C plug only having USB 2.0 (!!) standard connection pads, so from the outside it seems just like a USB-C cable but it will obviously barely charge a laptop (if at all - at 5V, 0.9A).

But this may already be way too off-topic for this thread - sorry about that!

[1] https://en.wikipedia.org/wiki/Evil_Maid_attack

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
July 03, 2022, 11:23:10 PM
 #39

So was talking about this while burgers & beers earlier.
The fix they sent him barely works and causes errors and when it does work it's still not right. But as he put it "was more of a proof of concept then finished coding"
However, they are working on it so I'll give them that.

And yes it's a What's App burgers and beers meeting since he is several time zones away....

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
n0nce
Hero Member
*****
Offline Offline

Activity: 868
Merit: 5808


not your keys, not your coins!


View Profile WWW
July 03, 2022, 11:42:41 PM
 #40

So was talking about this while burgers & beers earlier.
The fix they sent him barely works and causes errors and when it does work it's still not right. But as he put it "was more of a proof of concept then finished coding"
However, they are working on it so I'll give them that.

And yes it's a What's App burgers and beers meeting since he is several time zones away....

-Dave
Interesting; so the bug / exploit you guys found is going to be fixed by the manufacturer now?
I was under the impression that due to its nature it was not vendor-specific to just one brand and that it was going to be hard to fix.

The attack I imagined from your rough description, wouldn't be easy to fix outside the OS level.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!