Bitcoin Forum
Author Topic: Do not use a wallet that do not bring out virtual keyboard  (Read 249 times)
_act_ (OP)
May 01, 2022, 11:57:49 AM
Last edit: May 01, 2022, 03:34:10 PM by _act_
Merited by pooya87 (3), DdmrDdmr (3), Doan9269 (2), Outhue (2), ABCbits (1), mk4 (1), Maus0728 (1)
 #1

Warning: Smartphone text prediction guesses crypto hodler’s seed phrase

Quote
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering his mobile phone’s ability to predict the entire recovery seed phrase as soon as he typed down the first word. As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlighted the ease with which hackers can use the feature to drain a user’s funds just by being able to type the first word out of the BIP 39 list:

“This makes it easy to attack, get your hands on a phone, start any chat app, and start typing any words off the BIP39 list, and see what the phone suggests.”

Speaking to Cointelegraph, Andre, otherwise known as u/Divinux on Reddit, shared his shock when he first experienced his phone literally guessing the 12-24 word seed phrase. “First, I was stunned. The first couple words could be a coincidence, right?”

Andre’s experiments confirmed that Google’s GBoard was the least vulnerable as the software did not predict every word in the correct order. However, Microsoft’s Swiftkey keyboard was able to predict the seed phrase right out of the box. The Samsung keyboard, too, can predict the words if “Auto replace” and “Suggest text corrections” have been manually turned on.

I type so much daily, there are some sentences I frequently type which is already part of me, what I have noticed about this is that once I type the first word of the common sentences I use daily, I can use the text predictor to know all the remaining words.

Example: I type 'Spam, move this to altcoin discussion as it does not belong to bitcoin discussion board'. If I type this often.

There will be a time if I type Spam, the text editor will bring the remaining words one by one to the last word which is 'board'.

If a seed phrase is stolen if another person got hold of the person that uses his device as wallet, this cannot be commonly successfully done, but if it is done and the wallet is compromised this way, should we blame it on the word predictor or should we blame it on wallets that do not bring out virtual keyboard. I believe if virtual keyboard is used, this wouldn't have happened. Many wallets should not be used.

un_rank
May 01, 2022, 12:25:36 PM
 #2

This is a huge risk posed by those companies that monitor user information and having a virtual keyboard would greatly help to reduce the risk posed. Do you have a list of wallets that support virtual keyboards?

There's an additional risk of keyloggers being used. This could be a hardware or software which effectively monitors keys punched in a computer through several means, and can send this information to a third party which can lead to an exploitation. The risk becomes worse when you consider that hardware keyloggers can be built in on a keyboard you purchase online and used to monitor your activities.

It's important to do proper research before purchasing and using any piece of hardware.
Also, disable any permission which allows a software provider to monitor your activities.

Cookdata
May 01, 2022, 12:26:10 PM
Merited by Coyster (1)
 #3

Quote from: _act_
If a seed phrase is stolen if another person got hold of the person that uses his device as wallet, this cannot be commonly successfully done, but if it is done and the wallet is compromised this way, should we blame it on the word predictor or should we blame it on wallets that do not bring out virtual keyboard. I believe if virtual keyboard is used, this wouldn't have happened. Many wallets should not be used.

I'll blame it on the user for creating a wallet on a mobile device. Hardware wallets have been around for a while, and as part of the security measures for holders to accept the use of hardware wallets has been one of the problems that have been solved. Word suggestions aren't just the only problems with mobile wallets, there is the possibility that you may get attacked by keyloggers and malware that can change anything you copy, it could be an address.

I've tested some software wallets and can state that some developers do deactivate this word prediction, as well as the ability to copy and paste recovery phrase/seed, but looking at all of this, it's very simple to fall victim to a wallet breach, that is why hardware wallets don't have these issues.

o_e_l_e_o
May 01, 2022, 12:34:39 PM
 #4

There have been plenty of cases of seed phrases being stolen after being typed in to a phone, even with a virtual keyboard. There are plenty of malicious apps out there which will capture your keyboard entries or your screen and send that off to an attacker. I've read reports of users who installed some emoji pack or similar keyboard customization which had a keylogger embedded in it.

Whenever you generate a wallet on a mobile wallet or enter a seed phrase on any mobile device, you should consider the security of that seed phrase to be very low. You should only be using mobile wallets for small amounts of coins you need immediate access to when you are away from home, and absolutely not for storing large amounts of funds. Consider anything in a mobile wallet analogous to hard cash you carry around in your pocket - you might carry around $100 in cash, but you are not going to carry around $10,000 in cash. This amount of coins belongs in a hardware wallet or cold storage, not in a mobile wallet.
Ketesnuko
May 01, 2022, 01:28:50 PM
 #5

It's why using a third party keyboard is wrong, if you are using a Xiaomi phone make sure you stick with the keyboard that comes with this phone or risk getting your recovery seed stolen, after installing any third-party keyboard you will always get a warning that your words will be saved probably into cloud, this is wrong.

Lucius
May 01, 2022, 02:29:03 PM
 #6

Quote from: Cookdata
I'll blame it on the user for creating a wallet on a mobile device. Hardware wallets have been around for a while, and as part of the security measures for holders to accept the use of hardware wallets has been one of the problems that have been solved.

If you want a mobile wallet, you have to create it somehow, and this is not a problem if we are aware that such a wallet is extremely vulnerable and should not be used to store any major values. Given how the average user treats the security of their computer, smartphones are even lower on that list of priorities, and this should always be kept in mind.

HWs that can be connected to smartphones (wireless or via cable) is one of the choices as we can further protect ourselves while on the go and we need a crypto wallet. Of course, the question will always be whether it is smart, but with the fact that we can have two independent HWs, we can have multiple protected accounts on the same device in case a physical attack occurs or we lose the wallet.

Welsh
May 01, 2022, 02:48:56 PM
Last edit: May 01, 2022, 03:15:09 PM by Welsh
 #7

Yeah, avoid virtual keyboards, although I personally wouldn't touch the default keyboard (unless replacing it for an open source version) i.e. installing addon packs or emojis. Also, disable any sort of feature that can predict or memorise your words. I don't use phones as a way of storing Bitcoin, but I don't have the prediction text on either way for this exact reason. Delete your personal dictionary, and get rid of anything that's collecting your data.

Also, on a side note, I'd be looking for an alternative to Gboard if you're entering anything sensitive on it. I'd seek an open source alternative that you can verify yourself. This is mainly from a privacy standpoint, as I'm sure a lot of people rely on Google products, although if you don't want them using your data to serve you cryptocurrency apps, in my mind it'll be worth seeking the alternative.
jrrsparkles
May 01, 2022, 02:52:31 PM
 #8

I know the risk of using default keyboard whenever we are using it for entering passwords or more important like while logging into our bank accounts, entering private keys of cryptocurrency wallets but most wallets provide virtual keyboard even they don't allow copy paste of the entries in it but yeah this is important advice and warning for someone who doesn't know it.









Outhue
May 01, 2022, 03:16:23 PM
 #9

This is why I hate importing my recovery seed after uninstalling, I don't always like it because you have to type it out into the new wallet, there are wallets that only require you to pick the recovery seed on the screen to verify you wrote down the correct seed, those wallets' devs know what they are doing.

acroman08
May 01, 2022, 09:56:01 PM
 #10

I guess members who constantly use their phones when dealing with cryptocurrency should be taking notes or at least be more cautious, especially the people who have just recently started with cryptocurrency.

Quote from: Ketesnuko
It's why using a third party keyboard is wrong, if you are using a Xiaomi phone make sure you stick with the keyboard that comes with this phone or risk getting your recovery seed stolen, after installing any third-party keyboard you will always get a warning that your words will be saved probably into cloud, this is wrong.

Yep, and other than your recovery seed being at risk, other important information like password, personal information, etc... would also be at risk.

JeromeTash
May 01, 2022, 09:59:46 PM
 #11

Quote from: Outhue
This is why I hate importing my recovery seed after uninstalling, I don't always like it because you have to type it out into the new wallet, there are wallets that only require you to pick the recovery seed on the screen to verify you wrote down the correct seed, those wallets' devs know what they are doing.

From what I know, some wallets base on the standard English dictionary, which is a group of words that you should enter minus misspelling any of them. So the words that appear on the screen do not actually mean the person who created the non-malicious wallet (dev) knows what your seeds are, it (the wallet software) is simply suggesting to you the next possible word based on the first letters you typed.

If you want to prove this, download a truly open source wallet like Electrum and try importing your seed to the wallet minus any internet connectivity. The wallet will still try to suggest to you the words. How is the dev going to know what you just typed in, minus any internet connectivity?

hatshepsut93
May 01, 2022, 11:34:23 PM
 #12

All such problems can be solved by using cold storage, which everyone should do either with a hardware wallet or an airgapped PC. Smartphones or online computers should only hold small amounts that could be afforded to get lost.

As for this particular problem, you can import master private key via QR code in certain wallets like Electrum, that shouldn't leave any trace on your smartphone.

mk4
May 02, 2022, 02:45:12 AM
 #13

Quote from: Cookdata
I'll blame it on the user for creating a wallet on a mobile device. Hardware wallets have been around for a while, and as part of the security measures for holders to accept the use of hardware wallets has been one of the problems that have been solved.

Partly true, because there's nothing wrong with using a hot wallet (for a small minority of your holdings, of course) if you need bitcoin/crypto to be easily accessible when you're out and about.

libert19
May 02, 2022, 02:59:10 AM
 #14

I used to use SwiftKey years ago prior to Microsoft's acquisition, nothing comes close to it in terms of word prediction - it's like privacy or comfort. You could type without even pressing a single letter.

mk4
May 02, 2022, 03:38:40 AM
 #15

Quote from: libert19
I used to use SwiftKey years ago prior to Microsoft's acquisition, nothing comes close to it in terms of word prediction - it's like privacy or comfort. You could type without even pressing a single letter.

Very very handy when it comes to chatting and typing (though most keyboard apps already have this feature afaik), very bad in terms of privacy (it obviously uses predictive text and stores stuff in their database).

o_e_l_e_o
May 02, 2022, 08:31:04 AM
 #16

Quote from: JeromeTash
So the words that appear on the screen do not actually mean the person who created the non-malicious wallet (dev) knows what your seeds are, it (the wallet software) is simply suggesting to you the next possible word based on the first letters you typed.

The problem isn't with the keyboard auto-completing the word which you are typing (which is possible for all BIP39 words after a maximum of 4 characters have been entered, since the first 4 characters of every BIP39 word are unique), but rather with it automatically suggesting the next word in your seed phrase based on what you have previously entered. Someone else who has access to your phone (physically or who can remotely access your phone's memory and copy your custom dictionary) can simply start entering words on the BIP39 wordlist one by one until your phone starts suggesting another BIP39 word, and then another, and then another, and then they have your entire seed phrase.
Pmalek
May 02, 2022, 09:24:00 AM
 #17

I think I have turned all those predictive text suggesting thingies off when I initially set up my phone. But I just wanted to test it out on two different mobile wallets to see what will happen.

I used Electrum mobile and Coinomi since they are installed on my phone already.

Electrum gives you a 12-word seed. You have to write it down because the wallet doesn't allow you to copy-paste and save the words digitally.
For verification, the wallet displays a virtual keyboard. All good. The only time you use your phone's standard keyboard is when you set up a password.

Coinomi is a bit different. It generates 24-word seeds and the app gives you an option to copy and paste these words during the wallet creation process. Not good. When you want to verify the seed, you don't have to type them in. Instead, the wallet displays all of the words randomly and you have to click on them and place them in the correct sequence. The password is also typed in using the phone's standard keyboard.

In both cases, I wasn't able to get the phone to predict the seed. I tried typing them into Viber one by one, but nothing. I typed the seed words as my password using the phone's standard keyboard. Went back to Viber, but no text predictions. 
It would be good if the article mentioned a few wallets without a virtual keyboard that could be vulnerable to this.

o_e_l_e_o
May 02, 2022, 09:29:29 AM
 #18

Quote from: Pmalek
I think I have turned all those predictive text suggesting thingies off when I initially set up my phone. But I just wanted to test it out on two different mobile wallets to see what will happen.

If you've turned predictive text and similar off, then this kind of attack will be impossible on your phone.

Quote from: Pmalek
Coinomi is a bit different. It generates 24-word seeds and the app gives you an option to copy and paste these words during the wallet creation process. Not good.

Ugh! One more reason to add to the list of reasons of why Coinomi is an awful wallet to choose.

Quote from: Pmalek
I typed the seed words as my password using the phone's standard keyboard.

Most (all?) phones automatically disable predictive text in password fields, for obvious reasons.
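
What "deactivating word prediction" on a seed field looks like from the wallet developer's side on Android, as an added example that is not part of the thread and not any wallet's actual code. `SeedEntryActivity` is a hypothetical class name, and every flag below is a request that the installed keyboard app may or may not honor.

```kotlin
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.text.InputType
import android.view.ActionMode
import android.view.Menu
import android.view.MenuItem
import android.view.View
import android.view.WindowManager
import android.view.inputmethod.EditorInfo
import android.widget.EditText

// Hypothetical activity name; a real wallet would inflate its own layout.
class SeedEntryActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Keep this window out of screenshots and off non-secure displays
        // (the screen-capture risk raised in post #4).
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        val seedField = EditText(this)
        hardenSeedField(seedField)
        setContentView(seedField)
    }

    private fun hardenSeedField(field: EditText) {
        // NO_SUGGESTIONS asks the keyboard not to offer suggestions;
        // VISIBLE_PASSWORD marks the content as a secret while leaving the
        // characters readable so the user can check each word.
        field.inputType = InputType.TYPE_CLASS_TEXT or
            InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS or
            InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // API 26+: ask the keyboard not to add what is typed here to its
            // personal dictionary or prediction history.
            field.imeOptions =
                field.imeOptions or EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING
            // Keep autofill services from offering to save the field.
            field.importantForAutofill = View.IMPORTANT_FOR_AUTOFILL_NO
        }

        // No long-press menu, so no copy/cut/paste through the clipboard.
        field.isLongClickable = false
        field.customSelectionActionModeCallback = object : ActionMode.Callback {
            override fun onCreateActionMode(mode: ActionMode?, menu: Menu?) = false
            override fun onPrepareActionMode(mode: ActionMode?, menu: Menu?) = false
            override fun onActionItemClicked(mode: ActionMode?, item: MenuItem?) = false
            override fun onDestroyActionMode(mode: ActionMode?) {}
        }

        // All of the above are requests to the keyboard app. A keyboard that
        // ignores them can still learn the words, which is why some wallets
        // draw their own keyboard or word picker instead of using the system one.
    }
}
```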
ABCbits
May 02, 2022, 09:49:29 AM
Merited by _act_ (1)
 #19

Quote from: _act_
If a seed phrase is stolen if another person got hold of the person that uses his device as wallet, this cannot be commonly successfully done, but if it is done and the wallet is compromised this way, should we blame it on the word predictor or should we blame it on wallets that do not bring out virtual keyboard. I believe if virtual keyboard is used, this wouldn't have happened. Many wallets should not be used.

I disagree with idea to avoid wallet without its own virtual keyboard. User always could use different keyboard which doesn't collect user data or at least have option to disable predictive feature. I would recommend AnySoftKeyboard[1] for most people and Simple Keyboard[2] for those who only need most basic feature.

[1] https://anysoftkeyboard.github.io/
[2] https://github.com/rkkr/simple-keyboard

crwth
May 02, 2022, 10:20:51 AM
 #20

That will be a problem for people who will have no idea that it could be used like that. It's still hard to predict the right words and the correct order, but already having initial possible words is scary. I stay away from mobile wallets and retyping them to the app itself.

I remember that you only select the words anywhere in the app, correct? Like it will show you the seed you have and just click it. So it won't be typed anymore.
