Firmware Upgrades for Hardware wallets their weakness?

[Kakmakr]

Do you think constant Firmware upgrades on hardware wallets are their weakness? I have gone through some firmware upgrades for some hardware wallets (Ledger) and I have to say for someone with good technical knowledge, it was not a good experience. 

The normal handling of the hardware wallet and the software is not that technical, but still a daunting task for people that are not that technical. (Thinking about the transition from the Ledger browser plugin for Chrome ..to the Ledger App) 

What can be done to improve the firmware upgrade for these devices ...to make it "Idiot Proof" ? What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

[1715328379]

1715328379

[1715328379]

1715328379

[1715328379]

1715328379

[1715328379]

1715328379

[1715328379]

1715328379

[Pmalek]

Do you think constant Firmware upgrades on hardware wallets are their weakness? I have gone through some firmware upgrades for some hardware wallets (Ledger) and I have to say for someone with good technical knowledge, it was not a good experience. 

If we are talking about Ledger, it was worse in the past, now it's easy-peasy. Everything is complete without the user having to disconnect the wallet from the USB cable. In the past, you had to press and hold the buttons, then let go of one button while you connect/disconnect.

What can be done to improve the firmware upgrade for these devices ...to make it "Idiot Proof" ?

Talking about Ledger again. I would say they already are. It's just like an installation of any other software. A few clicks on the 'Yes' and 'Next' buttons and you are done.

What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

You can buy any other hardware wallet and recover your accounts from seed. If they use the same derivation paths for your coins, even better. If not, you might have to recover the seed in a software wallet to modify the derivation paths. You should of course secure your Bitcoin before you go meddling with software wallets for altcoins.

[DaveF]

ColdCard feels to me to be idiot proof, but there will always be someone who can come along and screw up a process that should be impossible to screw up.
Pmalek is correct in the fact that if you have your seed you should be fine. But the time and effort and stress in recovering is a thing as is the expense of buying a new wallet.

I have not heard of any failures that bricked a device but I have not looked that hard.

Another thing to keep in mind that unless the firmware fixes some glaring vulnerability or adds a feature you must have, then you can probably skip doing them.

I have 2 HW wallets, one I use for my warm funds, that one is up to date. One is for long term cold storage, not updated or plugged in for a couple of years now.

-Dave

[Pmalek]

Another thing to keep in mind that unless the firmware fixes some glaring vulnerability or adds a feature you must have, then you can probably skip doing them.

Exactly. The newest Ledger Nano S firmware is 2.1.0 if I remember correctly. It introduces the needed support and necessities for Taproot. Other than that, it doesn't fix anything urgent or improve the user experience. Unless you want to use Taproot addresses with your Ledger HW, you don't need to perform the upgrade. It also decreases the already very limited internal storage of the device.   

[dkbit98]

Do you think constant Firmware upgrades on hardware wallets are their weakness? I have gone through some firmware upgrades for some hardware wallets (Ledger) and I have to say for someone with good technical knowledge, it was not a good experience.

Yes I think it's a big weakness, especially if hardware wallet firmware is closed source like in case with ledger devices.
In this case you would need to fully trust developers to be honest, and won't make any mistakes that could allow hackers to steal your coins.
With open source wallets you can always verify the changes, and other developers can do the same reporting some potential issues on time.

The normal handling of the hardware wallet and the software is not that technical, but still a daunting task for people that are not that technical. (Thinking about the transition from the Ledger browser plugin for Chrome ..to the Ledger App) 

I don't think ledger browser extension is working anymore, but they desktop app is also bad and having lot of issues with showing incorrect balances.
You can however use third party open source wallets like Electrum with ledger, to make things a bit easier.

What can be done to improve the firmware upgrade for these devices ...to make it "Idiot Proof" ? What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

You can't do anything with black boxes like ledger, but you can change hardware wallet and get one that is open source like Passport, Bitbox, Keystone or Trezor.
Alternative option is to make your own DIY signing device like SeedSigner using general hardware like Raspberry PI Zero.

[BitMaxz]

Exactly. The newest Ledger Nano S firmware is 2.1.0 if I remember correctly. It introduces the needed support and necessities for Taproot. Other than that, it doesn't fix anything urgent or improve the user experience. Unless you want to use Taproot addresses with your Ledger HW, you don't need to perform the upgrade. It also decreases the already very limited internal storage of the device.   

Actually, it's not always good to upgrade the ledger firmware from time to time if it's not needed unless you need the additional feature or if it's related to a vulnerability issues you should upgrade it to fix those issues.
 
Sometimes hardware wallets can be soft bricked after upgrading I heard many times on some people out there happen to them and only a few people fixed their hardware wallet.

[n0nce]

You could phrase it like this: 'the fact that hardware wallets need to be kept up to date can be considered a systemic weakness [compared to a system that is cryptographically secure like an offline-generated cold storage seed with passphrase]'.

But the fact that you do get upgrades is definitely not a weakness; actually, I'd stop using a hardware wallet if the manufacturer drops support and stops working on the code, looking for bugs and fixing them, as well as fixing reported bugs and vulnerabilities. Providing software upgrades that keep the device secure and state-of-the art is essential to make sure your funds are secure against the latest attacks and exploits.

However, there remains the risk of malicious firmware update binaries and closed-source or non-reproducible builds. This allows the manufacturer or a middleman to give you a malicious (e.g. deanonymizing) firmware without you noticing; if however you have open source and a verifiable build, that provably comes from the supplied codebase, it reduces such risk.

Regarding usability for newbies, as was mentioned before, hardware wallets as a whole have come a long way. You also get clear and concise instructions from the manufacturer on how to verify the hash and signature of the image file. Reboots and complicated keypress combinations aren't needed on the last few devices I've come across. Passport, for instance, just requires you to put the file on a supplied microSD card and plug it into the device.

[Pmalek]

if however you have open source and a verifiable build, that provably comes from the supplied codebase, it reduces such risk.

Good choice of words. I am glad you used that construction because that's exactly the way it is. Someone else might have said that if you use open-source software with verifiable builds, there is no risk or you are absolutely safe due to the publicly available code.

The more popular the wallet is, the more user it has, and the more security experts verify every single piece of code, the lower is the possibility that the developers would get away with trying to introduce a backdoor or other type of vulnerability. Or if they just overlooked something by mistake which could have negative consequences. On the other hand, if the wallet is unpopular, it might take weeks or even months before someone discovered that something is off with the most recent update.     

[m2017]

Do you think constant Firmware upgrades on hardware wallets are their weakness? I have gone through some firmware upgrades for some hardware wallets (Ledger) and I have to say for someone with good technical knowledge, it was not a good experience.

Yes I think it's a big weakness, especially if hardware wallet firmware is closed source like in case with ledger devices.
In this case you would need to fully trust developers to be honest, and won't make any mistakes that could allow hackers to steal your coins.
With open source wallets you can always verify the changes, and other developers can do the same reporting some potential issues on time.

Perhaps this is a big weakness, but for the average user (most of them will be) it doesn't matter if the source code is open or closed, because he will not be able to read the code or changes to it. In the case of a closed source code, you will have to trust hardware wallet developers, and if the source code is open, then you need to trust independent developers and enthusiasts who check the code and changes. In both cases, ordinary users are forced to believe completely strangers. I think it looks like a religion. There, too, "users" can't check anything themselves and they can only "believe" in one or another confession.

Another important fact. People who buy HWs want to make a minimum of gestures: they bought a device, threw crypto into it, and use this device as needed. Will most of them follow the news and technical blogs where independent developers will post their research into the open source of HW? Even if a vulnerability is found in the code, such users will be the last to know about it after a long time, if at all they become aware of what happened. Until the balance on their device is reset. Therefore, I assume that from the position of an ordinary user, it doesn't matter to him which code is open or closed.

They are more interested in HW appearance and the impact of advertising.

[dkbit98]

But the fact that you do get upgrades is definitely not a weakness; actually, I'd stop using a hardware wallet if the manufacturer drops support and stops working on the code, looking for bugs and fixing them, as well as fixing reported bugs and vulnerabilities. Providing software upgrades that keep the device secure and state-of-the art is essential to make sure your funds are secure against the latest attacks and exploits.

Unless they are only making more mess with new upgrades by adding new worthless shitcoin support that only make upgrade bigger in size and more buggy in time.
I would understand if they are doing this for bitcoin only firmware, but you won't have so much updates with this, except maybe Taproot support or something like that.
There is also a danger of bricking your device during hardware wallet, and I saw several reports that this happened to ledger wallet owners.

[mk4]

What can be done to improve the firmware upgrade for these devices ...to make it "Idiot Proof" ? What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

I'd say Ledger is already the most "idiot proof" hardware wallet we have right now, with Trezor coming in at a close second. Instead of working to make updating a bit more easier, they should probably just focus on removing unnecessary bloat on the Ledger Live software because it's slowly but surely getting slower and clunkier as time goes.

[Lucius]

I'd say Ledger is already the most "idiot proof" hardware wallet we have right now...

I agree that it can't be simpler than the current process (although I may be wrong), especially if I remember what it was like in the past when some people needed hours (or even days) to complete the firmware upgrade. Some people are quite afraid of this procedure for fear that something will go wrong and that they will lose their coins, although because of such things we have a backup.

What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

Nothing lasts forever, so one should not expect Ledger to always exist. In the event that Ledger stops supporting its devices, anyone who doesn't feel safe will look for an alternative.

[n0nce]

What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)

Nothing lasts forever, so one should not expect Ledger to always exist. In the event that Ledger stops supporting its devices, anyone who doesn't feel safe will look for an alternative.

Yes; you just get a new device and transfer the coins. You can also just trash the old device and import your backed-up seed into a new wallet. I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

[Lucius]

I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

The problem that a lot of people have when it comes to hardware wallets is that they think that the device actually has something like Bitcoin in itself - and they don't realize that a 24-word backup is something far more vulnerable and important than the device itself. In addition, $50 or $100 for such a device is considered too high by most and they think that such a device should last a lifetime - and on the other hand, they buy expensive smartphones and gaming consoles every 2-3 years and do not complain to anyone.

[dkbit98]

I'd say Ledger is already the most "idiot proof" hardware wallet we have right now, with Trezor coming in at a close second. Instead of working to make updating a bit more easier, they should probably just focus on removing unnecessary bloat on the Ledger Live software because it's slowly but surely getting slower and clunkier as time goes.

I would partially agree with you but Trezor is very much different from ledger hardware wallet.
You can install Bitcoin only firmware in Trezor so you won't even notice most of the update noise coming out, and you can't do the same thing with ledger.
I can count Bitcoin-only hardware wallets on my hand, Trezor, BitBox02 and Keystone can do this optionally, than there is Passport, ColdCard, and that's about it.
Worthy mention DIY bitcoin only signing devices are SeedSigner (based on RaspberryPi) and Krux (based on ESP32 devices).

I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

I started to do something similar, and I will keep repeating that seed backup is much more important than device you use.
Signing devices is much better term than hardware wallets, but I think it will be very hard to change that for masses now

[n0nce]

I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

The problem that a lot of people have when it comes to hardware wallets is that they think that the device actually has something like Bitcoin in itself - and they don't realize that a 24-word backup is something far more vulnerable and important than the device itself. In addition, $50 or $100 for such a device is considered too high by most and they think that such a device should last a lifetime - and on the other hand, they buy expensive smartphones and gaming consoles every 2-3 years and do not complain to anyone.

Indeed; the hardware wallet is basically just a convenient way to access and use your seed.
With the cost, I do get that they can be pricey, especially if you don't live in a first-world country; however, in people don't realize how much money they lose to inflation and through buying useless throwaway devices all the time. Or think about laptop / phone storage upgrades; people pay hundreds for those even though they could get away with putting in some time and deleting loads of old data and media they don't need anymore.
Personally, I think even $200 is worth it for a device that can help you securely store and use money amounts larger than its cost by multiple orders of magnitude. But I digress!

I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

I started to do something similar, and I will keep repeating that seed backup is much more important than device you use.
Signing devices is much better term than hardware wallets, but I think it will be very hard to change that for masses now

Interesting; I first heard the term from the SeedSigner guy on Twitter, but it applies more to his product than to the 'real hardware wallets' that actually store the seed internally. I don't know who came up with this distinction (or if it's just my own definition) but just wanted to bring this up, because HW wallets don't just sign. This would be the argument against calling them signers. But they shouldn't be the main means of seed storage either; it's just a feature that makes them more convenient to use (instead of typing in 24 words every time you power them up).

[dkbit98]

Or think about laptop / phone storage upgrades; people pay hundreds for those even though they could get away with putting in some time and deleting loads of old data and media they don't need anymore.
Personally, I think even $200 is worth it for a device that can help you securely store and use money amounts larger than its cost by multiple orders of magnitude.

Just imagine how many people are throwing away over $1000 each year for buying brand new laptop or smartphone...
Most of them would be just fine with good quality older business laptop maybe with upgraded ram and ssd drive, and similar thing could be said for smartphones.
Hardware wallet can last for years and you don't need to upgrade anything, except doing regular firmware updates.
Than again, I recently heard cheap Lenovo laptops had big issue with BIOS exploits that is similar thing like firmware for hardware wallets.... so I could say that BIOS upgrades are weakness for laptops.

Interesting; I first heard the term from the SeedSigner guy on Twitter, but it applies more to his product than to the 'real hardware wallets' that actually store the seed internally.

I think we have the same source of information for this  
SeedSigner is amazing in many ways and they are doing some massive work in this field.

[Welsh]

ColdCard feels to me to be idiot proof, but there will always be someone who can come along and screw up a process that should be impossible to screw up.
Pmalek is correct in the fact that if you have your seed you should be fine. But the time and effort and stress in recovering is a thing as is the expense of buying a new wallet.

Not sure I agree. I think ColdCard is probably one of the more difficult hardware wallets to get a grasp out there. I'd say the Trezor is probably the most user friendlier, especially since they've added the Trezor Suite. Although, personally I do think ColdCard is probably the best option out there for security features, unfortunately that usually does come with added complexity, which I do believe is the case here.

I have 2 HW wallets, one I use for my warm funds, that one is up to date. One is for long term cold storage, not updated or plugged in for a couple of years now.

For the latter, in my mind it would just be a better idea to use Bitcoin Core as a offline wallet. Although, I guess you'll have to download, and verify core, and get it on the machine, so I'm not saying its a terrible idea by any means. However, some hardware wallets have physical threats, that a Bitcoin Core won't necessarily have.

[n0nce]

ColdCard feels to me to be idiot proof, but there will always be someone who can come along and screw up a process that should be impossible to screw up.
Pmalek is correct in the fact that if you have your seed you should be fine. But the time and effort and stress in recovering is a thing as is the expense of buying a new wallet.

Not sure I agree. I think ColdCard is probably one of the more difficult hardware wallets to get a grasp out there. I'd say the Trezor is probably the most user friendlier, especially since they've added the Trezor Suite. Although, personally I do think ColdCard is probably the best option out there for security features, unfortunately that usually does come with added complexity, which I do believe is the case here.

I agree; while it's great for security to have a completely airgapped wallet, messing around with a microSD card is not a great user experience. If it comes to choices for newcomers, I tend to recommend something that works with their preferred hardware. Elderly people often just use a PC or laptop, so something like Trezor is perfect. Younger folks that tend to sometimes not even own a computer, obviously need something that can be interfaced with from the phone they have. So it can be USB (OTG) on Androids, QR codes on any phone with a camera or NFC for the latest devices that have NFC. I was about not to mention NFC though, since similarly to Bluetooth, it's not an interface I'd recommend using due to its hardware-based attack vectors.

[Pmalek]

Just imagine how many people are throwing away over $1000 each year for buying brand new laptop or smartphone...
Most of them would be just fine with good quality older business laptop maybe with upgraded ram and ssd drive, and similar thing could be said for smartphones.

Speaking from personal experience, I have never been a fan of refurbished laptops. I like the speed and smell of new devices and I don't mind splashing out a few grands for a good business laptop that I use for work.
My laptops last 4-5 years, and then they die. It's always the motherboard that is the weak spot in my experience. I have had 3 laptops whose motherboards has failed in my lifetime. Buying a second-hand laptop is not an option for me because they simply aren't as good performance-wise and there is the added risk of hardware failures for outdated components.