Hardware wallet FUD (nonce attacks, unofficial firmware, etc)

[Pnigro]

Hi everyone,

One of the main reasons I love Bitcoin is having peace of mind knowing that my money is safe.

Throughout the years, I have gone from using closed source hot wallets like Coinomi to using hardware wallets, running my own node and generating my own seed using dice.

Lately I've seen several users on Twitter that oppose hardware wallets heavily. They claim that the wallet manufacturers can eventually rugpull everyone and there's nothing we can do about it.

The argument is that there is no way for users to know that the firmware signed by the maker is the one that is actually running on the device (only that the device claims that its running that).

In addition to that, we might be leaking our private keys through our signatures because of malicious nonce generation. This means that everything appears to be fine to the user, but the attacker can scan the blockchain for signatures generated using these nonces and could potentially figure out our private keys. This is explained here: https://shiftcrypto.ch/blog/anti-klepto-explained-protection-against-leaking-private-keys/ and here: https://medium.com/blockstream/anti-exfil-stopping-key-exfiltration-589f02facc2e

I am no expert in these topics so this is why I came here.

Are these worries warranted? What are the chances of losing our bitcoin even if we do everything right: buying the wallet from official website, running our own node, generating our own seed, checking app signatures, etc.

If all of this is true and COLDCARD can suddenly rugpull everyone, what hope does Bitcoin have?

If using Bitcoin Core on an airgap device with Linux is what's needed to keep your money safe, how will this ever be adopted globally?

Are these FUDers being overly paranoid? Or are we all dumb for trusting hardware wallet companies?

[1715156315]

1715156315

[1715156315]

1715156315

[1715156315]

1715156315

[1715156315]

1715156315

[NotATether]

In addition to that, we might be leaking our private keys through our signatures because of malicious nonce generation. This means that everything appears to be fine to the user, but the attacker can scan the blockchain for signatures generated using these nonces and could potentially figure out our private keys. This is explained here: https://shiftcrypto.ch/blog/anti-klepto-explained-protection-against-leaking-private-keys/ and here: https://medium.com/blockstream/anti-exfil-stopping-key-exfiltration-589f02facc2e

As I explain here, you only need to make sure the same nonce is not being reused and the nonce is not being generated deterministically - somebody might be able to crack open the ARM firmware of those hardware wallets and look for the relative lines to check - I'm an x86 buff and not an ARM one so I can't give advice on what specifically to look for, but if you don't see any syscalls to some random bytes function then that is a warning sign because that means the nonce isn't being generated from random bytes.

[NeuroticFish]

Are these FUDers being overly paranoid?

In theory, indeed, there can be problems with HW - from things not implemented good enough to actual malicious intentions, especially in the case of closed source ones.
But in reality nothing has happened for so long, we can pretty much tell they've passed the test of time and, as you said, those calls are overly paranoid.

However, a new trend seems to be to be wary with the classical hardware wallets and go for devices like SeedSigner, where everything is open source (and you can even assemble it yourself). But this doesn't mean the HW are unsafe; as I said, they've passed the test of time and the companies seem to indeed care more to sell their hardware (and keep a good name) than stealing from people.

[mindrust]

If you are going to just "hold", all you need is a piece of paper and a pen. Write down your keys/seed and here you have the most secure bitcoin wallet in the world.

If you are going to spend/send/receive coins every once in a while, then you need a linux PC with electrum (preferred) or bitcoin core. This route is also very safe.

I never get the idea of a hardware wallet. It is a business which solves a non-existing problem.

-Write down your name.
+But I don't have a pen.
-That's right mother fucker, I sell pens, now buy it.

^ Pretty much how it works with HW wallets.

A sensible person would have said:

"Why the fuck would I write down my name? Fuck off!"

*Btw you need a pen to write down your private keys.

[Pnigro]

If you are going to spend/send/receive coins every once in a while, then you need a linux PC with electrum (preferred) or bitcoin core. This route is also very safe.

I never get the idea of a hardware wallet. It is a business which solves a non-existing problem.

The idea of a hardware wallet is to make it easier for non-technical people to use Bitcoin without exposing their private keys to the internet.

I have taught several friends how to use them and they learn quickly.

The same cannot be said with using Electrum or Bitcoin Core on an airgapped Linux computer. I can picture my wife's face while trying to learn this, she would be like "This is too much for me".

[mindrust]

If you are going to spend/send/receive coins every once in a while, then you need a linux PC with electrum (preferred) or bitcoin core. This route is also very safe.

I never get the idea of a hardware wallet. It is a business which solves a non-existing problem.

The idea of a hardware wallet is to make it easier for non-technical people to use Bitcoin without exposing their private keys to the internet.

I have taught several friends how to use them and they learn quickly.

The same cannot be said with using Electrum or Bitcoin Core on an airgapped Linux computer. I can picture my wife's face while trying to learn this, she would be like "This is too much for me".

You can use electrum or a similar open source wallet on your iphone/android device too. It is not rocket science. They are pretty safe too. (not as safe as a linux pc but i would say pretty close)

If a person can't figure out how to use electrum, he shouldn't be using bitcoin anyway.

Bitcoin has an intelligence barrier. It is not for the absolute stupid.

[crwth]

If we are security conscious, we are looking for something that would help our case with the problems that might occur when we are trying to use exchanges wallets or something. We all want to have that "our keys, our coins" mantra in our lives.

Providing air-gapped computers would be more expensive and a hassle than a hardware wallet. It would help if you made sure of the official site where you are getting your devices because this is where hackers can step in. I believe you need to be still careful every step because that's where they usually strike.

You know that the private keys won't leave your device, that's on HW, and that's the practice. It's a little secure device made for that specific purpose, and I think trusting the right companies that deliver exemplary service is crucial.

It's not overly paranoid, but it should still be investigated if there's something sketchy about it.

[Pnigro]

You can use electrum or a similar open source wallet on your iphone/android device too. It is not rocket science. They are pretty safe too. (not as safe as a linux pc but i would say pretty close)

So, in your opinion, an open source wallet on iphone/android is as safe (or safer) than a hardware wallet?

[mindrust]

You can use electrum or a similar open source wallet on your iphone/android device too. It is not rocket science. They are pretty safe too. (not as safe as a linux pc but i would say pretty close)

So, in your opinion, an open source wallet on iphone/android is as safe (or safer) than a hardware wallet?

Nope. In my opinion hardware wallets make no sense to use. Completely unnecessary.

If you are going to hold, use a piece of paper.

If you are going to spend, use your phone.

If you are going to trade, well the exchange does the holding for you.

There isn't any need for a hw wallet in any of these situations.

[Pnigro]

You can use electrum or a similar open source wallet on your iphone/android device too. It is not rocket science. They are pretty safe too. (not as safe as a linux pc but i would say pretty close)

So, in your opinion, an open source wallet on iphone/android is as safe (or safer) than a hardware wallet?

Nope. In my opinion hardware wallets make no sense to use. Completely unnecessary.

If you are going to hold, use a piece of paper.

If you are going to spend, use your phone.

If you are going to trade, well the exchange does the holding for you.

There isn't any need for a hw wallet in any of these situations.

Ok, let's say a non-technical person (like the vast majority of people) wants to buy $25k in Bitcoin and hold it for 5 years.

What would be your recommendation to this person?

1) Install a mobile app on his phone, generate a seed, back up the seed, receive the bitcoin and then uninstall the app.

2) Learn how to install Linux and a wallet like Electrum or Sparrow and use that to generate the seed and receiving address.

3) Other (specify)

[dkbit98]

If all of this is true and COLDCARD can suddenly rugpull everyone, what hope does Bitcoin have?

You are watching to much sci-fi movies and Coldcard has nothing to do with someone having hope for Bitcoin, it's just nonsense.

First, you have hardware wallets with open source firmware code so anyone can inspect and see what is happening, there are no hidden stuff for Trezor, Codlcard, Keystone, Passport, etc.
For Trezor you can even identify all hardware components and make your own DIY device, but they are also working on new prototype secure element chip, that should improve security a lot.
Coldcard is not exactly open source anymore, but you can still verify it's code and I don't think it's dangerous to use it, unless some major bug happens.
Closed source hardware wallets like Ledger, Safepal, etc are much more dangerous, and you could never know if they have some secret junk inside, so I would stay away from them.

Speaking about open source firmware, you should be aware that almost all laptops and computers have closed source bios, so it's much bigger chance of something leaking from there, unless you have coreboot or something like that.
Intel and AMD are constantly sending information and they have whole hidden mini operating system inside with Intel Management and AMD equivalent.
Now, keeping laptop offline can help, but it's not perfect protection at all.

[n0nce]

The argument is that there is no way for users to know that the firmware signed by the maker is the one that is actually running on the device (only that the device claims that its running that).

That's wrong; you flash the device yourself using the firmware downloaded and verified from the website whenever you update it, actually. So every time you do, you re-verify that everything's fine.

There's one more step: verifying that the firmware actually comes from the source code in the repository.
That's something you can do yourself and any legit hardware wallet manufacturer should give instructions how to do so.
The fine people at https://walletscrutiny.com/ do this regularly for a whole bunch of wallets, in case you're uncomfortable doing it yourself.

The last step is verifying that the source code is good, this is extremely important as well. But that's the case for any wallet, software or hardware.

Are these worries warranted? What are the chances of losing our bitcoin even if we do everything right: buying the wallet from official website, running our own node, generating our own seed, checking app signatures, etc.

It depends on the wallet. Closed-source wallets and non-verifiable open-source wallets? Not unlikely. Open-source, verifiable wallets? Less so.
With everything else being fine, there remains the risk of a new codebase not having been analyzed and attacked enough yet to know that it's safe and secure.

If all of this is true and COLDCARD can suddenly rugpull everyone, what hope does Bitcoin have?

Bitcoin doesn't care about a single hardware wallet manufacturer.

Are these FUDers being overly paranoid? Or are we all dumb for trusting hardware wallet companies?

Again, depends on the device.
I wouldn't trust anything that's closed source firmware (like Ledger or Square's device), and I much prefer if the hardware is open-source and auditable, as well.

[Pnigro]

The argument is that there is no way for users to know that the firmware signed by the maker is the one that is actually running on the device (only that the device claims that its running that).

That's wrong; you flash the device yourself using the firmware downloaded and verified from the website whenever you update it, actually. So every time you do, you re-verify that everything's fine.

Interesting.

Is this flashing you talk about done by the official hardware wallet app? (BitBox App, Trezor Suite, etc)

Or is this something I need to do separately myself?

[DaveF]

....
Nope. In my opinion hardware wallets make no sense to use. Completely unnecessary.

If you are going to hold, use a piece of paper.

If you are going to spend, use your phone.

If you are going to trade, well the exchange does the holding for you.

There isn't any need for a hw wallet in any of these situations.

For you....For others it's a different story.

Hot wallet on my phone a few hundred dollars of crypto at most. Or, as I like to say, the phone is worth more then the crypto on it.
Warm wallet, under $2500 but that much would suck to loose so although it's on an internet connected PC it's needs a hardware wallet to sign / send.
Cold wallet. 2 of 3 mutisig in separate locations that all have live physical security and single pass-though man-traps.

The argument is that there is no way for users to know that the firmware signed by the maker is the one that is actually running on the device (only that the device claims that its running that).

That's wrong; you flash the device yourself using the firmware downloaded and verified from the website whenever you update it, actually. So every time you do, you re-verify that everything's fine.

Interesting.

Is this flashing you talk about done by the official hardware wallet app? (BitBox App, Trezor Suite, etc)

Or is this something I need to do separately myself?

Depends on the particular wallet. There is no 1 answer.

-Dave

[n0nce]

Or is this something I need to do separately myself?

You do it yourself; how it's done depends on the wallet, but on the Passport you just put the file you've downloaded and verified, on a microSD and then insert it and start the update process on the wallet.

BitBox and Trezor are done through their software if I remember correctly.
But you're supposed to verify the wallet software, too, of course.

[DireWolfM14]

The argument is that there is no way for users to know that the firmware signed by the maker is the one that is actually running on the device (only that the device claims that its running that).

That's wrong; you flash the device yourself using the firmware downloaded and verified from the website whenever you update it, actually. So every time you do, you re-verify that everything's fine.

Interesting.

Is this flashing you talk about done by the official hardware wallet app? (BitBox App, Trezor Suite, etc)

Or is this something I need to do separately myself?

I wrote a guide on how to verify Electrum, most hardware client-software such as Trezor Suite can be verified the same way.  As n0nce mentioned, the firmware for the Trezor (for example) is updated through the Trezor Suite client, which of course should be verified before it is used to update firmware.

Other vendors may do things a bit differently, for example the ColdCard hardware wallet verifies the firmware itself before installing it.  When upgrading the firmware on a ColdCard, you download it and store it on mSD card, and then load the mSD card into the hardware wallet.  Once you start the upgrade process the firmware is verified by the device before it's installed.

[o_e_l_e_o]

Ok, let's say a non-technical person (like the vast majority of people) wants to buy $25k in Bitcoin and hold it for 5 years.

What would be your recommendation to this person?

1) Install a mobile app on his phone, generate a seed, back up the seed, receive the bitcoin and then uninstall the app.

Absolutely not. Most mobile wallets are either closed source or non reproducible, which is a complete non-starter. Even if you choose and open source one and verify it or even better build it yourself, you are still installing it and generating your seed phrase on an insecure device with internet access. Such a set up should be used for a few hundred bucks worth of bitcoin at most, and certainly not $25k.

2) Learn how to install Linux and a wallet like Electrum or Sparrow and use that to generate the seed and receiving address.

This is a good option. You should ideally use an old computer or laptop for this that you can dedicate for this purpose only and never again use for anything else. It should remain permanently airgapped and should be completely formatted before you start.

3) Other (specify)

1 - A good hardware wallet.
2 - A paper wallet, although you still need the same steps of a completely formatted and permanently airgapped device as above to generate the paper wallet safely.

[Pmalek]

It basically boils down to trust in one way or the other. You can verify the installation binaries, signatures, and firmware, and that will tell you that they are signed by the right people and originate from the official teams behind those wallets. And then what? How many people actually know what the open-source code does and check to make sure the developers didn't insert something malicious or made an unintentional mistake? 1/10? More likely 1/100 do that.

The rest of us mere mortals are stuck trusting that nothing malicious has happened and that those 1/100 that know what they are doing have done their jobs properly. The system is generally working quite well for popular open-source projects with significant communities. But all it takes is one intentional/unintentional mistake for it all to crumble. Hopefully, that'll never happen. That's why most people can't do much then rely on trust despite the saying: "verify, don't trust."

[mindrust]

You can use electrum or a similar open source wallet on your iphone/android device too. It is not rocket science. They are pretty safe too. (not as safe as a linux pc but i would say pretty close)

So, in your opinion, an open source wallet on iphone/android is as safe (or safer) than a hardware wallet?

Nope. In my opinion hardware wallets make no sense to use. Completely unnecessary.

If you are going to hold, use a piece of paper.

If you are going to spend, use your phone.

If you are going to trade, well the exchange does the holding for you.

There isn't any need for a hw wallet in any of these situations.

Ok, let's say a non-technical person (like the vast majority of people) wants to buy $25k in Bitcoin and hold it for 5 years.

What would be your recommendation to this person?

1) Install a mobile app on his phone, generate a seed, back up the seed, receive the bitcoin and then uninstall the app.

2) Learn how to install Linux and a wallet like Electrum or Sparrow and use that to generate the seed and receiving address.

3) Other (specify)

Learning how to install linux mint is not harder than learning how cook by watching youtube videos. Tbh you don't even need linux. A clean windows install would do.

All you need to do is clicking "next next next next" and everything will be there.

Generate seeds and write down them on a piece of paper and its done.

Easier than boiling an egg.

[dkbit98]

Learning how to install linux mint is not harder than learning how cook by watching youtube videos. Tbh you don't even need linux. A clean windows install would do.

There is not such a thing as a clean windows install, it's always dirty and complicated  
Installing Linux is now much more easier then it was few years ago, and you probably don't need to install any additional drivers for your hardware, so it's quicker process than for wiNd0ws.
Instead of Linux Mint I would choose Fedora Linux in 2022.

Back to hardware wallet topic, some of this devices are not allowing installation of unofficial firmware and they need to be signed, like in case with Keystone, and maybe Passport (not sure).
I think that for Trezor you can install any firmware you want, even create your device with custom firmware, but risk is that you can lose all your coins if you don't know what you are doing.