Air gapping

[goldkingcoiner]

I think air gapping on a device previously connected to the internet is safe as long as you dont connect to the internet with it again, but I am no expert. But I do have an idea on how it could not be safe...Although I would need feedback on the idea. Again, I am by no means any kind of expert so this might sound dumb:

If you were to use a air gapped computer, could you be vulnerable from connecting a device, like a usb stick, that you use on your gapped computer as well as on a different computer with internet connection? Would that still count as being air gapped or could that potentially be a kind of "trojan horse" delivery mechanism that compromises your security?

In a nutshell: Could malware move sensitive data back and forth between the usb and the connected computers without you being any the wiser?

[1714779749]

1714779749

[1714779749]

1714779749

[1714779749]

1714779749

[1714779749]

1714779749

[1714779749]

1714779749

[o_e_l_e_o]

I think air gapping on a device previously connected to the internet is safe as long as you dont connect to the internet with it again, but I am no expert.

It's not. Your computer could be filled with malware which makes it generate pre-determined seed phrases or use weak entropy when generating new wallets. If you want to airgap a device which has previously been connected to the internet, then you need to format it and install a clean Linux OS.

In a nutshell: Could malware move sensitive data back and forth between the usb and the connected computers without you being any the wiser?

It's rare, but it is certainly possible. Many airgapped devices will use QR codes instead when transferring transactions back and forth in order to avoid this possible attack vector.

[apogio]

If you want to airgap a device which has previously been connected to the internet, then you need to format it and install a clean Linux OS.

Is there any type of malware that infects hardware? From a very short research I have made in the past, I know there are some trojan viruses that damage circuits. Having said that, I would also remove Bluetooth and network card from the device. Or do you think this is an overkill?

[o_e_l_e_o]

Is there any type of malware that infects hardware?

Not sure. There is BIOS malware though.

Having said that, I would also remove Bluetooth and network card from the device. Or do you think this is an overkill?

On the contrary - I think it is mandatory. A software level airgap will never be completely secure, since you are one misclick or one accidental setting change away from re-enabling some form of connectivity and breaking your airgap. A hardware level airgap (i.e. connectivity hardware removed) will always be a safer option.

[apogio]

On the contrary - I think it is mandatory. A software level airgap will never be completely secure, since you are one misclick or one accidental setting change away from re-enabling some form of connectivity and breaking your airgap. A hardware level airgap (i.e. connectivity hardware removed) will always be a safer option.

The only "problem" with airgapping is that it must be permanent as you said. Therefore, it must be dedicated to always being offline, both hardware and software-wise. And the problem with this is that one must buy this device only to use it offline which renders it limited to a small amount of tasks.

I have made the decision to buy a Raspberry Pi Zero which has no WiFi support, nor ethernet port and develop a device where I will generate passhprases and wallets (using electrum probably).

[NeuroticFish]

I have made the decision to buy a Raspberry Pi Zero which has no WiFi support, nor ethernet port and develop a device where I will generate passhprases and wallets (using electrum probably).

Raspberry pi is nice option. If you go for pi zero you may want to read about SeedSigner too. Using it as signing device is much more convenient than an offline computer imho.

[apogio]

Raspberry pi is nice option. If you go for pi zero you may want to read about SeedSigner too. Using it as signing device is much more convenient than an offline computer imho.

Yeah this is exactly why I thought of using RPi Zero. The only problem is that I can't find any RPi Zero without WiFi (the non-W version). At least where I live, it's difficult to find.

[ABCbits]

In a nutshell: Could malware move sensitive data back and forth between the usb and the connected computers without you being any the wiser?

While there are many malware which spread over USB storage was very common, i only recall very few malware which also move sensitive data/file over USB storage with goal uploading to creator's server.

On the contrary - I think it is mandatory. A software level airgap will never be completely secure, since you are one misclick or one accidental setting change away from re-enabling some form of connectivity and breaking your airgap. A hardware level airgap (i.e. connectivity hardware removed) will always be a safer option.

The only "problem" with airgapping is that it must be permanent as you said. Therefore, it must be dedicated to always being offline, both hardware and software-wise. And the problem with this is that one must buy this device only to use it offline which renders it limited to a small amount of tasks.

That's true. Aside from networking, you'll only use small portion of the storage and barely use the CPU/GPU. It's one of reason people also prefer to use their old PC or laptop.

Raspberry pi is nice option. If you go for pi zero you may want to read about SeedSigner too. Using it as signing device is much more convenient than an offline computer imho.

Yeah this is exactly why I thought of using RPi Zero. The only problem is that I can't find any RPi Zero without WiFi (the non-W version). At least where I live, it's difficult to find.

But if you can find W version easily, consider buying that and uninstall both WiFi and Bluetooth driver.

[o_e_l_e_o]

And the problem with this is that one must buy this device only to use it offline which renders it limited to a small amount of tasks.

You can certainly buy a SBC for this, but you can also use an old laptop (or any other old computer) you have for this without spending anything. It's fairly easy to open up a laptop and strip out the WiFi card, etc., and turn it in to an airgapped device.

[satscraper]

And the problem with this is that one must buy this device only to use it offline which renders it limited to a small amount of tasks.

You can certainly buy a SBC for this,

and keep it in popcorn tin  like Jimmy Zhong, the guy known to be an early developer of Bitcoin and the same time who stole 50 000 BTC from the Silk Road.

The guy was himself robbed  despite all measures taken - airgapping, "robust digital home surveillance system", etc. But he was lacking in one important trait - to remain quiet on the matter of bitcoin possessing.

P.S. I come to a conclusion that a  flamethrower becomes a must-have equipment for bitcoiner and is even more important than airgapped device
 

[Findingnemo]

It's fairly easy to open up a laptop and strip out the WiFi card, etc., and turn it in to an airgapped device.

Not for everyone.

I remember I broke hinges somehow while opening the back panel for switching SSD, so better leave the job to professionals.


Using old device for air-gapped wallet is okay but if someone is really going to save few thousands worth of BTC then better spend few hundreds to buy hardware wallet or value for money brand new laptop that can last for atleast 5 years with no issues.

[DYING_S0UL]

Some older Thinkpad T series models also have this physical switch, but I am not sure you can disable everything in any proprietary bios with any switch.

I was thinking is there any ways to make a smartphone air gapped? And obviously do all the things one would do with an air gapped laptop device (Is this even possible? I don't have much knowledge of this). It's a stupid question, isn't it? I understand smartphones are very small and delicate piece of hardwares. It's too much of hassle. Instead buying a old laptop and making it air gapped should be easy.

[satscraper]

I was thinking is there any ways to make a smartphone air gapped?

AirGap Knox claims to be the solution for disabling  "all sorts of connectivity on your smartphone on a system level and create an absolute secure environment for the AirGap Vault." They also claim that AirGap Vault combined with   Airgap Wallet turns Android smartphone into device  the  security of which is  comparable to dedicated hardware wallets:

P.S. Personally I didn't try it  because my stash relies entirely  on security of multisig wallet which has Passport 2  cosigner.

[ABCbits]

It's fairly easy to open up a laptop and strip out the WiFi card, etc., and turn it in to an airgapped device.

Not for everyone.

I remember I broke hinges somehow while opening the back panel for switching SSD, so better leave the job to professionals.

It also depends on the laptop itself. Certain brand or thin laptop usually is more tricky to be modified.

Using old device for air-gapped wallet is okay but if someone is really going to save few thousands worth of BTC then better spend few hundreds to buy hardware wallet or value for money brand new laptop that can last for atleast 5 years with no issues.

FWIW some old device also can last for really long time with some maintenance.

Some older Thinkpad T series models also have this physical switch, but I am not sure you can disable everything in any proprietary bios with any switch.

I was thinking is there any ways to make a smartphone air gapped?

Removing Wifi/Bluetooth chip or driver from smartphone usually is far harder, so your option usually is limited to always on airplane mode. And aside from AirGap Knox, Electrum Android should have all necessary feature to create wallet on air gapped device.

[o_e_l_e_o]

Using old device for air-gapped wallet is okay but if someone is really going to save few thousands worth of BTC then better spend few hundreds to buy hardware wallet or value for money brand new laptop that can last for atleast 5 years with no issues.

I am of the opinion that a properly airgapped old laptop is more secure than the majority of hardware wallets out there, if you know what you are doing. And there is no need to buy a new device just for this. The hardware requirements to run an airgapped wallet are absolutely tiny - any old device will do. You could even build a device from old components you have lying around.

I was thinking is there any ways to make a smartphone air gapped?

No. Unless you are one of the few people using a modular phone, then the WiFi, Bluetooth, NFC, etc., modules are integrated in to the circuit boards in your phone and nearly impossible to remove without damaging the phone. You can turn all these things off and turn on airplane mode, but as I've said above, a software level airgap is not a true airgap at all.

The whole point of phones is to be able to communicate wirelessly in as many ways as possible. Trying to airgap such a device will never be completely successful. Is it better than a random hot wallet? Yes. Is it as good as a proper airgapped device which has no connectivity hardware? No.

[BlackHatCoiner]

Removing Wifi/Bluetooth chip or driver from smartphone usually is far harder, so your option usually is limited to always on airplane mode.

In my opinion, nobody should even get in that trouble. Smartphones are the exact opposite of an airgapped device. They are designed to connect to as many networks as possible. You'll have to remove modem, Wi-Fi chip(s), antennas, bluetooth module(s), NFC, GPS I think, and even radio chip? I lost count, maybe there are even more.

I am of the opinion that a properly airgapped old laptop is more secure than the majority of hardware wallets out there, if you know what you are doing.

Alternatively, if you don't know what you're doing, buy yourself a signing device like SeedSigner. It requires minimum technical knowledge to setup, and is completely airgapped.

[Findingnemo]

The whole point of phones is to be able to communicate wirelessly in as many ways as possible. Trying to airgap such a device will never be completely successful. Is it better than a random hot wallet? Yes. Is it as good as a proper airgapped device which has no connectivity hardware? No.

That led me to think how about building a desktop with a motherboard that doesn't have an inbuilt wifi adapter, unfortunately, there are not many options available and I can find some basic level motherboards that are ddr4 for about $100 price range and other brands are costing around $400 just for motherboards so better option is to remove the driver from motherboards.

But some claim that config BIOS will also be good enough for an actual airgap, is that true?

[apogio]

Alternatively, if you don't know what you're doing, buy yourself a signing device like SeedSigner. It requires minimum technical knowledge to setup, and is completely airgapped.

SeedSigner is in fact one of the best projects out there. And unfortunately not a lot of people talk about it. People prefer to use Ledgers... I mean, what the ...

Anyway, o_e_l_e_o recently told me about this: https://monerosigner.com/ which is the essentially a SeedSigner fork for monero. I just mention it because, you never know who could be interested.

[Synchronice]

If you want to airgap a device which has previously been connected to the internet, then you need to format it and install a clean Linux OS.

Is there any type of malware that infects hardware? From a very short research I have made in the past, I know there are some trojan viruses that damage circuits. Having said that, I would also remove Bluetooth and network card from the device. Or do you think this is an overkill?

Everything with firmware can be infected with a virus. You might like to read about BadUSB. They just reprogrammed microcontroller, emulated a keyboard when connected to computer and initiated a series of keystrokes. Theoretically, CPUs, GPUs, motherboards, RAMs, absolutely every hardware component can be infected but this is something I wouldn't worry about. Probably no hacker is on that level to infect firmware so well that they'll let your computer to generate pre-generated seeds by hacker and if your device isn't connected to internet, who is going to steal any information? And if you think that someone might extract data from your air-gapped computer by recording frequency of your processor's cores or recording fun vibration or frequency of your hard drive, then you probably live in a wrong place

Even if you set laptop to airplane mode, don't remove Wi-Fi receiver and Bluetooth part from your laptop, who is going to get your seeds and bitcoins? Where do you live? I do not promote inattentiveness, no, you should be very careful but don't start thinking about how will someone steal data from your airgapped computer via wireless frequency or like, what if I CPU is infected and so on.
I don't say you are paranoid or something like that but there are so many people who have this illogical fear that someone will hack their computer via recording LED blinking and someone will hack their wallet because BIP wordlist is public and 12 words are too easy to guess

[o_e_l_e_o]

But some claim that config BIOS will also be good enough for an actual airgap, is that true?

You mean disabling WiFi or other connectivity hardware in the BIOS settings? That is still a software level airgap. It's better than just turning them off in your OS since you can't accidentally turn them back up with a single misclick and need to go back in to your BIOS settings in order to re-enable them, but it is still a software airgap since the hardware is still there, is still functional, and is still connected up. This will never be as secure as a hardware airgap where the necessary hardware doesn't even exist in the device.

Even if you set laptop to airplane mode, don't remove Wi-Fi receiver and Bluetooth part from your laptop, who is going to get your seeds and bitcoins? Where do you live? I do not promote inattentiveness, no, you should be very careful but don't start thinking about how will someone steal data from your airgapped computer via wireless frequency or like, what if I CPU is infected and so on.

My concerns with a software level airgap are not that someone is going to be able to extract data via monitoring my fan speed or electricity usage or one of the other novel techniques which has been described, but rather that a software level airgap is only ever one misclick, one settings change (accidental or malicious), one tiny adjustment, etc., aware from becoming a hot wallet. Additionally, a software level airgap is almost impossible for the user to verify themselves. If you turn on airplane mode on your phone, how can you confirm and verify for yourself that your phone is not transmitting any data at all via cellular, WiFi, Bluetooth, NFC, RFID, and so on?

A hardware level airgap is simply much safer.