Think of air gapped devices as the safest for cold storage

[hmbdofficial]

I have heard about the cold storage using air gap system as the safest form of protecting your bitcoin from malwares attack, phishing and keylogger from getting to your private keys which I find really interesting and safe but it left some questions in my head.
Are we saying that there ain’t QR code malware? The use of QR code to send the PSBT to the offline device won’t do anything?
I have seen situations where that SD card are also attacked affected by malware will that not  be a problem too if you reuse The SD card?
That the reason I'm doubting it

[Zaguru12]

Firstly there is no one that say there is no malware on QR code, most malware’s coming from QR codes are actually either from the software that it was generated from (that’s why generating your QR code using third party apps is total wrong) or the device that scans the QR code is infected such that it changes the address scanned from the code, and it’s reason why you need to actually verify the transaction yet again.

But there are devices which actually gives you the QR code directly for your watch only wallet to derive and example is the Electrum wallet.

Yes an SD card can be infected if you actually installed it into a corrupted online device that’s why if it is SD card you’re using use it with an adapter such that you lock and make it a read only or use a USB with read only switch too.

But QR code still stands out if not generated by third party

[ABCbits]

The use of QR code to send the PSBT to the offline device won’t do anything?

If the device used to create PSBT QR code is infected, theoretically the malware could replace the PSBT QR with their own PSBT which send Bitcoin to their address.

Yes an SD card can be infected if you actually installed it into a corrupted online device that’s why if it is SD card you’re using use it with an adapter such that you lock and make it a read only or use a USB with read only switch too.

On Linux, you also can mount external storage as read-only and disallow any running executable from it.

[Lucius]

There is no setup that is completely bulletproof, so we probably cannot say that an air-gapped wallet is a 100% safe way of storing private keys and performing transactions. Honestly, I've always been curious about the possibility of hackers successfully attacking an air-gapped device through QR codes or even an SD card, but I think the chances of that happening are very small if the user knows where such threats come from.

In other words, if someone has a habit of using pirated software, downloading multimedia from the internet and visiting suspicious websites, it is very likely that they will pick up something malicious, especially if they do not have any security software. Even then, most ordinary hardware wallets or air-gapped devices will be of great help to any careful user to recognize that something is not as it should be.

Therefore, I would conclude that there is no better protection than using an air-gapped wallet with, of course, all the security measures that go along with it.

[satscraper]

I have heard about the cold storage using air gap system as the safest form of protecting your bitcoin from malwares attack, phishing and keylogger from getting to your private keys which I find really interesting and safe but it left some questions in my head.
Are we saying that there ain’t QR code malware? The use of QR code to send the PSBT to the offline device won’t do anything?
I have seen situations where that SD card are also attacked affected by malware will that not  be a problem too if you reuse The SD card?
That the reason I'm doubting it

If malware is already sitting on your device then malicious QR may instruct it to do some bad actions.

If your device is clean then you are safe simply because any QR can not contain malware itself because on any existing standarts QR code is far too small to accomodate any meaningful executable.

For instance, size of QR subjected to ISO/IEC 18004:

~3K of bytes is far too little to be taken seriously by malware developers.

[BlackHatCoiner]

The use of QR code to send the PSBT to the offline device won’t do anything?

Your airgapped device will decode the QR code and read a PSBT. It will then show the PSBT to the hardware screen, so that you, manually, confirm it spends the correct inputs to the correct outputs. No, it cannot do anything malicious, considering the hardware device is not compromised and you verified the image that was installed in your airgapped device.

[ABCbits]

--snip--
~3K of bytes is far too little to be taken seriously by malware developers.

In this case, i agree with you. But in different scenario where the device of QR scanner have internet access, 3KB is enough to either
1. Add link to phishing website.
2. Include script which download another bigger malicious script. But this require the QR scanner have security vulnerability to execute data of scanner QR code.

[pooya87]

Think of it this way, when you choose your wallet type you are eliminating vulnerabilities based on your choices. That way you narrow down all the ways you can lose your coins so that the remaining ways are no longer plausible. Then you can that "secure".

For example when you choose an open source wallet compared to closed source, you are eliminating the possibility of running a possible malicious code that you are not aware of. It's the same with using air-gap device, you are eliminating possibility of easy access to your keys. Other that that, there will always be ways to gain access to your coins! Sometimes they are theoretical and crazy methods like the ones categorized as side-channel attacks (eg. measuring electromagnetic emission while your CPU is performing cryptographic computation).

You see if you start thinking about all these theoretical ways like through QR code, you would be stepping into a rabbit hole that you may not want to enter...

[SilverCryptoBullet]

For example when you choose an open source wallet compared to closed source, you are eliminating the possibility of running a possible malicious code that you are not aware of. It's the same with using air-gap device, you are eliminating possibility of easy access to your keys. Other that that, there will always be ways to gain access to your coins!

If people want to store and secure their coins on an air-gap device, they must keep that device as air-gap forever. Because if they connect that device with the Internet, just one time, it will be no longer an airgap device and there will be risk of compromisation on that device which in turn can steal their coins stored in wallets on that device.

[Amaro958]

--snip--
~3K of bytes is far too little to be taken seriously by malware developers.

In this case, i agree with you. But in different scenario where the device of QR scanner have internet access, 3KB is enough to either
1. Add link to phishing website.
2. Include script which download another bigger malicious script. But this require the QR scanner have security vulnerability to execute data of scanner QR code.

Links or scripts would need to be opened/executed to do any harm.
Of course a QR code app shouldn't to that automatically, if security is important.

[Synchronice]

There is no setup that is completely bulletproof, so we probably cannot say that an air-gapped wallet is a 100% safe way of storing private keys and performing transactions. Honestly, I've always been curious about the possibility of hackers successfully attacking an air-gapped device through QR codes or even an SD card, but I think the chances of that happening are very small if the user knows where such threats come from.

In other words, if someone has a habit of using pirated software, downloading multimedia from the internet and visiting suspicious websites, it is very likely that they will pick up something malicious, especially if they do not have any security software. Even then, most ordinary hardware wallets or air-gapped devices will be of great help to any careful user to recognize that something is not as it should be.

Therefore, I would conclude that there is no better protection than using an air-gapped wallet with, of course, all the security measures that go along with it.

Air-gapped device is not 100% safe. In general, nothing is 100% safe or guaranteed. An air-gapped device has a risk of side-channel attacks. An air-gapped hardware wallet or a device leaks information physically (acoustic signature of the processing for example can be measured too), which means that an attracker with the right equipment can hack it. The thing is, a random, average person is not under such a threat and sleep without worrying.

[satscraper]

There is no setup that is completely bulletproof, so we probably cannot say that an air-gapped wallet is a 100% safe way of storing private keys and performing transactions. Honestly, I've always been curious about the possibility of hackers successfully attacking an air-gapped device through QR codes or even an SD card, but I think the chances of that happening are very small if the user knows where such threats come from.

In other words, if someone has a habit of using pirated software, downloading multimedia from the internet and visiting suspicious websites, it is very likely that they will pick up something malicious, especially if they do not have any security software. Even then, most ordinary hardware wallets or air-gapped devices will be of great help to any careful user to recognize that something is not as it should be.

Therefore, I would conclude that there is no better protection than using an air-gapped wallet with, of course, all the security measures that go along with it.

Air-gapped device is not 100% safe. In general, nothing is 100% safe or guaranteed. An air-gapped device has a risk of side-channel attacks. An air-gapped hardware wallet or a device leaks information physically (acoustic signature of the processing for example can be measured too), which means that an attracker with the right equipment can hack it. The thing is, a random, average person is not under such a threat and sleep without worrying.

“acoustic signature” for QR code? That’s completely new to me.

I understand that QR code workflow is more about network isolation than true shield for all threats  as attacks can still come from compromised companion apps or even from the supply chain. But the idea of  “acoustic signature” coming from  QR code really puzzled me. Could you elaborate a bit more on what you meant and how it’s relevant? ^{Pertaining links would be appreciated}.

In return I’ll share good article that’s definitely worth reading: SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets.