
Topic: AirGapped Hardware Wallets - page 2. (Read 1253 times)

legendary
Activity: 2212
Merit: 7064
September 23, 2023, 03:30:03 PM
#68
Dear Sir, I have a few questions. (1) Airgapped wallets that rely solely on QR code communication appear to be very secure. However, related hardware wallets, such as Keystone, have low sales. Why?
Who told you that Keystone has low sales? They are currently sold out of everything and you can only pre-order from their website.
QR is not used only by Keystone, but by many other airgapped devices like Jade, Passport, etc.

I have 2 safepal s1. After reading a post by dkbit98, I do not dare to use them again. Safepal is closed source, and others are open source, like keystone. However their sales are very low. I am concerned about the lack of supervision.
Do what you want with your devices.
dkbit98 is nobody, and he didn't command anyone what to do in their life.
btw Safepal released new model X1 that should have open source firmware, but I would hold on until I see some reviews for that device.



hero member
Activity: 714
Merit: 1298
September 23, 2023, 08:46:14 AM
#67
Yeah, QR-code-based communication is more secure, but it is also vulnerable and may result in the loss of funds in the case when the relevant HW is paired with a wallet on a compromised computer that holds malware code capable of changing the receiving address in a transaction that is granted for signing via a jeopardized QR code.

One should always check what he is signing, even with an air-gapped wallet paired exclusively via QR over an optical channel.
You mean that the QR code can be compromised by clipboard malware? Clipboard malware works in a way that you will copy a bitcoin address, the address would be replaced by a hacker's address on the clipboard, so that the hacker's address will be the one that will be pasted. If you make use of QR code, you do not copy anything to clipboard at all and no address will be replaced by the clipboard malware. Although, it is good to check and recheck what you paste, even from QR code.

Nope. I was talking about a different kind of malware that has the capability to compromise the QR code that feeds the HW with data over the optical channel. Clipboard malware doesn't take any action in this. And unfortunately for the user, he has no prospect of learning whether the QR is compromised or not by looking at its patterns.
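
The check discussed in the posts above, as an added example that is not part of the original thread: decode the outputs of the unsigned transaction that arrives over the QR channel and flag any address/amount pair the user did not approve. It assumes legacy (non-witness) serialization and P2PKH outputs only; all function names are hypothetical and the 20-byte hashes are constructed sample data.

```python
import hashlib
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def p2pkh_address(h160: bytes) -> str:
    """Base58Check-encode a 20-byte pubkey hash as a mainnet P2PKH address."""
    payload = b"\x00" + h160
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(payload, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(payload) - len(payload.lstrip(b"\x00"))) + out

def varint(raw: bytes, pos: int):
    """Read a Bitcoin CompactSize integer; return (value, next position)."""
    first = raw[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(raw[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw: bytes):
    """Return [(address or script hex, satoshis)] for every output of the tx."""
    pos = 4                                      # skip version
    n_in, pos = varint(raw, pos)
    for _ in range(n_in):
        script_len, pos = varint(raw, pos + 36)  # skip txid + vout
        pos += script_len + 4                    # skip scriptSig + sequence
    n_out, pos = varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        sats = int.from_bytes(raw[pos:pos + 8], "little")
        script_len, pos = varint(raw, pos + 8)
        script = raw[pos:pos + script_len]
        pos += script_len
        is_p2pkh = (len(script) == 25 and script[:3] == b"\x76\xa9\x14"
                    and script[23:] == b"\x88\xac")
        outputs.append((p2pkh_address(script[3:23]) if is_p2pkh else script.hex(), sats))
    return outputs

def unexpected_outputs(raw: bytes, approved: dict):
    """Outputs whose address/amount pair the user never approved."""
    return [(a, s) for a, s in parse_outputs(raw) if approved.get(a) != s]

def build_unsigned_tx(outputs):
    """Constructed sample data: one dummy input, P2PKH outputs [(h160, sats)]."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(36) + b"\x00" + b"\xff" * 4
    tx += bytes([len(outputs)])
    for h160, sats in outputs:
        tx += struct.pack("<Q", sats) + b"\x19\x76\xa9\x14" + h160 + b"\x88\xac"
    return tx + struct.pack("<I", 0)

# Constructed 20-byte hashes, not real keys or addresses.
PAYEE, CHANGE, SUBSTITUTE = bytes([0x11]) * 20, bytes([0x22]) * 20, bytes([0x33]) * 20
APPROVED = {p2pkh_address(PAYEE): 50_000, p2pkh_address(CHANGE): 149_000}
CLEAN = build_unsigned_tx([(PAYEE, 50_000), (CHANGE, 149_000)])
TAMPERED = build_unsigned_tx([(SUBSTITUTE, 50_000), (CHANGE, 149_000)])

if __name__ == "__main__":
    print("clean   :", unexpected_outputs(CLEAN, APPROVED))
    print("tampered:", unexpected_outputs(TAMPERED, APPROVED))
```

The two payloads have the same length and would render as equally plausible QR codes, so the difference only shows up once the outputs are decoded. The comparison is only trustworthy when it is made on the signing device's own screen against an address obtained independently of the paired computer.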
legendary
Activity: 1512
Merit: 4795
September 23, 2023, 06:11:19 AM
#66
Yeah, QR-code-based communication is more secure, but it is also vulnerable and may result in the loss of funds in the case when the relevant HW is paired with a wallet on a compromised computer that holds malware code capable of changing the receiving address in a transaction that is granted for signing via a jeopardized QR code.

One should always check what he is signing, even with an air-gapped wallet paired exclusively via QR over an optical channel.
You mean that the QR code can be compromised by clipboard malware? Clipboard malware works in a way that you will copy a bitcoin address, the address would be replaced by a hacker's address on the clipboard, so that the hacker's address will be the one that will be pasted. If you make use of QR code, you do not copy anything to clipboard at all and no address will be replaced by the clipboard malware. Although, it is good to check and recheck what you paste, even from QR code.
jr. member
Activity: 57
Merit: 4
September 23, 2023, 05:16:43 AM
#65

Yeah, QR-code-based communication is more secure, but it is also vulnerable and may result in the loss of funds in the case when the relevant HW is paired with a wallet on a compromised computer that holds malware code capable of changing the receiving address in a transaction that is granted for signing via a jeopardized QR code.

One should always check what he is signing, even with an air-gapped wallet paired exclusively via QR over an optical channel.

I have 2 safepal s1. After reading a post by dkbit98, I do not dare to use them again. Safepal is closed source, and others are open source, like keystone. However their sales are very low. I am concerned about the lack of supervision.
hero member
Activity: 714
Merit: 1298
September 23, 2023, 04:37:31 AM
#64
Airgapped wallets that rely solely on QR code communication appear to be very secure.

Yeah, QR-code-based communication is more secure, but it is also vulnerable and may result in the loss of funds in the case when the relevant HW is paired with a wallet on a compromised computer that holds malware code capable of changing the receiving address in a transaction that is granted for signing via a jeopardized QR code.

One should always check what he is signing, even with an air-gapped wallet paired exclusively via QR over an optical channel.
jr. member
Activity: 57
Merit: 4
September 23, 2023, 03:19:57 AM
#63
Quote
AirGapped devices by definition are never directly connected to internet or to any other devices that are connected to the internet.
However, most devices including computers and hardware wallets still have USB connections and that is the easiest way to breach airgapped machine, but not the only one.
Airgap malware exist today that are using acoustic or other type of signaling like light, magnetic, thermal or radio frequency, so we know that AirGapped devices are not providing perfect protection.
Dear Sir, I have a few questions. (1) Airgapped wallets that rely solely on QR code communication appear to be very secure. However, related hardware wallets, such as Keystone, have low sales. Why? (2) The risk associated with airgapped wallets seems to be primarily supply chain attacks. When newbies receive a new airgapped wallet, they may not even think about immediately updating the firmware. If anti-tampering measures are compromised and the supply chain is attacked, that can be dangerous. Especially considering the small sales volume of current airgapped wallets, the risk is likely significant.
legendary
Activity: 2268
Merit: 18771
October 24, 2022, 04:44:32 AM
#62
If using QR code, it is airgapped, but if using USB connection, it should not be regarded as airgapped is what o_e_l_e_o is referring to, I think.
Not exactly. It seems that to set up Jade you must connect it via USB to your computer. Since the vast majority of people who do this will connect it to a regular computer with an internet connection, then that is no longer air-gapped. It doesn't matter if you then go on to only use QR codes in the future, as an airgap should be either permanent or not at all.

Note that I'm not saying that it isn't secure, just that it isn't airgapped. Ledger and Trezor devices aren't airgapped either, although it is possible to use them in an airgapped manner if you only connect them to an airgapped computer. But if you connect your hardware wallet to a computer with an internet connection at any point, then it ceases to be an airgapped wallet.
legendary
Activity: 1512
Merit: 4795
October 24, 2022, 04:39:00 AM
#61
While I do love QR codes not only for security / air-gap, but also for their convenience (work cross-platform, no need to carry a cable); just adding QR code communication indeed doesn't make a wallet airgapped, in my opinion. Still nice to have, but not air-gapped.
So, I agree with o_e_l_e_o here.
If using QR code, it is airgapped, but if using USB connection, it should not be regarded as airgapped is what o_e_l_e_o is referring to, I think. Is Jade having a means to use QR code? Is there other means in a way there is no way you will not have to plugging the USB stick for the continuing usage of the Jade hardware wallet with Blockstream Green? If the hardware wallet is USB stick dependent at some point, that means it is not an airgapped hardware wallet.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
October 24, 2022, 04:07:36 AM
#60
While I do love QR codes not only for security / air-gap, but also for their convenience (work cross-platform, no need to carry a cable); just adding QR code communication indeed doesn't make a wallet airgapped, in my opinion. Still nice to have, but not air-gapped.
So, I agree with o_e_l_e_o here.
legendary
Activity: 2268
Merit: 18771
October 24, 2022, 02:59:41 AM
#59
Please correct me if I'm wrong, but looking at the setup guide for Jade, it must be connected to your computer via a USB cable to set it up via Blockstream Green. As far as I am concerned, this immediately makes it non-airgapped, in exactly the same way Ledger or Trezor are non-airgapped. Perhaps it would be possible to use it in an air-gapped manner if you only connected it to an airgapped computer running an entirely offline version of Blockstream Green (although having never used this wallet I don't know if that is possible), but Jade itself is not an airgapped wallet.
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
October 24, 2022, 01:07:42 AM
#58

Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.

I have mixed feelings about the Jade hardware wallet, I haven't been following its development closely, but it is for sure the first time I hear someone call it an "air-gapped" wallet. As far as I know, in order to get access to the signing functionality of this wallet, you first need to unblock it by entering a PIN code. This PIN-code protection is server-enforced, which means you have to be physically connected to a remote server via the Internet to get your PIN working. This requirement of having to be connected to the network slightly contradicts the concept of air-gapped wallets. However, there are ways to make this wallet more "air-gapped" and less reliant on third-party servers: namely by spinning up your own server on your own isolated local network and using a hardware wallet only in your house. But I think if your personal network is not correctly configured, it remains vulnerable to external attacks. Moreover, you will still need the Internet to broadcast a transaction, which means there should be a separate network that talks to the outside world. Isn't it easier to just use some other wallet that doesn't need any servers to be unlocked?
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
October 23, 2022, 03:28:45 PM
#57
Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.
Data from the internet must interact with the Jade device. I have previously argued that some HW wallets are superior in security compared to "traditional" 'air gapped' setups.

Every security measure uses various tradeoffs. The Jade, for example, reduces the risk of loss (via theft) if someone gains physical access to the device, in exchange for incremental additional vulnerability via having to connect (via an app) to the internet. Realistically, I think the risk of having a HW device stolen is greater than someone being able to inject malware into it, so it is probably a good tradeoff. However, I don't see how one could argue that Jade is in fact "air-gapped"
legendary
Activity: 2212
Merit: 7064
October 22, 2022, 03:40:50 PM
#56
It's finally time to add one more airgapped hardware wallet in this topic, and that is Jade wallet after upcoming firmware update.
Jade always had a camera in their ESP32 device and they just waited for a software update to add support for QR codes and camera compatibility.
Someone on Twitter posted this VIDEO how this would work with Jade device.
Some argue that Jade is not really airgapped because of connection with Blockstream server, but that is debatable.


Image source taken from twitter account @bitcoin__help

hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
November 13, 2021, 10:18:35 AM
#55
My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.
There is a saying that everyone praises his own horse, and I think that is the case here with Bakkum indirectly praising his own wallet.
Of course that's what he's doing, but he's not honest about it. Of course you can advertise your own product, but strawmanning the competition is not elegant.

I think that Bitbox02 is very good open source device, but it's far from perfect and I personally don't like direct USB connection without cable
because I can't use it properly on my desktop computer and I need cable extension, or to use it on my laptop.
If I had to choose wallet with USB connection or airgap, I would use airgap option in 99%
Well, it comes with an extension cable, so it's no difference if it has a male or female USB port on it, except that with their design you don't need the cable when using a laptop, whereas you do always need one if you opt for a female plug on the hardware wallet. But I agree that QR codes are more comfortable, also because they work with any device that has a camera and you never need a cable.

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.
I don't know if you ever used Coldcard hardware wallet but I would be interested to hear some comparison Passport vs Coldcard vs other wallets.
Thanks.
Unfortunately, I have not tried that one yet. However, it should be fairly similar to Passport when used with SD card (which I'll try), when it comes to the user experience.
legendary
Activity: 2212
Merit: 7064
November 13, 2021, 09:07:06 AM
#54
My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.
There is a saying that everyone praises his own horse, and I think that is the case here with Bakkum indirectly praising his own wallet.
I think that Bitbox02 is very good open source device, but it's far from perfect and I personally don't like direct USB connection without cable
because I can't use it properly on my desktop computer and I need cable extension, or to use it on my laptop.
If I had to choose wallet with USB connection or airgap, I would use airgap option in 99%

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.
I don't know if you ever used Coldcard hardware wallet but I would be interested to hear some comparison Passport vs Coldcard vs other wallets.
Thanks.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
November 12, 2021, 09:33:52 AM
#53
~
Read both a few days as well; interesting takes, but for me personally, the airgapped Passport is easier and quicker to use than the BitBox, not only though it is airgapped, but partly also because.
My point is the interface; it can interface with phones through the camera, laptops through camera or SD and finally even desktops without webcam through the SD card. This is highly versatile. And password entry is much faster through the keypad than through the BitBox touch menu.

I will write reviews about both and both are great products in my opinion, but Bakkum's article is disingenuous.
legendary
Activity: 2212
Merit: 7064
November 11, 2021, 10:55:25 AM
#52
Douglas Bakkum recently wrote an article for BitBox blog claiming that airgap is not really making hardware wallets more secure and it's only complicating them.
It's not surprising to hear this from inventor of BitBox wallet if we know that device is not airgapped, but it's interesting to read his opinion and conclusion.
He first started with myth of unbeatable airgap security, but wait a minute, nobody said that airgap is perfect and unbeatable.
Then he said that Micro-SD cards are mini computers with firmware that can be hacked, something I never heard happening but I guess it's possible in theory, however not all h-wallets are using SD cards, there is also QR codes.
Quote
Our conclusion is that air-gapped communication offers little-to-no added hardware wallet security while degrading the user experience.
Source article: https://shiftcrypto.ch/blog/does-airgap-make-bitcoin-hardware-wallets-more-secure/

I personally won't agree with Douglas's opinion, removing USB connection means less attack surface,
and in reply to BitBox blog with claims and conclusion we have interesting David Bakin blog, that explains it much better than me:
https://bakins-bits.dev/dev/2021/11/airgapped-hardware-wallets-and-fud-1/

hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
October 08, 2021, 08:40:55 AM
#51
I could never fall victim to this attack because not only does my airgapped device not have any ethernet cables attached to it, but it does not even have an ethernet port in which to connect an ethernet cable.
I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.
Depending on which locations (this includes some IT security conferences) you like to visit, it may be a wise choice to bring a device without connectivity of any kind.
I've seen people put hot glue into their ports and also people simply desoldering ports from the motherboard.
If the machine is sitting in a physically secured location though, you should be good with leaving the ports on ^^

I have a variety of new and old laptops, none of which have ethernet ports. There are a number of Raspberry Pi boards without ethernet ports.
Old laptops - I get it. I have one that needs a PCMCIA card with an adapter to have ethernet. But modern? You mean those ultrabooks with just a bunch of USB-C ports? Cause that's not much better either; you can just plug in an adapter in that case.
legendary
Activity: 2268
Merit: 18771
October 08, 2021, 08:35:37 AM
#50
The question is why a crypto user would want isolated local networks to deal with cryptocurrency stuff?
Yeah, that's my point. If you have some kind of LAN or other local network set up with multiple computers and devices, then that's a poor choice for storing airgapped wallets. Whatever device you are using for your airgapped wallet should have the minimum amount of hardware required to run, and be connected to the minimum number of peripheral devices. If not building it yourself, then open it up and remove things like the WiFi card.

I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.
I have a variety of new and old laptops, none of which have ethernet ports. There are a number of Raspberry Pi boards without ethernet ports.
legendary
Activity: 2212
Merit: 7064
October 08, 2021, 05:54:29 AM
#49
I could never fall victim to this attack because not only does my airgapped device not have any ethernet cables attached to it, but it does not even have an ethernet port in which to connect an ethernet cable.
I don't know what kind of magical computer you are using but 99% of computers today have ethernet ports and you don't need to connect internet cable to be affected by this attack.

