
Topic: AirGapped Hardware Wallets - page 5. (Read 1253 times)

legendary
Activity: 1512
Merit: 4795
September 25, 2021, 01:14:34 AM
#8
As for the malware examples; not sure whether there was an attack already, but if there was none so far, it's easy to understand how the attack surface is smaller when you're not physically attached but merely exchange QR codes.
I have read about QR code malware before which will be similar to clipboard malware, or is this type of malware not possible?

For me, it seems way better to have the QR Code + camera way because on one hand I feel plugging an SD card in, bears potential risk as well (see viruses that spread via USB sticks..)
This is what I am implying, what makes SD card special, can SD card not be attacked/affected also with malware?

Any report that the seed phrase of Trezor or Ledger Nano was revealed through malware? What signs the transaction is the private key, which is offline and remains offline, and the hardware wallet is detachable from the computer; that makes the hardware wallet airgapped. Hackers cannot use their malware to reveal the seed phrase or private key even while the hardware wallet is being used for signing; even if it is possible, there is no report of such yet. You can bring up proof against this.

Do you think it is not important to be careful of malware that can change the recipient's address to a hacker's address, in which case the hacker's address is what will be sent to the SD card or what will be in the QR code sent for signing?
legendary
Activity: 2366
Merit: 2054
September 25, 2021, 12:07:48 AM
#7
Looks like Ledger and Trezor are airgapped.
Yes,

we can generate a wallet without being connected to the internet. With a Ledger Nano S we can generate a wallet using a power bank, but we still need the Ledger Live application to download the Bitcoin application.

Maybe Trezor is really air-gapped; with a new update, we can generate a wallet without using the internet (Suite).
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
September 24, 2021, 08:35:03 PM
#6
Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely separate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proof.
EVERYONE in the field refers to a device that is plugged via USB as non-airgapped. You may define your definitions however you want or even start a discussion, but this won't change the commonly accepted terminology.

As for the malware examples; not sure whether there was an attack already, but if there was none so far, it's easy to understand how the attack surface is smaller when you're not physically attached but merely exchange QR codes. Also just because an attack was not carried out yet, doesn't mean it's not possible. That's why we migrate to secure encryption schemes before quantum computing is able to break RSA and not after it will have happened, for example. In case it's not clear, airgap has nothing to do with quantum computing or breaking asymmetric encryption.

Looks like Ledger and Trezor are airgapped.
They're not, because they are connected to an online PC via USB directly. In theory, the communication protocol can be hacked and e.g. address be replaced before being sent to the device to be signed.

That's the whole point of air gap: a gap of air between your hardware wallet and your online device which publishes the signed transaction. This highly minimizes the attack surface.

@dkbit98: thanks for this topic, I really enjoy these 'wallet lists'! Always great to have them bookmarked and check from time to time to see what's available.
Suggestion: add next to each device an info on the type of airgap it uses: QR/Cameras, SD cards, etc.... (not sure of other ways).

For me, it seems way better to have the QR Code + camera way because on one hand I feel plugging an SD card in, bears potential risk as well (see viruses that spread via USB sticks..) and also because if you have a QR + camera type wallet, you can use it with any PC or phone which has a webcam. This is one limitation of USB wallets that really bugs me; they don't work on iOS. And I will certainly not use a HW wallet that communicates over Bluetooth either.. Grin
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
September 24, 2021, 01:12:12 PM
#5
I think we need to define what airgapped devices are.
AirGapped devices by definition are never directly connected to internet or to any other devices that are connected to the internet.

I think this definition is quite accurate. I looked on Wikipedia and found this:

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely separate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proof.

I tend to agree with this, but I am not a specialist.

I was reading the Ledger website, and I found this:

Quote
Hardware wallets are not connected to the Internet when they plug into a smartphone or computer, meaning that they do not share or communicate any critical information to the machine out of an abundance of caution. The same goes for hardware wallets that connect to smartphones. Hardware wallet devices are physically secured from both the public internet and unsecured local area networks.

Looks like Ledger and Trezor are airgapped.

On the other hand, is it true that by removing USB we really achieve extra protection? Are people safer using Cold Wallet than using Ledger Nano or Trezor? I don't know, and I have never heard such a claim before; this is new to me. I am currently satisfied with my Ledger, AFAIK.

It is also true that if you insert a Ledger or Trezor into an infected computer, the virus will be unable to extract your private keys (of course, you shouldn't do that on purpose). You can see this comment from the Trezor team on Reddit:

Quote
-johoe · 3y · Distinguished Expert
You shouldn't use a known infected machine, but the Trezor is designed to keep your keys safe. However, make sure you always keep your firmware updated; there is a known bug in previous firmware <= 1.5.2 that is exploitable by malware (and maybe the bug in 1.6.1 is also exploitable).
https://www.reddit.com/r/TREZOR/comments/987jri/using_trezor_with_infected_machine/
hero member
Activity: 1358
Merit: 851
September 24, 2021, 12:12:01 PM
#4
According to the website, Coldcard is only for bitcoin. Doesn't it require any upgrade? For instance, supporting LN may require an upgrade? I'm not sure though.
In the case of Safepal, the upgrade is optional. You can still go with the current one all the time, but that wouldn't give you the benefit of using the latest coin edition in the wallet. Other than that, it's okay to use as an airgapped wallet. I haven't used it yet but have seen one review on YouTube and it seems fine, as it doesn't require you to be connected with any other device directly.
legendary
Activity: 2212
Merit: 7064
September 23, 2021, 06:11:36 AM
#3
OMG...
I think we need to define what airgapped devices are.
No we don't, because I defined them in the first few sentences.

I know you are trying to bring up something but making use of airgapped may not be appropriate.
Sorry but you have zero authority to talk anything about airgapped devices.

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely separate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proof.
Have you actually read what I wrote before, or are you just blabbing like this without any sense?
I literally said they are using secure USB over FIDO protocol, so no need to repeat like a parrot.

Reputed hardware wallets like Trezor and Ledger Nano are airgapped too, but I understood what you meant, but airgapped should not be the appropriate term.
No they are not truly airgapped and even those manufacturers don't claim that, but maybe you can teach them better  Roll Eyes
legendary
Activity: 1512
Merit: 4795
September 23, 2021, 05:42:59 AM
#2
Hardware wallets are never directly connected to the internet and most of them are using USB connection with secure device-to-device FIDO protocol,
but if we want better protection we should look for True Airgapped wallets, and remove any USB connection with computer.
I think we need to define what airgapped devices are.

For example, I can set up an Electrum airgapped device and be using its watch-only wallet to connect to it through QR code or USB stick; that does not mean it is not airgapped.

I know you are trying to bring up something but making use of airgapped may not be appropriate.

Hardware wallets like Trezor and Ledger Nano that make use of USB code can not be said they are not airgapped, they are actually airgapped devices, they are completely separate from wallet extension that are used to operate them while making transactions, even is there any malware that can reveal their seed phrase or keys? I doubt that, if wrong you can correct me with proof.

The only malware I know of that can attack a reputed hardware wallet this way is clipboard or QR code malware, which can change the recipient's address to the hacker's address while making a transaction. That is the reason we should make sure we protect the hardware wallet extension that we use to operate it from malware, and also check and recheck the bitcoin address we are sending bitcoin to.

Reputed hardware wallets like Trezor and Ledger Nano are airgapped too, but I understood what you meant, but airgapped should not be the appropriate term.
legendary
Activity: 2212
Merit: 7064
September 23, 2021, 04:54:02 AM
#1
AirGapped devices by definition are never directly connected to internet or to any other devices that are connected to the internet.
However, most devices including computers and hardware wallets still have USB connections and that is the easiest way to breach an airgapped machine, but not the only one.
Airgap malware exists today that uses acoustic or other types of signaling like light, magnetic, thermal or radio frequency, so we know that AirGapped devices are not providing perfect protection.

Hardware wallets are never directly connected to the internet and most of them are using USB connection with secure device-to-device FIDO protocol,
but if we want better protection we should look for True Airgapped wallets, and remove any USB connection with computer.
There are currently only a few Airgapped hardware wallets, but I expect this trend will grow in near future with better devices and better protection.
Always choose Open Source and tested hardware wallets.

Airgapped Hardware wallets:


- Safepal is closed source, claims it is airgapped, but you need to connect it with USB cable for every update.
- Ellipal is closed source.
- Ngrave is unknown source (they plan to be mostly open source)

DIY Airgapped Hardware wallets:


* Signing Device

Most of these wallets are communicating with QR codes or SD cards and they have their own flaws.
Nothing is perfect so do your own research before using any of these wallets.