Topic: Attack vectors for Hardware Wallets (Read 610 times)

There are almost endless options against the wrench; some shown in this popular movie..


But in general, I agree that the first lines of defense are the most important, especially the ones preventing a personal conflict altogether. Because those can end up messy.

• Opsec: Don't let people know you own valuable stuff.
  
• Physical security: Make sure people cannot easily enter your property in general.
  
• Plausible deniability: Have decoy wallets / other measures that make a thief believe they 'got everything'.
  
• Self defense: If everything else fails, e.g. they keep asking for more or keep applying violence, have some backup plan.
  
• Passphrases / Multisig: Have your main stash either stored in a very hidden location or use passphrases and multisig. For instance, every one of the stolen (funded) wallets could be restored from a backup, which - appending a 13th / 25th word - creates a whole new wallet with the actual funds. Alternatively, have wallets in a completely different location that are required to complete a multisig wallet with the real funds. Of course, also have backups of every wallet in other locations.
  

So, while important, I do think that the multisig setup is one of the 'last resorts'. First and foremost, make sure people don't even want to attack you, destroy your front door etc.

---

Honorable mention: data can at times be as or even more valuable than money. Keep your (encrypted) backups updated! And of course encrypt your hard drives. I imagine a thief may want to just take stuff like portable computers with them and figure out how to extract wallets, later.

I haven't read all of it, but most of it and all these attacks relied on physical access.
They could make your computer transmit data through memory chips, keyboard LEDs, screen changing brightness, stealing and freezing memory chips, and so on. After reading it, I don't feel discouraged from using an air-gapped computer. If I ever face people who can break into my house without leaving a trace and modify my computer so that it starts sending data into a mobile phone network, I'm fucked anyway. They could as well drill a hole in the ceiling and place a micro camera that looks at my screen and keyboard. They wouldn't need to put a 100k USD worth of stuff into my PC to turn my RAM sticks into wifi antennas.


I once saw an interview with a weed grower and he said that every person that knows about you doing it doubles your chances of getting caught. It's the same with owning bitcoin, the more people know about it, the more shit can come your way.

It's important to have safety layers that work with each other, as each layer adds security to the whole system. For instance, I live in a house where there's only one access road and both my neighbors have cameras pointed at that road. That's already a security layer. There's no way to get close enough to my house to access my wifi network without me knowing it, unless you're my neighbor. The house is big and a hardware wallet is very small. Even if someone somehow came looking for it, it would literally take him days to find it. As for the wrench, I chop firewood, he comes with a wrench, I've got an axe

An attacker isn't going to spend hours looking for different worthless shitcoins on various chains, nor are they going to believe that the sum of all your holdings are some worthless shitcoins. You will need to hand over some amount of bitcoin or a major alt to convince them that is all you have.

An attacker also won't be satisfied with you handing them a hardware wallet, without knowing if there is anything on it or that they will be able to access anything that is.

Until they decide to just keep hitting you until you tell them the locations of your back ups or call the relevant people to obtain the necessary seed phrases. You need deniability.

It does very good job comparing all other options, except maybe owning a gun and using it against wrench attacker.
Multisig setup can also be good or bad, if you distribute it in different locations with multiple people, it will be very hard for attacker to get anything from you, except decoys.
Jameson Lopp was attacked like this in past, and guess what his defense is now - multisig setup.

Is it like the best fight is the one you avoid? It seems to me that in an $5 wrench attack the outcome for the victim is a foregone conclusion, and therefore the occurrence of this attack must be avoided. Not talking too much about btc would be good peculiarity.


If an $5 wrench attack nevertheless occurred, then it is better to give away what the attackers want, and the dummy wallet will come in handy here. I would stuff this wallet with various shitcoins that are worth nothing and with a small amount of liquid coins. I think almost everyone has such garbage for extras.

In addition, can give them old and broken HW devices. It is unlikely that there will be time and desire to check the content.

While I agree with all the other categories of attack, I'm not sure multi-sig does a particularly good job against $5 $10 wrench attacks.

An attacker will keep hitting you until you give him some coins. He doesn't care if your coins are protected by one signature or several or if they are in a software wallet or a hardware wallet. He will just hit you until you give him coins. The protection against this attack comes from either not revealing that you own any coins at all, or having decoy wallets you can hand over while keeping your main stash hidden. Multi-sig does not lend itself particularly well to this, since the compromise of one seed phrase back up which will most likely have additional xpubs stored along with it reveals the presence of a wallet which the attacker will want access to. Passphrases are a better option here, or entirely dummy wallets as DaveF says.

There is of course nothing stopping you combining multi-sig with a passphrase. Your three seed phrases (or whatever number you choose) generate a multi-sig wallet with a decoy amount of coins in it, while your three seed phrases plus one or more additional passphrases generate a different multi-sig wallet with your real stash hidden away.

You can still get a $5 wrench, it's just not as good quality.
I still say that the BEST defense is not letting people know about your BTC holdings.
The 2nd best is having dummy wallets around. Leave some money on an mk 2 cold card, or an old trezor. Someone wants it, they can have it. The other wallet is someplace safe and secure. You need funds you take it out, move it to the wallet that is controlled by the other hardware and put it back. If I show up at your house to sell you an S19 there is no reason for me to know what you are really using as a HW wallet or how much BTC you really have. All I should see is what you want me to see. and that should not be a lot.

-Dave

I didn't post for some time on this topics and I didn't really talk about best ways to protect against most of this attacks, but I decided to do it now.
Best protection from Wrench attack (it was $5 before inflation), chosen nonce attack, supply chain attack, evil made attack, pwned hardware wallet and lost seed, is using good Multisig Setup.
Having airgapped open source hardware wallet in combination with multisig setup is providing reasonably good protection from most attacks, and to be extra secure I would generate seed words offline and not in single hardware wallet.
This is not perfect protection against all attacks, but it is good enough for most people.

I am reading and I would like to suggest the following literature on the topic ..

Building Secure Firmware: Armoring the Foundation of the Platform
ISBN: 9781484261057

Gosh, firmware designing can unfolding a much large topic ...

To be fair, if the hardware wallet is used the same way as a paper wallet (just for receiving, stored in a safe place and coins are not spent) it's only susceptible to the supply chain attack that e.g. somehow the seed words were predetermined so the manufacturer can steal the funds.

The other attack vectors only come into play when trying to spend the funds, which is simply not possible with a paper wallet without importing it into a software, so it's hard to compare the attack surfaces.
On paper () the paper wallet has less, but in practice, it has more, because once people will want to spend that balance, they'll probably import it onto a live PC which might be fully infected with malware.

I don't think you are going to be able to do much below 1mb in terms of storage. Sourcing smaller NVRAM chips today is going to be just about impossible.

You can probably find controllers with that much storage in them by themselves, and just use that, but I don't know if that is going to be NVRAM or not.
 
Side note, with malware writers suffering from the same software bloat as everyone else can they even fit real malware in 1MB anymore?

-Dave

I use USB webcams with my computers when transferring QR codes. I've physically removed the built in webcam from my laptop, but I have a couple of super cheap webcams (like, $10 each) which I will plug in for the sole purpose of scanning a QR code and then immediately unplug again. I use a different webcam specific for each computer. It's a great set up that practically removes the possibility of leaking information or transferring malware between devices accidentally. If you want to be super paranoid, another nice trick I've picked up along the way is after I generate a QR code with one computer, I'll scan it with the webcam attached to that same computer and ensure that it scans and decodes to the correct information before I then scan it with the webcam attached to the second computer.

What I'd really like is a USB drive with maybe 300 bytes of memory only, so you could still transfer small transactions but too small for any crypto stealing malware. Maybe I'll build my own someday.

I check the whole address before copying it and then I check it again when I paste it. My private work area has pens and papers all around and I usually note down part of the address on paper. I also check it on a block explorer if it's been part of the draft for a few hours.

That's true and I agree with you on that part.

I use QR codes when a mobile is part of the story. In this case, it's two computers.

I have separate USBs for all of my devices. A USB for one of my machines wont be used with the other ones. And if I have to take something to a copy shop for example, I have a USB for that, and that one only goes into the machine with the least importance to me. It gets formatted every time.

I would be wary of doing this for a couple of reasons. Clipboard malware could obviously change the address, but so could anything malicious on your email provider's servers. It's also a privacy risk, since your email provider will likely have copies of the draft email you create saved and linked to your account even after you've deleted the address. I would prefer to use QR codes or a USB drive, same as I would use for moving transactions back and forth to an airgapped device.

The same probably applies to passphrases. Given how often users reuse the same password across all their accounts, I bet there are a significant number of people who are using their computer password or various account passwords as the passphrase for their seed extensions.

Yeah, just getting older and misread it then misread it again.

This next bit is a bit of a rant but: More and more I am seeing places that take BTC and other cryptos display QR codes that are getting cute instead of just being a black and white square. Bitrefill does this and it causes some wallets on some phones not to read the code. Just give me a black & white square please not this:



And when you display the actual address, bold preferably black on a white background, not some other hard to read color on the standard off white background. For those people with not great eyes or monitors, yes there is some text between the 'not' and 'on' and yes I had to deal with someone running their own btcpay server who had the address displayed like that.

---

Anyway, back to the attack vector part of the conversation. One thing that has not been discussed enough IMO is the human factor of pin / password reuse.
Went to an interesting security seminar about it a little while ago. Out of 500 people polled the number who had the same pin or close to the same pin for their cell phone unlock, phone VM, ATM card, casino loyalty card, computer pin, etc. WAS OVER 65%

Wonder how many have the same / similar pin for their hardware wallet and their phone.

-Dave

If I understand Dave's somewhat obtuse comment correctly, it would appear that his eyesight is failing him

@DaveF, if it makes you feel any better... I'm probably not far off needing to do the same!

Since I have several laptops and devices and only one of them has crypto software and my Ledger Live installation, I sometimes need to save a bitcoin address to check it on the other device or do something with it. For that purpose I also sometimes save it as a draft in my email so I can access it quickly on the second device. 

So what actually happened? I assume you didn't get infected with some clipboard hijacker. Was the copy/pasted thing correct and you just didn't see it properly or did you copy the wrong stuff?

I understood you , I just wanted to show it in numbers. Such an attack would be more difficult to organize about 30,000 times. And that's not counting the fact that Bitcoin has different address formats.

Bit of humor....

I have a crap multicoin hot wallet on my phone. When I need an address on my PC I either text myself and use google messages to copy and paste or I just email it to myself. Yes it's insecure but we are talking minimal amounts of LTC / DOGE and the like. I then verify the characters 5 though 8 since the app puts spaces in after every 4 and the last block of characters.

So this morning I sent a text and did a copy & paste and it was wrong, just a few letters at the end. I flashed back to this thread and worried, is it my phone, is it the laptop? Where and when and how did I get compromised? WTF?

The answer:
So....I really need to start wearing my glasses when doing stuff. That or get a bigger laptop screen.

-Dave

Correct, and I think that other smaller coins that have more characters would be a bigger problem, and it would be easier to generate fake addresses.

Sure they are much better than regular hot wallets, but you still need to confirm addresses properly, and not everyone is ''perfect'' like Pmalek  

You noticed I put a smiley at the end of that sentence, and then in next one I said that running something like this for Bitcoin would be more expensive.
However, this is another good reason not to use any altcoins on hardware wallets.

It's not anything new, it's just an improved version of clipboard attack with using of similar addresses.
Classic clipboard attack just replaces original address with any randomly generated address.