Topic: Attack vectors for Hardware Wallets (Read 582 times)

There are almost endless options against the wrench; some shown in this popular movie..


But in general, I agree that the first lines of defense are the most important, especially the ones preventing a personal conflict altogether. Because those can end up messy.

• Opsec: Don't let people know you own valuable stuff.
  
• Physical security: Make sure people cannot easily enter your property in general.
  
• Plausible deniability: Have decoy wallets / other measures that make a thief believe they 'got everything'.
  
• Self defense: If everything else fails, e.g. they keep asking for more or keep applying violence, have some backup plan.
  
• Passphrases / Multisig: Have your main stash either stored in a very hidden location or use passphrases and multisig. For instance, every one of the stolen (funded) wallets could be restored from a backup, which - appending a 13th / 25th word - creates a whole new wallet with the actual funds. Alternatively, have wallets in a completely different location that are required to complete a multisig wallet with the real funds. Of course, also have backups of every wallet in other locations.
  

So, while important, I do think that the multisig setup is one of the 'last resorts'. First and foremost, make sure people don't even want to attack you, destroy your front door etc.

---

Honorable mention: data can at times be as or even more valuable than money. Keep your (encrypted) backups updated! And of course encrypt your hard drives. I imagine a thief may want to just take stuff like portable computers with them and figure out how to extract wallets, later.

I haven't read all of it, but most of it and all these attacks relied on physical access.
They could make your computer transmit data through memory chips, keyboard LEDs, screen changing brightness, stealing and freezing memory chips, and so on. After reading it, I don't feel discouraged from using an air-gapped computer. If I ever face people who can break into my house without leaving a trace and modify my computer so that it starts sending data into a mobile phone network, I'm fucked anyway. They could as well drill a hole in the ceiling and place a micro camera that looks at my screen and keyboard. They wouldn't need to put a 100k USD worth of stuff into my PC to turn my RAM sticks into wifi antennas.


I once saw an interview with a weed grower and he said that every person that knows about you doing it doubles your chances of getting caught. It's the same with owning bitcoin, the more people know about it, the more shit can come your way.

It's important to have safety layers that work with each other, as each layer adds security to the whole system. For instance, I live in a house where there's only one access road and both my neighbors have cameras pointed at that road. That's already a security layer. There's no way to get close enough to my house to access my wifi network without me knowing it, unless you're my neighbor. The house is big and a hardware wallet is very small. Even if someone somehow came looking for it, it would literally take him days to find it. As for the wrench, I chop firewood, he comes with a wrench, I've got an axe

An attacker isn't going to spend hours looking for different worthless shitcoins on various chains, nor are they going to believe that the sum of all your holdings are some worthless shitcoins. You will need to hand over some amount of bitcoin or a major alt to convince them that is all you have.

An attacker also won't be satisfied with you handing them a hardware wallet, without knowing if there is anything on it or that they will be able to access anything that is.

Until they decide to just keep hitting you until you tell them the locations of your back ups or call the relevant people to obtain the necessary seed phrases. You need deniability.

It does very good job comparing all other options, except maybe owning a gun and using it against wrench attacker.
Multisig setup can also be good or bad, if you distribute it in different locations with multiple people, it will be very hard for attacker to get anything from you, except decoys.
Jameson Lopp was attacked like this in past, and guess what his defense is now - multisig setup.

Is it like the best fight is the one you avoid? It seems to me that in an $5 wrench attack the outcome for the victim is a foregone conclusion, and therefore the occurrence of this attack must be avoided. Not talking too much about btc would be good peculiarity.


If an $5 wrench attack nevertheless occurred, then it is better to give away what the attackers want, and the dummy wallet will come in handy here. I would stuff this wallet with various shitcoins that are worth nothing and with a small amount of liquid coins. I think almost everyone has such garbage for extras.

In addition, can give them old and broken HW devices. It is unlikely that there will be time and desire to check the content.

While I agree with all the other categories of attack, I'm not sure multi-sig does a particularly good job against $5 $10 wrench attacks.

An attacker will keep hitting you until you give him some coins. He doesn't care if your coins are protected by one signature or several or if they are in a software wallet or a hardware wallet. He will just hit you until you give him coins. The protection against this attack comes from either not revealing that you own any coins at all, or having decoy wallets you can hand over while keeping your main stash hidden. Multi-sig does not lend itself particularly well to this, since the compromise of one seed phrase back up which will most likely have additional xpubs stored along with it reveals the presence of a wallet which the attacker will want access to. Passphrases are a better option here, or entirely dummy wallets as DaveF says.

There is of course nothing stopping you combining multi-sig with a passphrase. Your three seed phrases (or whatever number you choose) generate a multi-sig wallet with a decoy amount of coins in it, while your three seed phrases plus one or more additional passphrases generate a different multi-sig wallet with your real stash hidden away.

You can still get a $5 wrench, it's just not as good quality.
I still say that the BEST defense is not letting people know about your BTC holdings.
The 2nd best is having dummy wallets around. Leave some money on an mk 2 cold card, or an old trezor. Someone wants it, they can have it. The other wallet is someplace safe and secure. You need funds you take it out, move it to the wallet that is controlled by the other hardware and put it back. If I show up at your house to sell you an S19 there is no reason for me to know what you are really using as a HW wallet or how much BTC you really have. All I should see is what you want me to see. and that should not be a lot.

-Dave

I didn't post for some time on this topics and I didn't really talk about best ways to protect against most of this attacks, but I decided to do it now.
Best protection from Wrench attack (it was $5 before inflation), chosen nonce attack, supply chain attack, evil made attack, pwned hardware wallet and lost seed, is using good Multisig Setup.
Having airgapped open source hardware wallet in combination with multisig setup is providing reasonably good protection from most attacks, and to be extra secure I would generate seed words offline and not in single hardware wallet.
This is not perfect protection against all attacks, but it is good enough for most people.

I am reading and I would like to suggest the following literature on the topic ..

Building Secure Firmware: Armoring the Foundation of the Platform
ISBN: 9781484261057

Gosh, firmware designing can unfolding a much large topic ...

To be fair, if the hardware wallet is used the same way as a paper wallet (just for receiving, stored in a safe place and coins are not spent) it's only susceptible to the supply chain attack that e.g. somehow the seed words were predetermined so the manufacturer can steal the funds.

The other attack vectors only come into play when trying to spend the funds, which is simply not possible with a paper wallet without importing it into a software, so it's hard to compare the attack surfaces.
On paper () the paper wallet has less, but in practice, it has more, because once people will want to spend that balance, they'll probably import it onto a live PC which might be fully infected with malware.

I don't think you are going to be able to do much below 1mb in terms of storage. Sourcing smaller NVRAM chips today is going to be just about impossible.

You can probably find controllers with that much storage in them by themselves, and just use that, but I don't know if that is going to be NVRAM or not.
 
Side note, with malware writers suffering from the same software bloat as everyone else can they even fit real malware in 1MB anymore?

-Dave

I use USB webcams with my computers when transferring QR codes. I've physically removed the built in webcam from my laptop, but I have a couple of super cheap webcams (like, $10 each) which I will plug in for the sole purpose of scanning a QR code and then immediately unplug again. I use a different webcam specific for each computer. It's a great set up that practically removes the possibility of leaking information or transferring malware between devices accidentally. If you want to be super paranoid, another nice trick I've picked up along the way is after I generate a QR code with one computer, I'll scan it with the webcam attached to that same computer and ensure that it scans and decodes to the correct information before I then scan it with the webcam attached to the second computer.

What I'd really like is a USB drive with maybe 300 bytes of memory only, so you could still transfer small transactions but too small for any crypto stealing malware. Maybe I'll build my own someday.

I check the whole address before copying it and then I check it again when I paste it. My private work area has pens and papers all around and I usually note down part of the address on paper. I also check it on a block explorer if it's been part of the draft for a few hours.

That's true and I agree with you on that part.

I use QR codes when a mobile is part of the story. In this case, it's two computers.

I have separate USBs for all of my devices. A USB for one of my machines wont be used with the other ones. And if I have to take something to a copy shop for example, I have a USB for that, and that one only goes into the machine with the least importance to me. It gets formatted every time.

I would be wary of doing this for a couple of reasons. Clipboard malware could obviously change the address, but so could anything malicious on your email provider's servers. It's also a privacy risk, since your email provider will likely have copies of the draft email you create saved and linked to your account even after you've deleted the address. I would prefer to use QR codes or a USB drive, same as I would use for moving transactions back and forth to an airgapped device.

The same probably applies to passphrases. Given how often users reuse the same password across all their accounts, I bet there are a significant number of people who are using their computer password or various account passwords as the passphrase for their seed extensions.

Yeah, just getting older and misread it then misread it again.

This next bit is a bit of a rant but: More and more I am seeing places that take BTC and other cryptos display QR codes that are getting cute instead of just being a black and white square. Bitrefill does this and it causes some wallets on some phones not to read the code. Just give me a black & white square please not this:



And when you display the actual address, bold preferably black on a white background, not some other hard to read color on the standard off white background. For those people with not great eyes or monitors, yes there is some text between the 'not' and 'on' and yes I had to deal with someone running their own btcpay server who had the address displayed like that.

---

Anyway, back to the attack vector part of the conversation. One thing that has not been discussed enough IMO is the human factor of pin / password reuse.
Went to an interesting security seminar about it a little while ago. Out of 500 people polled the number who had the same pin or close to the same pin for their cell phone unlock, phone VM, ATM card, casino loyalty card, computer pin, etc. WAS OVER 65%

Wonder how many have the same / similar pin for their hardware wallet and their phone.

-Dave

If I understand Dave's somewhat obtuse comment correctly, it would appear that his eyesight is failing him

@DaveF, if it makes you feel any better... I'm probably not far off needing to do the same!

Since I have several laptops and devices and only one of them has crypto software and my Ledger Live installation, I sometimes need to save a bitcoin address to check it on the other device or do something with it. For that purpose I also sometimes save it as a draft in my email so I can access it quickly on the second device. 

So what actually happened? I assume you didn't get infected with some clipboard hijacker. Was the copy/pasted thing correct and you just didn't see it properly or did you copy the wrong stuff?

I understood you , I just wanted to show it in numbers. Such an attack would be more difficult to organize about 30,000 times. And that's not counting the fact that Bitcoin has different address formats.

Bit of humor....

I have a crap multicoin hot wallet on my phone. When I need an address on my PC I either text myself and use google messages to copy and paste or I just email it to myself. Yes it's insecure but we are talking minimal amounts of LTC / DOGE and the like. I then verify the characters 5 though 8 since the app puts spaces in after every 4 and the last block of characters.

So this morning I sent a text and did a copy & paste and it was wrong, just a few letters at the end. I flashed back to this thread and worried, is it my phone, is it the laptop? Where and when and how did I get compromised? WTF?

The answer:
So....I really need to start wearing my glasses when doing stuff. That or get a bigger laptop screen.

-Dave

Correct, and I think that other smaller coins that have more characters would be a bigger problem, and it would be easier to generate fake addresses.

Sure they are much better than regular hot wallets, but you still need to confirm addresses properly, and not everyone is ''perfect'' like Pmalek  

You noticed I put a smiley at the end of that sentence, and then in next one I said that running something like this for Bitcoin would be more expensive.
However, this is another good reason not to use any altcoins on hardware wallets.

It's not anything new, it's just an improved version of clipboard attack with using of similar addresses.
Classic clipboard attack just replaces original address with any randomly generated address.

It's not exactly a new idea is it? I could swear there were reports of clipboard hijacking malware that did exactly this (contact a cloud based server to get a suitable "fake" address) at least 2-3 years ago.

Is it just the shear volume of available replacement addresses that is news?

The point is not that they like ETH, but that it is easier to generate an address base for it, since it uses hexadecimal encoding. Such addresses need to be generated 16⁸ (4 characters at the beginning and 4 at the end). Bitcoin uses Base58 encoding, so you need to create significantly more addresses 58⁸

They are only a character or 2 shorter

bc1qfesm8up3jezmxt2m9untmz34t4w7js7ppehe3w  (38 characters)
0x8d804fA98890C3438c91955F42B2b7880F94f5BD (40 characters)

But yes, hardware wallets give people a bit of a false sense of security. But they are still better then nothing.
But there are still people out there who don't believe in AV software because "they know better"
If you are not careful, no matter what the rest of us try to do to help you, it's going to go badly at times.

-Dave

I never consider that to be safe because clipboard attacks existed before, but this is some next level stuff and small script like this probably wouldn't even be detected by any antivirus software.

Yes all other coins including Bitcon are affected, but they obviously like ethereum so much they named this malware ethClipper. 
However, I think that cost for running Bitcoin related ClipperCloud distributed service for generating addresses would be much higher than for Ethereum.

Example they gave is for first and last 4 characters in address and I think that Bitcoin addresses are shorter than for Ethereum.
My thinking is that a lot of people would fall for this scam even with minimum changes possible, and hardware wallet is just giving them false sense of security.

Part of the question is how many characters (other then all) makes it safe. 6 at the beginning and 6 at the end. 7 & 7?

From one of the charts in the PDF going from 10 matches to 11 takes your storage from 104Tb 1625Tb (1.625Pb) a mere 9 characters is 6.5Tb
My back of the napkin math is that at 14 characters you need 360Pb of storage.

Seems unlikely to happen till storage prices drop a lot more....

-Dave

I only read some of its parts, but just to be sure, this could affect ^{[in theory]} other cryptocurrency addresses ^{[apart from Ethereum]} as well, am I right?

---

While I was scrolling through the PDF file, the following part caught my attention:

• Quote
  Intuitively, it is very important for the malware to substitute the address very quickly, before the user pastes the address to the wallet client application.
  So if someone uses an infected computer, but copy & pastes really fast, then that significantly lowers the chance for that malware to find a suitable address and substitute it!
  ^{- Perhaps, it's not as bad as I initially thought, but regardless of that, we should always double/triple-check everything.}

I guess it was expected that sooner or later the time will come that we can no longer consider hardware wallets to be safe to use on compromised and malware-infected computers.

I have been checking the entire address anyways. I might sound a bit arrogant, but since I check my addresses fully and multiple times, this couldn't happen to me. But I know that many like to check just a few characters in the beginning and a few at the end. Luckily, this hasn't been turned into a real malware just yet. As long as standard security practices are being followed, even if it does, you should know how to not get your devices infected.

Nice share dkbit98!

EthClipper is malware example of Clipboard Meddling Attack on Hardware Wallets with Address Verification Evasion, and paper is released by Nikolay Ivanov and Qiben Yan.

This malware targets hardware wallet owners using ClipperCloud distributed service and distributed database of pre-mined accounts that creates addresses with maximum visual similarity to the original one.
They tested this malware on Trezor One, Ledger Nano S, Ledger Nano X, and KeepKey hardware wallets, and manufacturers all confirmed danger of EthClipper.
EthClipper can run as a simple script and it doesn't need any hardware access or special os privileges.

EthClipper is using modified and improved version of clipboard hijacking with social engineering, ClipperCloud that mines and stores billions of addresses that are later compared with original address detected in clipboard, and ClipperCloud than finds visual similar address and replaces it.
It is harder for victim to recognize false generated address and they send coins to attackers address.


https://arxiv.org/pdf/2108.14004.pdf

One of the problems with this attack is bad design and small screen that many of hardware wallet devices have, like we can see in image below:
Biggest problem however is human mistake of not fully confirming address but just looking at first and the last part of address, like we can see in example of similar address replaced with ClipperCloud:



Interesting part is to hear replies this two developers received from hardware wallet manufacturers:


Recommendation for avoiding this kind of attacks would be to avoid doing partial address confirmation, better spend few more seconds to fully verify address, and using separate computer for crypto would always be a good advice.

One interesting attack for paper wallets is that you need only few seconds to take a picture of mnemonic seed words with your phone or camera.
No need to take full access, replace anything or even touch the paper.

This is a part of Supply Chain Attacks but it is interesting that it can even happen directly from factory.
You would receive wallet directly from manufacturer but someone who works in factory could send you counterfeited device.


Not just any metal.
Some metals like aluminum are not good for this purpose, and I remember how Jameson Lopp tested many metallic backups and some of them failed to perform as advertised:
https://jlopp.github.io/metal-bitcoin-storage-reviews/

This is an issue with almost any kind of storage, but a backup solves that. Arguably a backup of a paper wallet is easier, cheaper, more convenient, and easier verifiable than most other types of storage. Low tech FTW.

Or upgrade paper to some sort of etched metal type of thing.

I don't know if you would put this in the Supply Chain Attacks or someplace else but counterfeit devices are also a concern.
This is why buying any wallet from anyplace other then the manufacturer or one of their partners is bad.

This is why when I bought mine I bought from the people who built it. Not a 3rd party.

-Dave

I would add fire or flood damage to that list.

 

The alternative is to keep 100% offline and hidden the money you don't use on the daily basis.
It will clearly not mitigate all the possible attacks, but it will reduce greatly the chance for them to happen.

Generating the seed on a HW and writing it to a paper wallet may be safe enough, I think. But clearly, nothing is 100% sure.

I think you are a bit confused about Paper wallets, and what vulnerabilities are.
You can't spend funds from paper wallet until you import seed words to other type of wallets (hot, cold, hardware wallet), so the moment you start spending funds from paper wallet you are de facto not using paper wallet anymore.

There are other evil maid attacks. Where the evil hacker maid just spend your coins while you are out. The attacker dont need to replace your device with an identical one...


Well, if you ever want to spend your coins from your paper wallet you are vulnerable To this attack as well.


If the wallet has some security vulnerability which can be exploited while expending,  it should be considered a vulnerability of the wallet.

Imo that's a minor vulnerability which doesn't make any difference, for both hw and for paper wallets.

Since you need a computer of some sort to spend any coins, that's not exactly a vulnerability of the wallet.

AFAIK paper wallet is vulnerable only to a couple of things - wrench attack, and physical theft with no wrench involved.

Thanks for correction and suggestion for adding Man in the Middle attacks.
This attacks can happen with attacker changing addresses or QR codes so it is very important to check and verify everything on device.

Most of this attacks are not because of user mistakes, especially supply chain, human attacks, server attacks, and all device attacks.
Like I said in first post, some of this attacks can also happen for other devices.


It is much harder for attacker to replace your offline computer with identical tampered clone, in Evil Maid attack.


Why would you ever use clipboard for PAPER wallet?
It is generated offline and printed.

This cannot happen because once you failed the PIN 3 times, your device will be automatically resetted.


But what is the alternative, then?

As far as I understand, all those attacks can be done in a offline computer, they can be done in a paper wallet, and so on.

For example:

1 - Evil hacker maid attack can just get your offline computer and steal your money.

2 - You have a paper wallet, but you have a clipboard malware and you lose your coins.

Most of those attacks are users fault that could be easily avoided just by double checking destination addresses, hiding your device properly, and so on...

1. it steals, not stills (evil maid)
2. I think that you've missed Man in the Middle attacks. Ledger had this vulnerability in 2018 and in theory it's fixed, but newer HWs may be vulnerable to that without knowing it yet. So I would not rule this out.


I find HW a great tool for every day payments, but not really for keeping life changing amounts on them. And your pretty impressive list tells that I'm right about this.

We can all agree that Hardware Wallets are much better and safer way for storing Bitcoin than regular hot wallets installed on your computer or mobile phone.
This devices are designed for sole purpose of keeping users private keys and funds safe, and there are less attack vectors than for regular computers and phones but we should know that they are not perfect solution and there are many attack vectors.
You must take responsibility for keeping your backup, password and/or passphrase safe and there is no protection from attackers if you lose them.

Each hardware wallet manufacturer have different tactics for protection against this attacks and reducing attack surface, and some do it better than others but none of them are bulletproof.
Here I tried to collect most known hardware wallet attack vectors and some of them can be applied on other devices and not just hardware wallets.



Device Attacks

 - Firmware bugs - are always possible and we have them before for most hardware wallets, but updates get released soon after reporting.

 - Invasive attacks - are result of device being opened by attacker and to extract memory and password or replace chip.

 - Side channel attacks - can be done with analyzing device power, electromagnetic leaks or OLED and it was done before by invd on many hardware wallets.

 - Evil Maid attacks - can be done when attacker steal device from you and then modify it or replace it with other that gets returned to you as tampered.

 - Brute-force attacks - can be done when attacker brute-force your password and unlock the device.

Computer Attacks

 - Malicious apps attack - can be done with replacing original wallet app with malicious one installed on computer.

 - Malicious USB connection and cables - are one of the latest threats used to infect your devices with malware.

 - Clipboard hijacking - can be done with malicious program on your computer that can read clipboard and replace your addresses with different one.

 - Man in the middle attack - can happen when attacker manages to alter and change receiving address with malware.

Online Attacks

 - Server attack - is always possible for all hardware wallets and it can result in tracking your IP address and showing wrong balances.

 - Phishing Attacks - are happening often when user is tricked to enter his seed words on fake website wallet.

Supply Chain Attacks

 - Entropy attack - can be done using bad true random number generators or with backdoors in manufacturer secure element chips.

 - Device Shipping attack - can be done as soon as device leave the factory with help of employees or resellers.

 - Malicious firmware - can be installed and delivered to you without you ever knowing that.

 - Covert nonce channel attack - can be done by extracting the seed with encoding part of nonce and making malicious signatures.

Human Attacks

 - Wrench attack - can happen when attacker physically attacks you and threatens you to send them funds.

 - Stolen backup - can happen if you are not careful and passphrase should be used and kept separate.

 - Leaking Private Data -  happened several times when customer data was stolen by hackers and leaked from manufacturers like ledger.

 - Shoulder_surfing


Best PROTECTION against many of this attacks in using a good Multisig Setup.

---

This may look a lot at first sight and you may think that Air-gapped computer is a better solution, but please visit this website to see some of their attacks vectors:
https://airgapcomputer.com/

There is NO perfect solution

---

* This is work in progress; open for suggestion and changes