
Topic: Bitcoin Ledger and other hardware related questions. (Read 939 times)

legendary
Activity: 2870
Merit: 7490
When you say keyboard, you mean wired or wireless or both?  So basically if someone know you have crypto in your computer and had access to your keyboard, they can basically put something there and when its connected to your laptop, you are screwed?

I think they are talking about keyloggers, access to your copy and paste clipboard, etc.

True, but it can also be done at the hardware level, such as intercepting data from a WiFi/Bluetooth keyboard or using a USB keylogger. Examples:
1. https://www.heise.de/ct/artikel/Logitech-keyboards-and-mice-vulnerable-to-extensive-cyber-attacks-4464533.html
2. https://www.amazon.com/Keyllama-4MB-Value-Keylogger-black/dp/B004ZGXU48

But those attacks require the attacker to have physical access or be near you when you input sensitive information, which is very unlikely compared with the software-level attacks mentioned by bitmover.
legendary
Activity: 3500
Merit: 6981
Would you say its good to be always paranoid though? 
Cautious yes, paranoid no.  I think you're being paranoid about the risk of getting some malware installed onto something from a power bank.  I believe I already mentioned that you don't charge the Ledger from a power bank, so there's no need to ever connect the two.  As far as a power bank being able to infect a laptop....that's highly unlikely IMO.  There certainly hasn't been a case of that happening yet.

There is "being cautious" and then there is "being paranoid".
Right-o, and I think he's teetering toward the paranoid side.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
When you say keyboard, you mean wired or wireless or both?  So basically if someone know you have crypto in your computer and had access to your keyboard, they can basically put something there and when its connected to your laptop, you are screwed?

I think they are talking about keyloggers, access to your copy and paste clipboard, etc.

If the attacker had physical access to your computer or keyboard or hardware wallet this is certainly a problem, and I would consider those devices permanently compromised (unless you are dealing with small amounts of btc). Most successful hardware attacks had physical access to the device.

There are also some attacks in which you copy the correct address and paste the attacker's address (when making transactions). This is why ledger nano confirms the address in the device's led. Maybe he was talking about that as well.
full member
Activity: 1750
Merit: 186
When you say keyboard, you mean wired or wireless or both?  So basically if someone know you have crypto in your computer and had access to your keyboard, they can basically put something there and when its connected to your laptop, you are screwed?
HCP
legendary
Activity: 2086
Merit: 4361
I believe even cryptosteel is prone to being stolen and / or rust taking place on it and messing up with the paper inside (as I know about a few use cases where metal changes its form in size and shape due to various air / oxygen / iron related issues and this could be dangerous while removing the paper as it may also end up tearing paper into many pieces).
Just FYI, you generally don't store paper in a "cryptosteel" type seed mnemonic storage device.

The idea is that you either engrave or "punch" the seed mnemonic directly into the metal... or you use laser engraved letter "tiles" to piece the words together.
legendary
Activity: 3052
Merit: 1273
But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5.  Mouse
6.  Keyboard

Anything which has a microcontroller which doesn't verify the firmware.
So, yes.. everything in your list. At least on a theoretical level.

Wow, surprised! I mean what the hell? Even these kind of hardware are prone to stealing our data at a theoretical (and to some extent, real) levels? I'm actually shocked to know about this list and very much scared to know that almost every digital device out there has got some sort of weakness which can be used by stealers / hackers to steal / transmit our data through various channels implemented into these devices. Heck, this discussion gave me an in-depth look into what kind of software / hardware can be dangerous in fetching our fortunes (yes, our data is everything for us) and how we can save ourselves from becoming a victim.



You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" Roll Eyes

Lolz, I'm actually getting a complex from that guy whenever he asks a question and uses the same pattern I've used to make it my only used way to ask a question here. After reading the thread today and the way he's asking back-to-back questions make me feel that I'm his alt. /jk (don't take my words seriously Tongue)

I believe even cryptosteel is prone to being stolen and / or rust taking place on it and messing up with the paper inside (as I know about a few use cases where metal changes its form in size and shape due to various air / oxygen / iron related issues and this could be dangerous while removing the paper as it may also end up tearing paper into many pieces). I believe the only way to save our hardware from being malevolent is to keep it away most of the time from using online (I mean connected to internet).
legendary
Activity: 1624
Merit: 2481
How much money and time would it take for someone to install keylogger/malware into something like a powerbank?  Whether its a powerbank for laptop or powerbank that is used for portable devices?  Would it be even worth the time and money though?  But if they knew the buyers had crypto on their computer for example, then wouldn't some scum do that?

Money? Probably just a few bucks
Time? Depends on the actual microcontroller you try to tamper with.
You can't generalize this by saying it takes X minutes/hours/days.

Some USB sticks, for example, can be tampered with within a few minutes (software side).
Others would require to replace the controller completely.

Each device is different and it almost always is not a trivial task.



But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5.  Mouse
6.  Keyboard

Anything which has a microcontroller which doesn't verify the firmware.
So, yes.. everything in your list. At least on a theoretical level.



Wouldn't mouse and keyboard be the easiest and least detectable thing because most ppl wouldnt even think about it?  Example imagine someone knows a certain someone has crypto in their computer and does not have nano ledger etc.  Someone could lend or give someone a mouse or keyboard...they connect to their computer, they are now screwed right?

Sure.

There have also already been many cases where keyloggers have been hidden in keyboards.
Not by directly manipulating the microcontroller, but by inserting a small chip which reads out the keyboard buffer every X milliseconds.

There are countless ways to gain access to sensitive information. Effectively you can not protect yourself against all of them. It is a probability game.
If you buy your hardware from a trusted seller and don't let some shady techy people (who want to harm you) access it, you are pretty much safe.



But where would you rank powerbanks?  What about powerbanks that only connect to the power outlet in your laptop?  I mean it does not connect to your laptop usb.  


What if someone lends you say their asus or dell laptop charger?  Is it possible for them to lend or sell you an asus or dell laptop ac adapter charger where connecting it gives you malware/keylogger?  Of course it connects to the power plug in your laptop only... not the usb-c port in your laptop.  

As others have mentioned, if there is no data connection, no data can be transmitted.
And therefore no malware can be transmitted / installed.



You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" Roll Eyes

Well.. what if this happens? Is it safe to spread my cryptosteel around 10 banks then? What if there are a lot of bombs being dropped ? Is it safe then ?  Tongue
HCP
legendary
Activity: 2086
Merit: 4361
Would you say its good to be always paranoid though? 
There is "being cautious" and then there is "being paranoid". This should solve all your problems: https://mcphee.com/products/tin-foil-hat Roll Eyes

Seriously, you keep banging on about USB and USB-C devices... you've already been told, simply get "power only" cables or those data blocker adaptors that were listed above. Problem completely solved. You could even buy a powerbank from "Hackers R Us" and use it with those and you'd have no need to worry.

You keep playing the "what if?" game and never seem to want to make an actual decision. If you keep doing that, you'll eventually get to the level of: "Well, what if someone drops a dirty bomb on the bank where my cryptosteel is stored in a safety deposit?" Roll Eyes

Refer: Analysis Paralysis
full member
Activity: 1750
Merit: 186
Hey all.  I know you cannot infect a hardware wallet.  Im well aware of that.  I mean a laptop powerbank or powerbank infecting your computer or laptop.  Thus imagine your password manager like lastpass or keepass gets compromised.  Or other wallets you have on your wallet gets compromised such as electrum or similar wallets with other altcoins.



Would you say its good to be always paranoid though?  I mean remember... when electrum message show update... how much percentage of ppl even think... okay this looks suspicious.  Would you say that is something to be paranoid about?  Like if i opened electrum and saw that update that ppl saw... i could not tell you if i would have updated it or not.... because well its a message directly from electrum.  But if it goes to github... obviously i would be a bit suspicious but i wouldnt know.  But always better to be careful and paranoid right?  I mean, anyone that is not paranoid with electrum, well they wouldnt think much besides okay i got to an update.. you agree with me here?



Well i just want to know if an ac power bank can be compromised... Example imagine someone put something in it... then sells it.  Then that person who uses it whether they have crypto or do things like online banking and online shopping... then the seller could see everything on their screen and keylog everything.  I mean back then... i never had any laptop or online security at all.  I didnt even use a password manager.  You would not believe how foolish my passwords were for many sites that i go on.  So when i hear okay someone could stick a usb flash drive in your laptop while you are away for 1 minute and you got a virus... thats when i thought well what else could hackers do?  I mean let say you know someone has lot of crypto and they want to buy a mouse or keyboard and you have one.  Well a scumbag hacker could put things in it... then sell it to you without you knowing anything was done to it... would you agree? 


Okay powerbanks connected usb or usb-c could compromise the device.  That is what i wanted to know.  So now i know this for sure but i figure it has to since if flash drive connected usb could... usb-c should as well.


Well possible and probable... i get what you mean by it.  Well if someone on amazon or ebay was selling keylogging flash drives, well they could say i bought from reseller or it was new etc... and not be responsible. 


Because i previously a long time ago have bought a used modem before.  But of course back then, i had no computer security whatsoever.  So i want to know like what products you buy can possibly be compromised.  I mean put it this way... if you use a computer for crypto and banking, you certainly dont feel safe buying a used computer right?  But if you wipe it fully and use a new hard drive... that is fine?  But of course there is chance of RAM having malware... i read about this.  Yes its very paranoid.  But i rather be that then not think of anything... and then suddenly you got keylogged or malware without you knowing...
HCP
legendary
Activity: 2086
Merit: 4361
Honestly, I'm not sure that there is ANYTHING that will satisfy your level of paranoia Roll Eyes

Asking whether a device can be compromised by an AC power bank like that is just ridiculous. If all it does is connect to your laptop via the normal power cable, that is simply impossible.

Yes, power banks that connect via USB or USB-C connectors could theoretically be a disguised device setup to compromise your device. However, in that instance, the attack vector is instantly rendered useless by simply using "power only" USB cables/connectors as already discussed.

I think you need to learn the difference between "possible" and "probable". For instance... is it "possible" that I could randomly generate the same seed as your HW wallet? Yes, the odds are non-zero... BUT is it "probable"? Hell no... the odds are so ridiculously small that it may as well be considered "impossible". Tongue

Is it possible that someone is selling keylogging USB power banks on Amazon? Yes... is it probable? I'll let you figure that one out...
legendary
Activity: 2758
Merit: 6830
Okay yes i meant like a powerbank that charges your laptop... so the chargetech power bank.  But do you think its possible for someone to do something do it put malware/keylogger on it... thus compromise it... then when you connect it to your laptop... you get compromised?  I assume possible but no one would go to these lengths right?  Also the chargetech power bank... its connects to the power port of your laptop right?  Or does it go into the usb-c of your laptop?

Did you buy all these items new from amazon and that chargetech site?  It was from amazon directly right and not 3rd party?  If so, then there would be nothing to worry about.  
There is no way to infect your hardware wallet this way. If that was the case, that would also happen when you even put it in an infected PC.

Right now I don't think there is any way of infecting your HW. Not from an infected PC, not from a USB/powerbank/charger/etc...

All I could see happening is a bad USB disguised as a power bank. But all that could possibly do is infect your PC, not your HW.
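
Several replies make the same point: a charge-only connection carries no data, while a USB device disguised as a power bank has to enumerate on the host before it can do anything. The following is an added example, not part of any post in this thread, that shows on Linux what a newly plugged "charger" actually presents; the function names are illustrative and it assumes the standard sysfs layout under `/sys/bus/usb/devices`.

```python
"""Added example: report what a newly attached USB "charger" enumerates as (Linux sysfs)."""
import os

# USB-IF interface class codes (bInterfaceClass) worth naming in a report.
CLASS_NAMES = {
    0x02: "communications (CDC)",
    0x03: "HID (keyboard/mouse class)",
    0x08: "mass storage",
    0x09: "hub",
    0x0A: "CDC data",
    0xE0: "wireless controller",
    0xFF: "vendor specific",
}


def _read(path):
    """Return a sysfs attribute as stripped text, or '' if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def snapshot(root="/sys/bus/usb/devices"):
    """Map each enumerated USB device to its IDs and (class, protocol) interface pairs."""
    devices = {}
    if not os.path.isdir(root):
        return devices
    for name in sorted(os.listdir(root)):
        dev_dir = os.path.join(root, name)
        # Entries with ':' (e.g. "1-2:1.0") are interfaces; devices carry idVendor.
        if ":" in name or not os.path.isfile(os.path.join(dev_dir, "idVendor")):
            continue
        interfaces = []
        for sub in sorted(os.listdir(dev_dir)):
            cls = _read(os.path.join(dev_dir, sub, "bInterfaceClass"))
            if ":" in sub and cls:
                proto = _read(os.path.join(dev_dir, sub, "bInterfaceProtocol")) or "00"
                interfaces.append((int(cls, 16), int(proto, 16)))
        devices[name] = {
            "id": _read(os.path.join(dev_dir, "idVendor")) + ":"
                  + _read(os.path.join(dev_dir, "idProduct")),
            "product": _read(os.path.join(dev_dir, "product")),
            "interfaces": interfaces,
        }
    return devices


def new_devices(before, after):
    """Devices present in the second snapshot but not in the baseline."""
    return {name: dev for name, dev in after.items() if name not in before}


def assess(dev):
    """Describe each interface a device exposes to the host."""
    findings = []
    for cls, proto in dev["interfaces"]:
        label = CLASS_NAMES.get(cls, "class 0x%02x" % cls)
        # Protocol 1 on a HID interface is the boot keyboard protocol. A HID
        # interface with protocol 0 can still be a keyboard, so treat any HID
        # interface on a "charger" as unexpected.
        if cls == 0x03 and proto == 0x01:
            label = "HID boot keyboard (can type into the host)"
        findings.append(label)
    return findings


def report(before, after):
    """One line per newly enumerated device; an empty list means nothing enumerated."""
    lines = []
    for name, dev in new_devices(before, after).items():
        what = ", ".join(assess(dev)) or "no interfaces read"
        lines.append("%s %s %r exposes: %s" % (name, dev["id"], dev["product"], what))
    return lines


if __name__ == "__main__":
    baseline = snapshot()  # take this with the charger unplugged
    input("Plug in the charger or power bank, wait a few seconds, then press Enter... ")
    lines = report(baseline, snapshot())
    print("\n".join(lines) if lines else "Nothing new enumerated: no data connection was made.")
```

With a power-only cable or data blocker in line, the second snapshot matches the baseline and the report is empty.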
full member
Activity: 1750
Merit: 186
Okay i see this.  So these actually charge your laptop as well?  Or you use it for your phone?  IM curious but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then moment you connect laptop to it or tablet/phone to it... you get keylogged?
The only one I've used to charge a laptop is the Chargetech power bank, because it has an AC outlet whereas the others don't.  The other power banks I use are mainly for my phone, my headphones, and various other electronics that need to be charged via USB.  

That Chargetech badboy will charge any laptop.  It'll power your refrigerator for a short time, too (though I haven't tried it).  And I think you got your answer from other users:  there won't be any keylogger on any of these chargers.  Well, maybe some of them think it's possible, but I'm sure as hell not worried about it.




Okay yes i meant like a powerbank that charges your laptop... so the chargetech power bank.  But do you think its possible for someone to do something do it put malware/keylogger on it... thus compromise it... then when you connect it to your laptop... you get compromised?  I assume possible but no one would go to these lengths right?  Also the chargetech power bank... its connects to the power port of your laptop right?  Or does it go into the usb-c of your laptop?



Did you buy all these items new from amazon and that chargetech site?  It was from amazon directly right and not 3rd party?  If so, then there would be nothing to worry about. 
legendary
Activity: 3500
Merit: 6981
Okay i see this.  So these actually charge your laptop as well?  Or you use it for your phone?  IM curious but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then moment you connect laptop to it or tablet/phone to it... you get keylogged?
The only one I've used to charge a laptop is the Chargetech power bank, because it has an AC outlet whereas the others don't.  The other power banks I use are mainly for my phone, my headphones, and various other electronics that need to be charged via USB.  

That Chargetech badboy will charge any laptop.  It'll power your refrigerator for a short time, too (though I haven't tried it).  And I think you got your answer from other users:  there won't be any keylogger on any of these chargers.  Well, maybe some of them think it's possible, but I'm sure as hell not worried about it.

Edit:

Did you buy all these items new from amazon and that chargetech site?  It was from amazon directly right and not 3rd party?  If so, then there would be nothing to worry about. 
Yeah, all from either Amazon or Chargetech; nothing was used.
full member
Activity: 1750
Merit: 186
1.  What if you bought say a used modem/router?  Then start using it.  Is it possible to get hacked very easily with this if you use a laptop and connect to the modem/router?
Yes. An attacker could replace the modem or router's firmware with a malicious version which could do a variety of things, including transmitting your data to them, allowing them access to your home network, transferring malware on to connected devices, etc.

2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?
Provided your laptop charges from a dedicated AC power port such as this one, then there is no risk of infection:


If your device charges via a port which also accepts data connections (so all mobiles and tablets, and some laptops, notably Apple ones), then it is entirely possible. This kind of attack is known as "juice jacking".

3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
Yes. This is "juice jacking" as above.

As well as DIYing your own cable as HCP has said, you can buy adapters which will fit to any cable and only transfer the charging pins and not the data pins. Example: https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8/




Hi there.  Okay thats what i thought about with the modem/router.  Thanks for confirming this.


You posted the plug for a laptop charger.  Yes that is what i mean.  Something like that which connects to the power port of your laptop.  So as long as you stick something like that to your power port to your laptop, its impossible to get anything?  What if they compromise the charger itself?  The big part of the laptop charger?



What about a powerbank... that connects to something like that?  Are you saying if it looks anything like that... that you connect to your power port on your laptop even if its a shorter one... its impossible?


I seen power banks where it does not charge into the power port in the laptop... instead it charges into the usb-c port of the laptop instead.  Have you seen this or know what im talking about here?
So you are saying.. that is definitely possible for malware right?  And that is juice jacking?


Thanks.


full member
Activity: 1750
Merit: 186
So is it possible or not possible for someone to install malware/keylogger on this... then moment you connect laptop to it or tablet/phone to it... you get keylogged?
[.. ]is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manage you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?

Yes.

Anything which has a micro controller can be tampered with, either by reprogramming (doesn't work with all micro controller) or replacing it.
That's by the way one reason (if you have sensitive data on your computer) why i would discourage from plugging in USB sticks from other people. They don't necessarily want to intentionally damage you.. but who knows how they are handling their ITsec..

USB sticks are the most prominent and most probable example of getting infected.
Real micro controller tampering happens rarely, but is very well possible.


But if you start to believe everyone wants to infect you (e.g. official powerbank seller, amazon, etc..), you might start getting a bit too paranoid.





Bob thanks for the response.  Well for power banks whether its for laptop or phones/tablets... if its from the official site, well that is safe.  I mean say from amazon 3rd party on ebay... would you say there is risk with this?  Also with amazon... assuming it comes directly from amazon.com and not 3rd party, there is no risk right?  Now if you buy a powerbank from dell or apple site... pretty much zero risk since it comes from them directly right?



How much money and time would it take for someone to install keylogger/malware into something like a powerbank?  Whether its a powerbank for laptop or powerbank that is used for portable devices?  Would it be even worth the time and money though?  But if they knew the buyers had crypto on their computer for example, then wouldn't some scum do that?



Yes i know usb flash drives can easily have malware.  Even i know this.  Yes if someone connects usb stick to your laptop, that is not good because like you said most likely they are not trying to put malware on your computer, its you dont know where their usb has been. 


But the real micro controller tampering you are talking about, what devices would this include?  I assume


1. Modems
2. Routers
3. Printers
4. Powerbanks
5.  Mouse
6.  Keyboard



Wouldn't mouse and keyboard be the easiest and least detectable thing because most ppl wouldnt even think about it?  Example imagine someone knows a certain someone has crypto in their computer and does not have nano ledger etc.  Someone could lend or give someone a mouse or keyboard...they connect to their computer, they are now screwed right?



But where would you rank powerbanks?  What about powerbanks that only connect to the power outlet in your laptop?  I mean it does not connect to your laptop usb.  But still that doesn't matter?  What about say powerbanks that connect to usb-c?  Now that is much more different right? 



What if someone lends you say their asus or dell laptop charger?  Is it possible for them to lend or sell you an asus or dell laptop ac adapter charger where connecting it gives you malware/keylogger?  Of course it connects to the power plug in your laptop only... not the usb-c port in your laptop. 
legendary
Activity: 2268
Merit: 18711
1.  What if you bought say a used modem/router?  Then start using it.  Is it possible to get hacked very easily with this if you use a laptop and connect to the modem/router?
Yes. An attacker could replace the modem or router's firmware with a malicious version which could do a variety of things, including transmitting your data to them, allowing them access to your home network, transferring malware on to connected devices, etc.

2.  What if you bought like a charger for your laptop?  Or what about those powerbanks that work for laptops?  Like those that connect to your laptop to give you a charge when you cannot find an outlet?  Could someone do something to it where when you connect it to your laptop, you can get malware/keylogged?
Provided your laptop charges from a dedicated AC power port such as this one, then there is no risk of infection:


If your device charges via a port which also accepts data connections (so all mobiles and tablets, and some laptops, notably Apple ones), then it is entirely possible. This kind of attack is known as "juice jacking".

3.  What about connecting your iphone or android phone to someone's power bank?  Or what about connecting them to an outlet say at starbucks or coffeeshop?  Could someone set something up in those outlets etc?
Yes. This is "juice jacking" as above.

As well as DIYing your own cable as HCP has said, you can buy adapters which will fit to any cable and only transfer the charging pins and not the data pins. Example: https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00T0DW3F8/
HCP
legendary
Activity: 2086
Merit: 4361
If you're super concerned... just use a "power only" usb cable... ie. one that doesn't have the data pins connected. Then it doesn't matter what sort of USB port you plug into, the only thing that will be transferred is power.

You can even DIY this: https://www.instructables.com/id/USB-Condom/ Tongue
legendary
Activity: 1624
Merit: 2481
So is it possible or not possible for someone to install malware/keylogger on this... then moment you connect laptop to it or tablet/phone to it... you get keylogged?
[.. ]is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manage you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?

Yes.

Anything which has a micro controller can be tampered with, either by reprogramming (doesn't work with all micro controller) or replacing it.
That's by the way one reason (if you have sensitive data on your computer) why i would discourage from plugging in USB sticks from other people. They don't necessarily want to intentionally damage you.. but who knows how they are handling their ITsec..

USB sticks are the most prominent and most probable example of getting infected.
Real micro controller tampering happens rarely, but is very well possible.


But if you start to believe everyone wants to infect you (e.g. official powerbank seller, amazon, etc..), you might start getting a bit too paranoid.

full member
Activity: 1750
Merit: 186
I'm confused why you say


powerbank to laptop to nano ledger s? 


Do you mean if you wanted to use the nano ledger s but the issue is your laptop is low battery so you connect the power bank to it to it can charge it?  That way it has enough battery on the laptop so you can connect your nano ledger?


If so, i didn't mean that.  I just mean like if you ever connect a power bank to your laptop... is it possible for someone to put malware or firmware on it where the moment you receive the powerbank... then whenever you connect it to your laptop or tablet/phone... now your device is compromised.  Thus any password manage you use or email you use when you type it in your laptop, is now compromised because that powerbank is compromised.  Does that make sense in what im asking?


I know that even if your laptop is compromised... even if you connect your nano ledger s to it, there is no issue because when you send btc... it will show the actual address you are sending to if its to a different btc address, then you wont send the btc. 
full member
Activity: 1750
Merit: 186
Can you post link of which powerbank you have?  Like is it powerbank only for laptop?  Or its those that are for tablets/phones mostly?
I'll post the Amazon links, since that's where I got them from:

RAVPower 26800mAh Dual Input Port Battery Pack

Solar Power Bank, RAVPower 25000mAh Outdoor Solar Phone Charger

JETSUN Solar Charger, 16750mAh Power Bank

And then I got this bad boy from Chargetech.com: 54K PLUG PRO.  I think that's a link to their whole site and not to the specific charger, but they have some great products.



Okay i see this.  So these actually charge your laptop as well?  Or you use it for your phone?  IM curious but what laptop do you have that works with these power banks?


So is it possible or not possible for someone to install malware/keylogger on this... then moment you connect laptop to it or tablet/phone to it... you get keylogged?