Pages:
Author

Topic: Even air-gapped wallets aren't safe... (Read 645 times)

full member
Activity: 756
Merit: 112
May 03, 2019, 08:42:21 PM
#32
'the sound of hard drives', woah.

attack vectors are only going to become more clever. the incentives get more compelling by the year.

as for my airgapped computer, i took out all connectivity like the wifi card and bluetooth stuff and put a brand new hard drive in it. it's never been anywhere near the internet and never will. of course the OS came from the internet but it can't talk to it.

i sleep well enough at night. if ninjas come around and scan me while i sleep then so be it.

as for the skeptics, sometimes these things start off at the height being theoretical, then the refinements start to arrive...

I think at some point it becomes unhealthy to worry about such far fetched situations and you may end up making a bigger mistake due high levels of stress in the process.

If you are worried about someone building patterns from the HDD noise... an SSD makes no noise that I know off since it has no moving parts.

And again if you are worried about airwave signals you can buy one of these:



Then only open your computer inside the sealed tent.

Haha I think this is too much. But if it is really needed better to buy one for use every 5 to 10 years. Since air gapped computers are mostly used often.
brand new
Activity: 0
Merit: 0
seriously, the only really secure method of storage is to put ll the funds into a new paper wallet
then send the private key to me and i will look after it for you....and will send them back to you when needed
how could a hacker comprimise that?


Wink
legendary
Activity: 2912
Merit: 1386
I guess it kinda goes to show you that the only un-hackable piece of technology is your good old fashioned brain! Bring back the brain wallets!

Random speculation does NOT constitute realistic threats to security.

Random speculation does not support a theory of weakness against threats.
newbie
Activity: 168
Merit: 0
I think since, the eyes of hackers is on this new emerging cryptocurrency market, it is becoming increasingly difficult for them to hack from computers that are connected to the internet. Therefore, I think they are finding new ways. Before, we simply ignore that it is not possible, I think this needs more discussion and if necessary, steps need to be taken to protect ourselves. But, I guess, in general it is not easy to hack an air-gapped wallets.
sr. member
Activity: 518
Merit: 268
Exactly... just like the Ledger wallet exploit was... And if you think people who setup a Pi are going to check every line of code in the distro that they download... you're the world's greatest optimist! Tongue
That's why checksums and digital signatures were invented. Also Github let's you see all changes that were done from the last release, so you don't have to check the whole code for back-doors every time a new version is released
newbie
Activity: 19
Merit: 0
I guess it kinda goes to show you that the only un-hackable piece of technology is your good old fashioned brain! Bring back the brain wallets!
legendary
Activity: 2912
Merit: 1386

you use a QR code to move the pre-signed transaction from the air gapped computer which has no access to internet in anyway.....

QR-Codes are like a red flag to a bull and says "Read me, i am a password" to the O/S ....

But this is ridiculous.

SO WHAT? That's information you want to be transferred.

This discussion is falling into the logical error of the "Irrefutable Hypothesis."
legendary
Activity: 1288
Merit: 1087
April 27, 2018, 11:55:54 AM
#23
I think at some point it becomes unhealthy to worry about such far fetched situations and you may end up making a bigger mistake due high levels of stress in the process.

yep. life is indeed too short and there will always be new scares out there.

but maybe absolute guaranteed safety will always be slightly beyond reach. it does make me wonder about how stuff like that affects the perception of crypto for newcomers.

the hacks of legit services have usually been through some crazily obvious old chestnuts like an employee opening an email attachment. one day it might happen through one of these super techie methods at which point faith might crumble a little.
legendary
Activity: 1232
Merit: 1091
April 27, 2018, 11:53:50 AM
#22
as for the skeptics, sometimes these things start off at the height being theoretical, then the refinements start to arrive...

That's why I stopped using my Trezor and Nano S hardware wallets more than a month ago. I know for most people there isn't much to worry about, and the manufacturers come up with fixes in a quick fashion, but it's just too repetitive for me to feel good about these hardware wallets. I'm back using the less convenient paper wallets as cold storage option, but I don't mind losing convenience when I get more security for it in return. Usually people easily ignore things like exchange hacks and other situations having ended in coin loss, but they fortunately do pay close attention to their hard ware wallets, which is quite interesting.
legendary
Activity: 1372
Merit: 1252
April 27, 2018, 11:49:48 AM
#21
'the sound of hard drives', woah.

attack vectors are only going to become more clever. the incentives get more compelling by the year.

as for my airgapped computer, i took out all connectivity like the wifi card and bluetooth stuff and put a brand new hard drive in it. it's never been anywhere near the internet and never will. of course the OS came from the internet but it can't talk to it.

i sleep well enough at night. if ninjas come around and scan me while i sleep then so be it.

as for the skeptics, sometimes these things start off at the height being theoretical, then the refinements start to arrive...

I think at some point it becomes unhealthy to worry about such far fetched situations and you may end up making a bigger mistake due high levels of stress in the process.

If you are worried about someone building patterns from the HDD noise... an SSD makes no noise that I know off since it has no moving parts.

And again if you are worried about airwave signals you can buy one of these:



Then only open your computer inside the sealed tent.
legendary
Activity: 1288
Merit: 1087
April 27, 2018, 11:31:24 AM
#20
'the sound of hard drives', woah.

attack vectors are only going to become more clever. the incentives get more compelling by the year.

as for my airgapped computer, i took out all connectivity like the wifi card and bluetooth stuff and put a brand new hard drive in it. it's never been anywhere near the internet and never will. of course the OS came from the internet but it can't talk to it.

i sleep well enough at night. if ninjas come around and scan me while i sleep then so be it.

as for the skeptics, sometimes these things start off at the height being theoretical, then the refinements start to arrive...
legendary
Activity: 1372
Merit: 1252
April 26, 2018, 10:01:38 AM
#19
you use a QR code to move the pre-signed transaction from the air gapped computer which has no access to internet in anyway.....

QR-Codes are like a red flag to a bull and says "Read me, i am a password" to the O/S

Your not selling any old 286/486 machines are you running NT 4 with a 10baseT network card are you because I think we need to
go back to them days to own one of these things they use to call a "personal computer"

CD-Rom, no updates, just service pack II, lovely days.

The idea of using QR codes is that you don't connect any device to the offline computer. So you put the hash of the pre signed transaction in the hot node avoiding devides.. this is better than nothing and way safer than transporting raw transactions with an USB, and im not going to burn a CD just to carry basically some lines of text, which I will dump in a text editor and analyze before entering it in the clients just in case the QR is modified somehow during the process which is just insane paranoid mode.

And yes computers haven't been safe for ages but pre 2008 computers with libreboot seem to be as good as it gets for freedom these days it seems, older ones are just unusable.

I have never seen conclusive proof of someone being censored because of their opinions here. Franky1 for instance has been talking about how awesome big blocks are for years and he is a Legendary member.

Wanna see my inbox, full of deleted message warnings and if you think you have freedom of speech here then try presenting an argument that
miners have become a greedy monopoly and that Bitcoin is well past it's sell by date and then report back to me.

Your not trying hard enough !

There's plenty of people claiming mining is centralized, I don't see the problem which such clam. As long as you aren't spamming the forum the posts will remain, at least in my experience. I mean even Core devs which are admins in this forum claim mining is centralized (Luke-jr for instance).
member
Activity: 210
Merit: 26
High fees = low BTC price
April 25, 2018, 11:48:14 AM
#18
you use a QR code to move the pre-signed transaction from the air gapped computer which has no access to internet in anyway.....

QR-Codes are like a red flag to a bull and says "Read me, i am a password" to the O/S

Your not selling any old 286/486 machines are you running NT 4 with a 10baseT network card are you because I think we need to
go back to them days to own one of these things they use to call a "personal computer"

CD-Rom, no updates, just service pack II, lovely days.
legendary
Activity: 1372
Merit: 1252
April 25, 2018, 11:25:03 AM
#17
Before I reply I would like to say that the ministry of Bitcoin propaganda runs this forum and keeps removing posts.

I looked into these air-gap bridges and you can download apps from play store that produce spectra graphs and you can
even send and receive cartoon like images using nothing more than sound.

Turns out that some TV adverts are using sound to communicate with apps ruining on "Smart Phone" so this is not science
fiction and is fact.

Developers should keep away from using any microsoft blackbox code and the same goes for google android code that's
all over our phones because "They" are years ahead of where we think they are when it comes to steeling our data.








I have never seen conclusive proof of someone being censored because of their opinions here. Franky1 for instance has been talking about how awesome big blocks are for years and he is a Legendary member.

Anway to go back on topic: The reason an airgapped computer defeats a hardware wallet is that you can avoid using the USB to access the wallet. The wallet is always inside the airgapped computer, and you use a QR code to move the pre-signed transaction from the air gapped computer which has no access to internet in anyway, to an online node. So this way you avoid the USB vector attack. I don't see how trusting a third party device is better than that.
legendary
Activity: 3108
Merit: 2177
Playgram - The Telegram Casino
April 25, 2018, 04:18:14 AM
#16
Curious how people went off the deep end with regards to the Hardware Wallet "Proof of Concept" exploits... that also REQUIRE physical access to the device... and yet this "proof of concept" receives the following

PoC exploits should always be taken seriously, despite being PoC only. Apart from that I fully agree with you. The PoC in question doesn't even affect hardware wallets to begin with. It just shows that if you have full access to an unsecured hardware device and its software you can do amazing things with it.

As an attack it is thwarted by applying best practices in terms of security. Which is why these best practices exist to begin with.


Looks like the only secure way is to write down private keys and store separate parts of them in fireproof, blast proof steel cube.

Or, you know... buying a hardware wallet.
legendary
Activity: 1904
Merit: 1159
April 24, 2018, 09:49:28 PM
#15
Great topic. It must be such a source of tension for people who have hundreds of BTC and other crypto. So many attack vectors and new are being researched everyday.
Even if you ensure that your air-gapped hardware has no malware , there is the Meltdown and Spectre vulnerability! While a software patch suffices for Meltdown, Spectre needs a hardware fix it seems. So Goodbye old processors!!
Looks like the only secure way is to write down private keys and store separate parts of them in fireproof, blast proof steel cube. You could always leave crytpic clues for your grandson/daughter (National Treasure) if you are worried about succession. It is interesting that cryptocurrency wave has provided renewed motivation to academic work on such attacks. Wonder how far along SHA-256 attacks are?
HCP
legendary
Activity: 2086
Merit: 4361
April 24, 2018, 08:24:28 PM
#14
Curious how people went off the deep end with regards to the Hardware Wallet "Proof of Concept" exploits... that also REQUIRE physical access to the device... and yet this "proof of concept" receives the following:

NOTE: quote "owners" removed on purpose... not trying to start arguments here!

Quote
These concepts are not new, spy agencies and expert hackers have a lot of methods for stealing data from air-gapped machines, but they are very complicated and require some complex setup, so it's very unlikely that someone with this level of expertise would target private users. Big targets like exchanges should be the ones who must be worried about such attacks, especially with the risks of rogue employees helping those hackers by installing some devices or software.
Much like the recent Ledger exploit... that wasn't some "script kiddie" downloadable rootkit... it required some serious know how.


Quote
But only big exchanges/services or popular people on Cryptocurrency/cryptography world should worry about this problem.
Why? Shouldn't anyone using a cold storage device take appropriate precautions? Huh


Quote
It's a really unrealistic scenario. You shouldn't be taking off your raspberry pi/airgapped laptop out of your house ever, you should only open it when there are no cameras around. If there are phones are around, there are cameras around too... and you can assume someone has recorded you entering your wallet password and so on, so why would you go out with your cold storage device.
So an "Evil maid" is realistic for hardware wallets... but not cold storage airgapped machines? Huh


Quote
This is more like a proof of concept than something we can see too often in the wild.
OK, a bad linux distro can do that. Or a compromised clone of the wallet. And I expect that people that start to setup a PI has that much common sense to check this.
So I don't really see how this infection could happen, really.
Exactly... just like the Ledger wallet exploit was... And if you think people who setup a Pi are going to check every line of code in the distro that they download... you're the world's greatest optimist! Tongue


Not claiming that hardware wallets are better (or worse) than air gapped machine... My point is just that, as always... claims of "safe and secure" ALWAYS need to be taken with a grain of salt... NOTHING is 100% secure... and nothing should be treated as such.
legendary
Activity: 3108
Merit: 2177
Playgram - The Telegram Casino
April 24, 2018, 04:48:14 PM
#13
I think this is the most important thing about cold storage, hardwallets, etc.
People buy hardwallets a little cheaper from third party seller, compromising security.

As Bitcoin was booming we watched as these hardware wallets doubled in price so lets not pretend that we are
dealing with nice people here who can themselves be trusted.

That those third party resellers can not be trusted is exactly the point that bitmover is making though.

If you refer to SatoshiLabs and Ledger themselves -- SatoshiLabs never increased the Trezor price, except for priority shipping. Ledger did increase their price, but not even close to doubling it.

Keep in mind that both those companies are rather small operations, so production bottlenecks are indeed a thing and not just a way to artificially manipulate supply and demand.


God knows what Microsoft get up to when you plug these wallets into the USB ports and the same is also true
with Intel Chips and I think you are safer trusting something made in China than anything made in the USA.

Doesn't matter. Hardware wallets are built to work securely even on compromised computer systems, regardless of whether it's been compromised by malware or out-of-the-box. That applies to both the computer's software and hardware.


We still don't have the right formula but maybe something using optical none electrical crystal lenses that you
wear as glasses is going to be the way to go.

Light-based quantum encrypted transmission channels have existed for a long time and have been cracked as far back as 2010:
https://www.nature.com/news/2010/100829/full/news.2010.436.html

I'm not sure how this relates to the current discussion though.
member
Activity: 210
Merit: 26
High fees = low BTC price
April 24, 2018, 03:03:23 PM
#12
I think this is the most important thing about cold storage, hardwallets, etc.
People buy hardwallets a little cheaper from third party seller, compromising security.

As Bitcoin was booming we watched as these hardware wallets doubled in price so lets not pretend that we are
dealing with nice people here who can themselves be trusted.

God knows what Microsoft get up to when you plug these wallets into the USB ports and the same is also true
with Intel Chips and I think you are safer trusting something made in China than anything made in the USA.

We still don't have the right formula but maybe something using optical none electrical crystal lenses that you
wear as glasses is going to be the way to go.
Pages:
Jump to: