Topic: Firmware Upgrades for Hardware wallets their weakness? (Read 473 times)

Right, it's something that happens in everything we manufacture. For example, when you make cars, millions get made successfully, but not every car is as reliable as another. There's certain defects during the manufacturing process, which is unavoidable. You look at a pair of shoes, and they'll be slightly different, whether or not that difference can compromise their function, but it could, potentially.

It's the same here, there's a margin for error where certain devices can or will brick. It could be anything, during the upgrade sequence it could be something like not having a heat sink, and the device goes above operating conditions, or anything really.

However, this somewhat extends to software as well, since not everyone uses the software as specified, or if downloading, you might have not downloaded it correctly, or part of it was corrupted, which when the hardware wallet is fed that, it doesn't know what to do with it, hence the bricked device.

If they offer a replacement service for free, you can't really get any better than that. As long as you have your seed setup, it should be fine.

I don't think the chances of bricking your device during a firmware upgrade are that big to warrant having a second device that you would use only when you are making firmware upgrades on the main one. But that doesn't mean that having two is a bad idea for other purposes. People often forget that customers only complain and become vocal when they are unsatisfied, angry, and disappointed. Ledger has sold millions of hardware wallets. I think I remember sources talking about 3-4 millions. Even if you find 100 complaints right now where customers talk about bricking their hardware during a firmware upgrade, that's like 0.003% from 3 million. Even if it's 1000 or 2000, it's still insignificant. You aren't going to see 3 million people write: I performed the upgrade, everything was perfect! Most people don't do that, and that's why there is so much focus on the negative side of things.   

But if something like that happened to you, Ledger will replace your device for free even if it's no longer under warranty. There are documented cases of that even on this forum. I think the last one I read was from Maus0728 who said in one of his posts that his device got replaced with expired warranty. Their support personnel also confirmed this to me when I performed experiments and contacted them with various fake tickets to see how they handle user complaints.

Well, this was a very informative discussion indeed... I never thought it would give such brilliant feedback and comments when I started it. I think, if people can afford it, it might be a good idea to buy a second device and then to transfer the "tokens" to the second device... before you run the new firmware. 

A simple solution like this... will reduce the fear that are linked to the possibility that a firmware upgrade might "Brick" a hardware wallet and it will also encourage experimentation ...if you have a backup device.

                                                      Thank you for your valuable inputs and suggestions.

Your proposal is similar to classic risk diversification. I think it would not hurt many to take note of this and include the creation of a separate wallet with funds for "pocket money" in their to-do list. You are absolutely right that for one reason or another there may come a moment (like the HWs breakdown you are talking about) when need access to your balance, but using the main wallet will be risky (in general, perhaps the best option would be to have several main wallets). In this case, a wallet with a certain amount will come in handy. Even if the pocket money wallet is compromised, the damage will not be critical, but the benefits from such a wallet will be significant.

I don't think they would ask you to return the hardware wallet if it was used when it broke, and even if you do, you shouldn't do it. It's not worth the headaches thinking whether or not someone along the way could extract some data from it. Saving $50, $100, or $200 by not purchasing a new HW, but risking losing $100.000 shouldn't be an option.

Judging by the experience of one of my colleagues, he was asked to return a device that came faulty and couldn't be used from the start. The old one, which was out of warranty, didn't even have to be returned. 

Or just be prepared for a scenario in which your hardware wallet will one day break. Keep some coins secured only with the seed. That's the amount you would need to access the same day your HW breaks. $100, $500, $5.000, everyone has different needs and spending habits. Keep the rest secured by (multiple) passphrases. If your hardware wallet breaks, and you need access to some coins in that exact hour, recover your Bitcoin through seed and use only those coins that aren't protected with a passphrase. 

I guess, yes, of course if you need instant access to some BTC you can also restore a seed to a software wallet. If it's a large amount and you can't quickly get your hands on a hardware wallet (same-day kind of urgency and remember we're talking about large amounts) you could run to the store and quickly buy a fresh new laptop to rip the wireless connectivity out of and live boot Tails on. This way you could import the seed and do your important million-dollar transaction securely and quickly as well.

Most bricks would likely happen when the bootloader is upgrading. It probably wouldn't matter what the firmware runs on, if you lose the method of communicating with the host device, then your HW wallet is bricked. I think that the devs are unlikely to really mess it up because there is a certain procedure to test the updates against their device before pushing it out. Failing to test it would just be general incompetence.
Largely depends on if you store everything in your hardware wallet. It might be wise to have a spare hardware wallet so you can seamlessly shift to your new hardware wallet when it breaks without any delay.

This layered approach is a little bit what Trezor Model T and Foundation Passport are doing; the actual firmware is MicroPython and it runs little Python scripts on top. I do believe that firmware released by these companies upgrades still replace the whole thing, but since the actual base firmware is probably fairly stock MicroPython runtime, there is less risk of the devs messing something up real bad.

You don't even have to buy two devices up front; just get whatever is the latest and greatest / most secure whenever your existing hardware wallet breaks / bricks. As I said on page 1, the wallet is mostly an electronic representation of your seed which allows you to quickly use it. But the actual 'set in stone' secure location for your seed should be on paper or metal backup, stored in a handful of secure locations.

agreed.

just buy a spare hardware wallet and be ready for failure. iow, backups of seeds on non digital media.

for example i've had a few harddrives/SSDs that failed over the years and i would not send in for warranty replacement simply because of the personal info thats on them. i just ate the cost. and its my fault if losing anything anyway if i didnt have the data backed up. same principle applies to hardware wallets. do not send anything out that has potentially valuable data that can be recovered. destroy it instead and roll with the backup.

I think that it is fairly unlikely for hardware wallets to actually be bricked because most of them actually validate the firmware for any inconsistencies before applying it. Unsolvable bricks are far few and between.
That might actually be counter-intuitive. Most hardware wallets are actually designed with proprietary firmware and bootloaders to try to minimize additional attack vectors and possible external problems. Running your hardware wallet inside a Linux Sandbox wouldn't help because you now have to consider the security of Linux as well.

No one would realistically send their hardware wallets or anything to Ledger or the hardware wallet manufacturer. I don't find a point in them giving out warranty if you realize that it is virtually impossible to check if the data is cleanly wiped from your device before sending it to them.

People are mainly scared of applying firmware updates to hardware, in general, because of the risk that it bricks the device.

Generally, there is no warranty or support for when your device breaks due to a bad update. It is also unlikely that any technician can fix it, given that bricked hardware is virtually unusable. This forces the user to purchase a second device, data be damned.

For hardware wallets in particular, I would recommend a Linux "hypervisor" (extremely stripped down to reduce the amount of security updates required as much as possible) as the main OS that then boots up the actual hardware wallet OS.

This has the advantage that if the wallet OS breaks because of some firmware update, a technician can boot up a Linux shell and revert it to a known good version.

They weren't consumer laptops. Well, one of them was a low-budget multimedia machine which I got a long, long time ago. The second one was a HP EliteBook and the third one was a Dell Vostro. The last two belong to the business class of laptops. The Dell Latitude and Precision series are even better. I have never worked on a Lenovo machine, but all the Thinkpads that caught my attention were really expensive devices.     

I wouldn't say Coldcard is difficult to grasp, but it's certainly not device for everyone or for someone who owns shitcoins.
I don't think that Coldcard have best security features and they had history of misleading customers before with some false statements, but it's not bad hardware wallet to have if you like old calculators 

That's probably because you purchase junk consumer laptops, so it's your fault for wasting money.
I did not say buy crap laptops, but buy business class tanks like good old Thinkpad T series, or Dell Latitude/Precision... because they are indestructible, that is why military uses them.
You can easily find spare parts for them locally or online, and they are modular so you can replace each part, cpu, etc separately.

Speaking from personal experience, I have never been a fan of refurbished laptops. I like the speed and smell of new devices and I don't mind splashing out a few grands for a good business laptop that I use for work.
My laptops last 4-5 years, and then they die. It's always the motherboard that is the weak spot in my experience. I have had 3 laptops whose motherboards has failed in my lifetime. Buying a second-hand laptop is not an option for me because they simply aren't as good performance-wise and there is the added risk of hardware failures for outdated components.   

I agree; while it's great for security to have a completely airgapped wallet, messing around with a microSD card is not a great user experience. If it comes to choices for newcomers, I tend to recommend something that works with their preferred hardware. Elderly people often just use a PC or laptop, so something like Trezor is perfect. Younger folks that tend to sometimes not even own a computer, obviously need something that can be interfaced with from the phone they have. So it can be USB (OTG) on Androids, QR codes on any phone with a camera or NFC for the latest devices that have NFC. I was about not to mention NFC though, since similarly to Bluetooth, it's not an interface I'd recommend using due to its hardware-based attack vectors.

Not sure I agree. I think ColdCard is probably one of the more difficult hardware wallets to get a grasp out there. I'd say the Trezor is probably the most user friendlier, especially since they've added the Trezor Suite. Although, personally I do think ColdCard is probably the best option out there for security features, unfortunately that usually does come with added complexity, which I do believe is the case here.

For the latter, in my mind it would just be a better idea to use Bitcoin Core as a offline wallet. Although, I guess you'll have to download, and verify core, and get it on the machine, so I'm not saying its a terrible idea by any means. However, some hardware wallets have physical threats, that a Bitcoin Core won't necessarily have.

Just imagine how many people are throwing away over $1000 each year for buying brand new laptop or smartphone...
Most of them would be just fine with good quality older business laptop maybe with upgraded ram and ssd drive, and similar thing could be said for smartphones.
Hardware wallet can last for years and you don't need to upgrade anything, except doing regular firmware updates.
Than again, I recently heard cheap Lenovo laptops had big issue with BIOS exploits that is similar thing like firmware for hardware wallets.... so I could say that BIOS upgrades are weakness for laptops.

I think we have the same source of information for this  
SeedSigner is amazing in many ways and they are doing some massive work in this field.

Indeed; the hardware wallet is basically just a convenient way to access and use your seed.
With the cost, I do get that they can be pricey, especially if you don't live in a first-world country; however, in people don't realize how much money they lose to inflation and through buying useless throwaway devices all the time. Or think about laptop / phone storage upgrades; people pay hundreds for those even though they could get away with putting in some time and deleting loads of old data and media they don't need anymore.
Personally, I think even $200 is worth it for a device that can help you securely store and use money amounts larger than its cost by multiple orders of magnitude. But I digress!

Interesting; I first heard the term from the SeedSigner guy on Twitter, but it applies more to his product than to the 'real hardware wallets' that actually store the seed internally. I don't know who came up with this distinction (or if it's just my own definition) but just wanted to bring this up, because HW wallets don't just sign. This would be the argument against calling them signers. But they shouldn't be the main means of seed storage either; it's just a feature that makes them more convenient to use (instead of typing in 24 words every time you power them up).

I would partially agree with you but Trezor is very much different from ledger hardware wallet.
You can install Bitcoin only firmware in Trezor so you won't even notice most of the update noise coming out, and you can't do the same thing with ledger.
I can count Bitcoin-only hardware wallets on my hand, Trezor, BitBox02 and Keystone can do this optionally, than there is Passport, ColdCard, and that's about it.
Worthy mention DIY bitcoin only signing devices are SeedSigner (based on RaspberryPi) and Krux (based on ESP32 devices).

I started to do something similar, and I will keep repeating that seed backup is much more important than device you use.
Signing devices is much better term than hardware wallets, but I think it will be very hard to change that for masses now

The problem that a lot of people have when it comes to hardware wallets is that they think that the device actually has something like Bitcoin in itself - and they don't realize that a 24-word backup is something far more vulnerable and important than the device itself. In addition, $50 or $100 for such a device is considered too high by most and they think that such a device should last a lifetime - and on the other hand, they buy expensive smartphones and gaming consoles every 2-3 years and do not complain to anyone.