Topic: Firmware Upgrades for Hardware wallets their weakness? (Read 517 times)

Right, it's something that happens in everything we manufacture. For example, when you make cars, millions get made successfully, but not every car is as reliable as another. There's certain defects during the manufacturing process, which is unavoidable. You look at a pair of shoes, and they'll be slightly different, whether or not that difference can compromise their function, but it could, potentially.

It's the same here, there's a margin for error where certain devices can or will brick. It could be anything, during the upgrade sequence it could be something like not having a heat sink, and the device goes above operating conditions, or anything really.

However, this somewhat extends to software as well, since not everyone uses the software as specified, or if downloading, you might have not downloaded it correctly, or part of it was corrupted, which when the hardware wallet is fed that, it doesn't know what to do with it, hence the bricked device.

If they offer a replacement service for free, you can't really get any better than that. As long as you have your seed setup, it should be fine.

I don't think the chances of bricking your device during a firmware upgrade are that big to warrant having a second device that you would use only when you are making firmware upgrades on the main one. But that doesn't mean that having two is a bad idea for other purposes. People often forget that customers only complain and become vocal when they are unsatisfied, angry, and disappointed. Ledger has sold millions of hardware wallets. I think I remember sources talking about 3-4 millions. Even if you find 100 complaints right now where customers talk about bricking their hardware during a firmware upgrade, that's like 0.003% from 3 million. Even if it's 1000 or 2000, it's still insignificant. You aren't going to see 3 million people write: I performed the upgrade, everything was perfect! Most people don't do that, and that's why there is so much focus on the negative side of things.   

But if something like that happened to you, Ledger will replace your device for free even if it's no longer under warranty. There are documented cases of that even on this forum. I think the last one I read was from Maus0728 who said in one of his posts that his device got replaced with expired warranty. Their support personnel also confirmed this to me when I performed experiments and contacted them with various fake tickets to see how they handle user complaints.

Well, this was a very informative discussion indeed... I never thought it would give such brilliant feedback and comments when I started it. I think, if people can afford it, it might be a good idea to buy a second device and then to transfer the "tokens" to the second device... before you run the new firmware. 

A simple solution like this... will reduce the fear that are linked to the possibility that a firmware upgrade might "Brick" a hardware wallet and it will also encourage experimentation ...if you have a backup device.

                                                      Thank you for your valuable inputs and suggestions.

Your proposal is similar to classic risk diversification. I think it would not hurt many to take note of this and include the creation of a separate wallet with funds for "pocket money" in their to-do list. You are absolutely right that for one reason or another there may come a moment (like the HWs breakdown you are talking about) when need access to your balance, but using the main wallet will be risky (in general, perhaps the best option would be to have several main wallets). In this case, a wallet with a certain amount will come in handy. Even if the pocket money wallet is compromised, the damage will not be critical, but the benefits from such a wallet will be significant.

I don't think they would ask you to return the hardware wallet if it was used when it broke, and even if you do, you shouldn't do it. It's not worth the headaches thinking whether or not someone along the way could extract some data from it. Saving $50, $100, or $200 by not purchasing a new HW, but risking losing $100.000 shouldn't be an option.

Judging by the experience of one of my colleagues, he was asked to return a device that came faulty and couldn't be used from the start. The old one, which was out of warranty, didn't even have to be returned. 

Or just be prepared for a scenario in which your hardware wallet will one day break. Keep some coins secured only with the seed. That's the amount you would need to access the same day your HW breaks. $100, $500, $5.000, everyone has different needs and spending habits. Keep the rest secured by (multiple) passphrases. If your hardware wallet breaks, and you need access to some coins in that exact hour, recover your Bitcoin through seed and use only those coins that aren't protected with a passphrase. 

I guess, yes, of course if you need instant access to some BTC you can also restore a seed to a software wallet. If it's a large amount and you can't quickly get your hands on a hardware wallet (same-day kind of urgency and remember we're talking about large amounts) you could run to the store and quickly buy a fresh new laptop to rip the wireless connectivity out of and live boot Tails on. This way you could import the seed and do your important million-dollar transaction securely and quickly as well.

Most bricks would likely happen when the bootloader is upgrading. It probably wouldn't matter what the firmware runs on, if you lose the method of communicating with the host device, then your HW wallet is bricked. I think that the devs are unlikely to really mess it up because there is a certain procedure to test the updates against their device before pushing it out. Failing to test it would just be general incompetence.
Largely depends on if you store everything in your hardware wallet. It might be wise to have a spare hardware wallet so you can seamlessly shift to your new hardware wallet when it breaks without any delay.

This layered approach is a little bit what Trezor Model T and Foundation Passport are doing; the actual firmware is MicroPython and it runs little Python scripts on top. I do believe that firmware released by these companies upgrades still replace the whole thing, but since the actual base firmware is probably fairly stock MicroPython runtime, there is less risk of the devs messing something up real bad.

You don't even have to buy two devices up front; just get whatever is the latest and greatest / most secure whenever your existing hardware wallet breaks / bricks. As I said on page 1, the wallet is mostly an electronic representation of your seed which allows you to quickly use it. But the actual 'set in stone' secure location for your seed should be on paper or metal backup, stored in a handful of secure locations.

agreed.

just buy a spare hardware wallet and be ready for failure. iow, backups of seeds on non digital media.

for example i've had a few harddrives/SSDs that failed over the years and i would not send in for warranty replacement simply because of the personal info thats on them. i just ate the cost. and its my fault if losing anything anyway if i didnt have the data backed up. same principle applies to hardware wallets. do not send anything out that has potentially valuable data that can be recovered. destroy it instead and roll with the backup.

I think that it is fairly unlikely for hardware wallets to actually be bricked because most of them actually validate the firmware for any inconsistencies before applying it. Unsolvable bricks are far few and between.
That might actually be counter-intuitive. Most hardware wallets are actually designed with proprietary firmware and bootloaders to try to minimize additional attack vectors and possible external problems. Running your hardware wallet inside a Linux Sandbox wouldn't help because you now have to consider the security of Linux as well.

No one would realistically send their hardware wallets or anything to Ledger or the hardware wallet manufacturer. I don't find a point in them giving out warranty if you realize that it is virtually impossible to check if the data is cleanly wiped from your device before sending it to them.

People are mainly scared of applying firmware updates to hardware, in general, because of the risk that it bricks the device.

Generally, there is no warranty or support for when your device breaks due to a bad update. It is also unlikely that any technician can fix it, given that bricked hardware is virtually unusable. This forces the user to purchase a second device, data be damned.

For hardware wallets in particular, I would recommend a Linux "hypervisor" (extremely stripped down to reduce the amount of security updates required as much as possible) as the main OS that then boots up the actual hardware wallet OS.

This has the advantage that if the wallet OS breaks because of some firmware update, a technician can boot up a Linux shell and revert it to a known good version.

They weren't consumer laptops. Well, one of them was a low-budget multimedia machine which I got a long, long time ago. The second one was a HP EliteBook and the third one was a Dell Vostro. The last two belong to the business class of laptops. The Dell Latitude and Precision series are even better. I have never worked on a Lenovo machine, but all the Thinkpads that caught my attention were really expensive devices.     

I wouldn't say Coldcard is difficult to grasp, but it's certainly not device for everyone or for someone who owns shitcoins.
I don't think that Coldcard have best security features and they had history of misleading customers before with some false statements, but it's not bad hardware wallet to have if you like old calculators 

That's probably because you purchase junk consumer laptops, so it's your fault for wasting money.
I did not say buy crap laptops, but buy business class tanks like good old Thinkpad T series, or Dell Latitude/Precision... because they are indestructible, that is why military uses them.
You can easily find spare parts for them locally or online, and they are modular so you can replace each part, cpu, etc separately.

Speaking from personal experience, I have never been a fan of refurbished laptops. I like the speed and smell of new devices and I don't mind splashing out a few grands for a good business laptop that I use for work.
My laptops last 4-5 years, and then they die. It's always the motherboard that is the weak spot in my experience. I have had 3 laptops whose motherboards has failed in my lifetime. Buying a second-hand laptop is not an option for me because they simply aren't as good performance-wise and there is the added risk of hardware failures for outdated components.   

I agree; while it's great for security to have a completely airgapped wallet, messing around with a microSD card is not a great user experience. If it comes to choices for newcomers, I tend to recommend something that works with their preferred hardware. Elderly people often just use a PC or laptop, so something like Trezor is perfect. Younger folks that tend to sometimes not even own a computer, obviously need something that can be interfaced with from the phone they have. So it can be USB (OTG) on Androids, QR codes on any phone with a camera or NFC for the latest devices that have NFC. I was about not to mention NFC though, since similarly to Bluetooth, it's not an interface I'd recommend using due to its hardware-based attack vectors.

Not sure I agree. I think ColdCard is probably one of the more difficult hardware wallets to get a grasp out there. I'd say the Trezor is probably the most user friendlier, especially since they've added the Trezor Suite. Although, personally I do think ColdCard is probably the best option out there for security features, unfortunately that usually does come with added complexity, which I do believe is the case here.

For the latter, in my mind it would just be a better idea to use Bitcoin Core as a offline wallet. Although, I guess you'll have to download, and verify core, and get it on the machine, so I'm not saying its a terrible idea by any means. However, some hardware wallets have physical threats, that a Bitcoin Core won't necessarily have.

Just imagine how many people are throwing away over $1000 each year for buying brand new laptop or smartphone...
Most of them would be just fine with good quality older business laptop maybe with upgraded ram and ssd drive, and similar thing could be said for smartphones.
Hardware wallet can last for years and you don't need to upgrade anything, except doing regular firmware updates.
Than again, I recently heard cheap Lenovo laptops had big issue with BIOS exploits that is similar thing like firmware for hardware wallets.... so I could say that BIOS upgrades are weakness for laptops.

I think we have the same source of information for this  
SeedSigner is amazing in many ways and they are doing some massive work in this field.

Indeed; the hardware wallet is basically just a convenient way to access and use your seed.
With the cost, I do get that they can be pricey, especially if you don't live in a first-world country; however, in people don't realize how much money they lose to inflation and through buying useless throwaway devices all the time. Or think about laptop / phone storage upgrades; people pay hundreds for those even though they could get away with putting in some time and deleting loads of old data and media they don't need anymore.
Personally, I think even $200 is worth it for a device that can help you securely store and use money amounts larger than its cost by multiple orders of magnitude. But I digress!

Interesting; I first heard the term from the SeedSigner guy on Twitter, but it applies more to his product than to the 'real hardware wallets' that actually store the seed internally. I don't know who came up with this distinction (or if it's just my own definition) but just wanted to bring this up, because HW wallets don't just sign. This would be the argument against calling them signers. But they shouldn't be the main means of seed storage either; it's just a feature that makes them more convenient to use (instead of typing in 24 words every time you power them up).

I would partially agree with you but Trezor is very much different from ledger hardware wallet.
You can install Bitcoin only firmware in Trezor so you won't even notice most of the update noise coming out, and you can't do the same thing with ledger.
I can count Bitcoin-only hardware wallets on my hand, Trezor, BitBox02 and Keystone can do this optionally, than there is Passport, ColdCard, and that's about it.
Worthy mention DIY bitcoin only signing devices are SeedSigner (based on RaspberryPi) and Krux (based on ESP32 devices).

I started to do something similar, and I will keep repeating that seed backup is much more important than device you use.
Signing devices is much better term than hardware wallets, but I think it will be very hard to change that for masses now

The problem that a lot of people have when it comes to hardware wallets is that they think that the device actually has something like Bitcoin in itself - and they don't realize that a 24-word backup is something far more vulnerable and important than the device itself. In addition, $50 or $100 for such a device is considered too high by most and they think that such a device should last a lifetime - and on the other hand, they buy expensive smartphones and gaming consoles every 2-3 years and do not complain to anyone.

Yes; you just get a new device and transfer the coins. You can also just trash the old device and import your backed-up seed into a new wallet. I recently thought about this and maybe it helps people think of hardware wallets a bit differently: think of the device mostly as a signer. Don't rely on it not breaking, not getting lost or not ceasing to turn on, to be able to access your coins; instead, rely on your seed backup(s) and use the device as a convenient way to utilize said seed in everyday scenarios.

I agree that it can't be simpler than the current process (although I may be wrong), especially if I remember what it was like in the past when some people needed hours (or even days) to complete the firmware upgrade. Some people are quite afraid of this procedure for fear that something will go wrong and that they will lose their coins, although because of such things we have a backup.

---

Nothing lasts forever, so one should not expect Ledger to always exist. In the event that Ledger stops supporting its devices, anyone who doesn't feel safe will look for an alternative.

I'd say Ledger is already the most "idiot proof" hardware wallet we have right now, with Trezor coming in at a close second. Instead of working to make updating a bit more easier, they should probably just focus on removing unnecessary bloat on the Ledger Live software because it's slowly but surely getting slower and clunkier as time goes.

Unless they are only making more mess with new upgrades by adding new worthless shitcoin support that only make upgrade bigger in size and more buggy in time.
I would understand if they are doing this for bitcoin only firmware, but you won't have so much updates with this, except maybe Taproot support or something like that.
There is also a danger of bricking your device during hardware wallet, and I saw several reports that this happened to ledger wallet owners.

Perhaps this is a big weakness, but for the average user (most of them will be) it doesn't matter if the source code is open or closed, because he will not be able to read the code or changes to it. In the case of a closed source code, you will have to trust hardware wallet developers, and if the source code is open, then you need to trust independent developers and enthusiasts who check the code and changes. In both cases, ordinary users are forced to believe completely strangers. I think it looks like a religion. There, too, "users" can't check anything themselves and they can only "believe" in one or another confession.

Another important fact. People who buy HWs want to make a minimum of gestures: they bought a device, threw crypto into it, and use this device as needed. Will most of them follow the news and technical blogs where independent developers will post their research into the open source of HW? Even if a vulnerability is found in the code, such users will be the last to know about it after a long time, if at all they become aware of what happened. Until the balance on their device is reset. Therefore, I assume that from the position of an ordinary user, it doesn't matter to him which code is open or closed.

They are more interested in HW appearance and the impact of advertising.

Good choice of words. I am glad you used that construction because that's exactly the way it is. Someone else might have said that if you use open-source software with verifiable builds, there is no risk or you are absolutely safe due to the publicly available code.

The more popular the wallet is, the more user it has, and the more security experts verify every single piece of code, the lower is the possibility that the developers would get away with trying to introduce a backdoor or other type of vulnerability. Or if they just overlooked something by mistake which could have negative consequences. On the other hand, if the wallet is unpopular, it might take weeks or even months before someone discovered that something is off with the most recent update.     

You could phrase it like this: 'the fact that hardware wallets need to be kept up to date can be considered a systemic weakness [compared to a system that is cryptographically secure like an offline-generated cold storage seed with passphrase]'.

But the fact that you do get upgrades is definitely not a weakness; actually, I'd stop using a hardware wallet if the manufacturer drops support and stops working on the code, looking for bugs and fixing them, as well as fixing reported bugs and vulnerabilities. Providing software upgrades that keep the device secure and state-of-the art is essential to make sure your funds are secure against the latest attacks and exploits.

However, there remains the risk of malicious firmware update binaries and closed-source or non-reproducible builds. This allows the manufacturer or a middleman to give you a malicious (e.g. deanonymizing) firmware without you noticing; if however you have open source and a verifiable build, that provably comes from the supplied codebase, it reduces such risk.

Regarding usability for newbies, as was mentioned before, hardware wallets as a whole have come a long way. You also get clear and concise instructions from the manufacturer on how to verify the hash and signature of the image file. Reboots and complicated keypress combinations aren't needed on the last few devices I've come across. Passport, for instance, just requires you to put the file on a supplied microSD card and plug it into the device.

Actually, it's not always good to upgrade the ledger firmware from time to time if it's not needed unless you need the additional feature or if it's related to a vulnerability issues you should upgrade it to fix those issues.
 
Sometimes hardware wallets can be soft bricked after upgrading I heard many times on some people out there happen to them and only a few people fixed their hardware wallet.

Yes I think it's a big weakness, especially if hardware wallet firmware is closed source like in case with ledger devices.
In this case you would need to fully trust developers to be honest, and won't make any mistakes that could allow hackers to steal your coins.
With open source wallets you can always verify the changes, and other developers can do the same reporting some potential issues on time.

I don't think ledger browser extension is working anymore, but they desktop app is also bad and having lot of issues with showing incorrect balances.
You can however use third party open source wallets like Electrum with ledger, to make things a bit easier.

You can't do anything with black boxes like ledger, but you can change hardware wallet and get one that is open source like Passport, Bitbox, Keystone or Trezor.
Alternative option is to make your own DIY signing device like SeedSigner using general hardware like Raspberry PI Zero.

Exactly. The newest Ledger Nano S firmware is 2.1.0 if I remember correctly. It introduces the needed support and necessities for Taproot. Other than that, it doesn't fix anything urgent or improve the user experience. Unless you want to use Taproot addresses with your Ledger HW, you don't need to perform the upgrade. It also decreases the already very limited internal storage of the device.   

ColdCard feels to me to be idiot proof, but there will always be someone who can come along and screw up a process that should be impossible to screw up.
Pmalek is correct in the fact that if you have your seed you should be fine. But the time and effort and stress in recovering is a thing as is the expense of buying a new wallet.

I have not heard of any failures that bricked a device but I have not looked that hard.

Another thing to keep in mind that unless the firmware fixes some glaring vulnerability or adds a feature you must have, then you can probably skip doing them.

I have 2 HW wallets, one I use for my warm funds, that one is up to date. One is for long term cold storage, not updated or plugged in for a couple of years now.

-Dave

If we are talking about Ledger, it was worse in the past, now it's easy-peasy. Everything is complete without the user having to disconnect the wallet from the USB cable. In the past, you had to press and hold the buttons, then let go of one button while you connect/disconnect.

Talking about Ledger again. I would say they already are. It's just like an installation of any other software. A few clicks on the 'Yes' and 'Next' buttons and you are done.

You can buy any other hardware wallet and recover your accounts from seed. If they use the same derivation paths for your coins, even better. If not, you might have to recover the seed in a software wallet to modify the derivation paths. You should of course secure your Bitcoin before you go meddling with software wallets for altcoins.

Do you think constant Firmware upgrades on hardware wallets are their weakness? I have gone through some firmware upgrades for some hardware wallets (Ledger) and I have to say for someone with good technical knowledge, it was not a good experience. 

The normal handling of the hardware wallet and the software is not that technical, but still a daunting task for people that are not that technical. (Thinking about the transition from the Ledger browser plugin for Chrome ..to the Ledger App) 

What can be done to improve the firmware upgrade for these devices ...to make it "Idiot Proof" ? What happens when Ledger or any hardware manufacturer goes bankrupt and exploits are found and the developers are not there to plug the holes? (Export seed to Electrum?)