Pages:
Author

Topic: Hardware Wallets & Security flaws (Read 631 times)

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
August 13, 2018, 06:30:57 AM
#34
Would you buy a car, if it had no re-sell value?

Would you buy a second hand lock for your house? This would be a better analogy than the one with car.
The value of the item is not that big if you think that it can help safekeeping millions of dollars (*).

Also, if you find it expensive, maybe you want to buy it for the wrong reason. I mean, a hardware wallet is great to safely sign transactions for the money you use often. For the rest of the money, really, you can use paper wallets for free.


(*) While a hardware wallet can safeguard all your coins, I'd advise to keep at hand only the money you need at hand; the rest is always safer offline.
legendary
Activity: 1876
Merit: 3139
August 13, 2018, 06:20:13 AM
#33
What happens if a newer version or a better hardware wallet comes out and you want to sell your old wallets to fund your purchase of the newer models? This is why ledger built in software to check the integrity of the device and why people are allowed to re-sell their devices.

There will always be people who decide to buy an used device in order to save some money. I doubt that an ordinary user knows that in TREZOR's case it would be a good idea to reflash the device. Both TREZOR and Ledger are very unlike to release more new models in the near future. Ledger Blue and TREZOR T introduced features which some people might consider as useless and increasing the possible ways of breaking the device. That's why older models will still be available.

By the way, Ledger's Secure Element checks if the software was modified on each boot. The same thing is done on TREZOR by the bootloader which cannot be reprogrammed.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
August 13, 2018, 01:40:48 AM
#32
What would be the use of hardware if it does not have a re-sell value? What happens if a newer version or a better hardware wallet comes out and you want to sell your old wallets to fund your purchase of the newer models? This is why ledger built in software to check the integrity of the device and why people are allowed to re-sell their devices.

Would you buy a car, if it had no re-sell value?
legendary
Activity: 1382
Merit: 1122
August 12, 2018, 10:12:21 PM
#31
Pretty cool, these enclaves! And pretty fancy lingo!
And yet I have recently driven my office chair over my hardware wallet and lost 5BTC!
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!

5 BTC is quite a hefty sum for learning about the importance of backups. Usually you get this lesson for free by following your hardware wallet's quickstart instructions.

Unfortunately, they told me to write down my seed on a piece of paper that any house maid can copy with their phone camera ... didn't want to do it. And with at least 20 different people monitoring my computer (10 of which probably spy on my webcam and get the tingles), I didn't want to save it on my computer either. Also, it was not clear to me how the whole security thing would differentiate from any other paper wallet (in terms of [in]security). Anyway, I have learned my lesson" i'll just stick to good ol' brain wallets in the future. Haven't lost any of those in the past.

Sounds like you have too many people around you  Grin

I only trust cold storage that I've properly made. I have no use for a hardware wallet and would much rather not have to trust one if I don't absolutely have to. I do understand that they're more secure than ay normal hot wallet, but with so many different vulnerabilities it's easier to just print out a piece of paper and keep it well hidden. Don't like paper? Use metal, rock, or whatever you want.
copper member
Activity: 49
Merit: 0
Just grinding everday
August 01, 2018, 07:53:51 PM
#30
I have heard people talk about hardware wallets as the best wallets, but i have never really used one before. So I can't actually say how safe it is.

I have one and find that I am more scared of losing the passphrase than anything else...
newbie
Activity: 34
Merit: 0
August 01, 2018, 04:39:08 AM
#29
I have heard people talk about hardware wallets as the best wallets, but i have never really used one before. So I can't actually say how safe it is.
HCP
legendary
Activity: 2086
Merit: 4363
July 28, 2018, 12:41:55 AM
#28
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!
But that's the point... it doesn't rely on "storing stuff on some device", as long as you've created the written back-up as per the recommended backup procedures!

Also, just wanted to point out... the brain is also "a device that may die anytime." Tongue
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
July 26, 2018, 04:29:28 AM
#27

Pretty cool, these enclaves! And pretty fancy lingo!
And yet I have recently driven my office chair over my hardware wallet and lost 5BTC!
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!


Unfortunately, they told me to write down my seed on a piece of paper that any house maid can copy with their phone camera ... didn't want to do it. And with at least 20 different people monitoring my computer (10 of which probably spy on my webcam and get the tingles), I didn't want to save it on my computer either. Also, it was not clear to me how the whole security thing would differentiate from any other paper wallet (in terms of [in]security). Anyway, I have learned my lesson" i'll just stick to good ol' brain wallets in the future. Haven't lost any of those in the past.

I must admit that I have not heard of the case that someone has lost coins because of the office chair, for me personally something unthinkable, but obviously something like this can happen. If you write your seed on piece of paper, engrave it in plastic, wood, metal or anything else and keep it safe in deposit box you would still have 5BTC. Even if there is no 20 people monitoring your PC it would not be wise to save seed/private keys on your computer.

Hardware wallets are are designed to protect our private keys in a safe environment which has so far worked flawlessly. But they are not designed to protect our coins from office chairs or mad dogs, especially if we do not stick to the safety instructions and make backup.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
July 26, 2018, 04:26:42 AM
#26
Unfortunately, they told me to write down my seed on a piece of paper that any house maid can copy with their phone camera ... didn't want to do it. And with at least 20 different people monitoring my computer (10 of which probably spy on my webcam and get the tingles), I didn't want to save it on my computer either. Also, it was not clear to me how the whole security thing would differentiate from any other paper wallet (in terms of [in]security). Anyway, I have learned my lesson" i'll just stick to good ol' brain wallets in the future. Haven't lost any of those in the past.

Fair enough. I personally don't trust myself enough to create a secure brain wallet, but part of the beauty of crypto is a lot of options and self-reliance.

About your backup concerns, for future reference:

1) Good call on not storing your backup digitally, after all this would have made the whole point of a hardware wallet moot -- and I'm still baffled by how some people seem to seriously consider this approach.

2) Be aware that Trezor and Ledger Nano S allow for passphrases of 50 characters [1] and 100 characters [2] respectively, without which the wallet seed accounts for nothing. Not as secure as the full power of the seed phrase + passphrase, but still fairly secure when choosing a strong passphrase.

[1] https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f2e0834026eb
[2] https://support.ledgerwallet.com/hc/en-us/articles/115005214529-Advanced-Passphrase-options
legendary
Activity: 1260
Merit: 1168
July 26, 2018, 03:24:13 AM
#25
Pretty cool, these enclaves! And pretty fancy lingo!
And yet I have recently driven my office chair over my hardware wallet and lost 5BTC!
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!

5 BTC is quite a hefty sum for learning about the importance of backups. Usually you get this lesson for free by following your hardware wallet's quickstart instructions.

Unfortunately, they told me to write down my seed on a piece of paper that any house maid can copy with their phone camera ... didn't want to do it. And with at least 20 different people monitoring my computer (10 of which probably spy on my webcam and get the tingles), I didn't want to save it on my computer either. Also, it was not clear to me how the whole security thing would differentiate from any other paper wallet (in terms of [in]security). Anyway, I have learned my lesson" i'll just stick to good ol' brain wallets in the future. Haven't lost any of those in the past.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
July 26, 2018, 02:57:50 AM
#24
Pretty cool, these enclaves! And pretty fancy lingo!
And yet I have recently driven my office chair over my hardware wallet and lost 5BTC!
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!

5 BTC is quite a hefty sum for learning about the importance of backups. Usually you get this lesson for free by following your hardware wallet's quickstart instructions.
legendary
Activity: 1260
Merit: 1168
July 25, 2018, 04:54:16 PM
#23
Hardware wallets are obviously NB for any holder with a fair amount of $ invested in whatever, but Ledger seems to be filled with flaws - what's up with their insistence not to use a tamper-proof seal?
But the Nano S sold about 1 mil units. I'm assuming anyone buying does hodl quite a bit and would therefore be quite clued up... so why trust in this?
Trezor have also suffered firmware hacks... KeepKey hasn't really had any major issues yet, but have a tiny market share. So what exactly are you looking for in a hardware wallet? Is it more of a status symbol?

Just interested to hear thoughts...

Trezor - a relatively simple device that connects through the connector Micro-USB. It has a very simple case made of molded plastic with two plastic buttons and an LCD display. Interestingly, the plastic case is glued together with something like cyanoacrylate or superglue.
Trezor uses a single microcontroller, the standard STM32F205, which creates a large hardware attack surface. This is a very common 32-bit ARM Cortex M3 processor. It is not considered one of the secure ST microcontrollers, and it does not use Secure Enclave technology. In this general-purpose microcontroller, private keys are generated and stored. For these reasons, Trezor does not have a certificate in accordance with the general safety criteria.

Ledger Nano S also connects via Micro-USB, has two input buttons and a display. The main difference between Trezor and Ledger is that the latter uses not one but two microcontrollers: STM32F042K and ST31H320. STM32F042K is very similar to Trezor STM32F205, but it does not have external, but internal clock. It is also interesting that Ledger has a full-fledged bank-level microcontroller with Secure Enclave ST31H320 technology, where private wallet keys are stored. ST31H320 has already found many other applications, including banking, identification and pay-TV. In addition, it complies with safety standards according to the general criteria of the EAL6 + level. Combined architecture ST31 / STM32 has a lower, but decent level of certification EAL5 +. In addition to the secure storage of private keys, Secure Enclave can store the device key, which provides a high degree of confidence that the Ledger device is not fake and has not been hacked on the way to the user.

Pretty cool, these enclaves! And pretty fancy lingo!
And yet I have recently driven my office chair over my hardware wallet and lost 5BTC!
From my point of view, there is nothing as secure as a brain wallet! I would rather trust a brain wallet than any other wallet that relies on storing stuff on some device that may die anytime!
legendary
Activity: 1624
Merit: 2481
July 25, 2018, 07:35:26 AM
#22
What would be the best alternative to Trezor if this has so many flaws

Don't get confused by these posts with zero substance.

Trezor is perfectly fine as a hardware wallet. Each time a vulnerability appeared they were pretty fast fixing them.
An alternative to trezor would be ledgers nano s.

I'd say both are equally secure. But i would choose the nano s over a trezor because of the variety of coins ledgers wallet offers.


Note: Vulnerabilites will always be found. You will NEVER find a perfectly secure wallet without any vulnerabilities. Yet all vulnerabilities (ledger and trezor) has been fixed prety decently and no funds have been stolen. Each of these vulnerabilities required physical access to the wallet.


It is really up to you which wallet you prefer.
legendary
Activity: 1876
Merit: 3139
July 24, 2018, 05:18:29 PM
#21
Interestingly, the plastic case is glued together with something like cyanoacrylate or superglue.

The TREZOR’s chassis is sealed using ultrasound. Opening the TREZOR without destroying the case is nearly impossible. The TREZOR's packaging is also difficult to open without doing any damage to the box.

jr. member
Activity: 434
Merit: 4
July 24, 2018, 01:18:54 PM
#20
Hardware wallets are obviously NB for any holder with a fair amount of $ invested in whatever, but Ledger seems to be filled with flaws - what's up with their insistence not to use a tamper-proof seal?
But the Nano S sold about 1 mil units. I'm assuming anyone buying does hodl quite a bit and would therefore be quite clued up... so why trust in this?
Trezor have also suffered firmware hacks... KeepKey hasn't really had any major issues yet, but have a tiny market share. So what exactly are you looking for in a hardware wallet? Is it more of a status symbol?

Just interested to hear thoughts...

Trezor - a relatively simple device that connects through the connector Micro-USB. It has a very simple case made of molded plastic with two plastic buttons and an LCD display. Interestingly, the plastic case is glued together with something like cyanoacrylate or superglue.
Trezor uses a single microcontroller, the standard STM32F205, which creates a large hardware attack surface. This is a very common 32-bit ARM Cortex M3 processor. It is not considered one of the secure ST microcontrollers, and it does not use Secure Enclave technology. In this general-purpose microcontroller, private keys are generated and stored. For these reasons, Trezor does not have a certificate in accordance with the general safety criteria.

Ledger Nano S also connects via Micro-USB, has two input buttons and a display. The main difference between Trezor and Ledger is that the latter uses not one but two microcontrollers: STM32F042K and ST31H320. STM32F042K is very similar to Trezor STM32F205, but it does not have external, but internal clock. It is also interesting that Ledger has a full-fledged bank-level microcontroller with Secure Enclave ST31H320 technology, where private wallet keys are stored. ST31H320 has already found many other applications, including banking, identification and pay-TV. In addition, it complies with safety standards according to the general criteria of the EAL6 + level. Combined architecture ST31 / STM32 has a lower, but decent level of certification EAL5 +. In addition to the secure storage of private keys, Secure Enclave can store the device key, which provides a high degree of confidence that the Ledger device is not fake and has not been hacked on the way to the user.
newbie
Activity: 28
Merit: 0
July 21, 2018, 11:50:46 PM
#19
Problem is in reality every chip can be hacked using ion beams. but generally your safer with a hardware wallet than the alternatives.
sr. member
Activity: 1344
Merit: 307
July 20, 2018, 09:59:25 PM
#18
AmmbrPlatform, In your other thread I did post my statement

Since you did mention some functionality, I do would like to ask how does it justify the price? Bluetooth in itself does have its own risk as well while something like trezor/keepkey and ledger, while can be connected via usb, has security features builtin to prevent many different type of attacks. In trezor case, you would need the pin (and passphrase) to sign a transaction, retrieve the xpub, etc. They make sure the user confirm the address and transaction as well. Plus not every pc is going to have bluetooth while every pc will have some type of usb port. Taking that away pretty much limits the device to mainly the mobile market, which not everyone is going to want to use just to send cryptocurrency. Bring the price down a bit or add usb support because in my eyes, I see a clone of the ledger blue (which imo has failed in many ways at this point, mainly due to the company lack of support for the device, but thats a different story) with limited functionality, and the product may not go long without usb support.

What hardware is being used for the device and is the firmware (that is open source?) based on an existing project or your own? Is it available via github and if so could you provide a link?

While I do like the design of the device, its not something I would simply just buy right away, especially when you advertised it as secured with no source code, limited to just bluetooth, which has its own flaws, especially if the implementation is poor.

In regards to keepkey security, they are based on trezor firmware so whenever trezor does a security update, keepkey is usually notified and 9/10 they will update as well, which is why you hardly hear about security issues with keepkey.

With that said, it almost feels like youre avoiding trying to answer, which I hope isnt the case.
HCP
legendary
Activity: 2086
Merit: 4363
July 20, 2018, 03:08:43 AM
#17
What are your thoughts on it?
Not much details have been released yet, but first impressions?
Then release some details... given that the device is yours. Roll Eyes You might want to release some actual details of the device if you want anyone to consider purchasing it... especially with a $300 price tag!


Also... this:
Quote
Completely Air-gapped
Quote
02 Bluetooth Tethering
Ummm.... What??!? Huh Roll Eyes


Quote
No need to trust third-party software or networks.
Quote
"Visit the Google Play Store on your Android device, download and install the Blackbird Tethering App."
Uh huh... so, I don't need to trust the mobile OS, bluetooth stack or the network that the mobile device is connected to? Huh


And what security protections are in place to prevent someone uploading a malicious firmware or creating a "clone" site with malicious firmware and tricking people into downloading from it etc?
Quote
Visit blackbirdwallet.io/download to compare your version with the latest firmware version available. If a newer version is available, download it and extract the files to the SD card provided for firmware upgrades.


I appreciate a lot of the stuff on the website is just "marketing speak"... but you're trying to crack a niche market in a space full of very suspicious and paranoid people. Are you at least going to list the full specs and/or open source the code etc Huh
newbie
Activity: 26
Merit: 0
July 19, 2018, 07:55:41 AM
#16
I wasn't trying to look like a newbie. Just trying to find out what people think. What are your biggest concerns when it comes to hardware wallets? Do you think this solves any issue. Not trying to direct you to buy (although that would be nice). Just want to create a discussion... there are other areas to advertise, but I doubt I'll get better insights than a discussion on hardware wallets in general.
My apologies if it seems spammy. That wasn't the intention at all.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
July 19, 2018, 07:15:25 AM
#15
Pretending to be a newbie asking questions about hardware wallets only to then link to your own online shop selling a previously unheard of product smells pretty scammy. I'm not saying that it's a scam, I'm just saying that at least in my opinion that's not exactly a way to gain the trust of people.
Pages:
Jump to: