
Topic: Hardware wallets, types, security and safety (Read 492 times)

member
Activity: 80
Merit: 39
In addition to the wallets listed above, I have come across other hardware wallets like Coldcard and Archos Safe-T Mini.

Coldcard is the cheapest bitcoin hardware wallet. Coldcard lets you store and submit your transactions by revealing your private keys like other cryptocurrencies. You’ll need to confirm all your transactions on this external device physically.

Archos Safe-T Mini is a hardware altcoin wallet that is portable. It also has an offline private key storage using an encrypted chipset memory. It has a very easy setup and also multiple cryptocurrency support.

Read here to know more about these hardware wallets. I am sharing it as I came across that even these hardware wallets can be used which are not heard of much.
member
Activity: 518
Merit: 45
There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist. With an electron microscope and enough time and expertise, then it is likely that even the secure element will be crackable and the seed able to be extracted, but we are now probably talking about in the order of weeks at a cost of several hundred thousand dollars. This differs obviously from Trezor wallets which can have the seed extracted for less than a hundred dollars in the space of a few minutes. Any hardware wallet shouldn't be viewed as infallible, but rather as a mechanism to buy you (hopefully plenty of) time to move your coins to new addresses.

That is why I prefer the Ledger Nano products, although I prefer two, the Ledger Nano X and S. Trezor is good too but I have read about some people saying cloning Trezor is more common than cloning Ledger Nano.
jr. member
Activity: 82
Merit: 1
This is a good reference for newbies who are curious about hardware wallets, aside from some articles on the web that also talk about hardware wallets. I might make a topic in the future and refer to this topic as a point of info. Also, having a hardware wallet is a must if you are into crypto, for security purposes and also for longevity.
newbie
Activity: 15
Merit: 0
Thanks for the information! Right now I'm looking for a hardware wallet.
legendary
Activity: 3234
Merit: 5637
There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist.

Those who have been following the development of hardware wallets for a long time know about the case of the side-channel attack which was released back in 2018. This attack demonstrated the possibility of a remote hack of the user PIN, and it was successful (Ledger Blue). But the PIN is of no use without physically accessing the device, so this vulnerability was declared "less dramatic" and I think it was fixed in the next firmware.

Roth explained that they started by analysing the hardware architecture of the Blue. They noticed that there was a fairly long connection between the secure element and another processor. In other words, the wire that connected these two components was physically quite long, due to their physical distance apart on the circuit board (each on other side of the device’s relatively large battery).
So they built a small robotic device to press a button over and over while their antennae listened and logged data. This was used to build up training data for an artificial intelligence system to analyze.
They were able to get a very high likelihood of identifying each digit on a PIN on the tested device.
hero member
Activity: 1834
Merit: 759
Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

Oh definitely, in the same way that a USB drive with coins in it wouldn't necessarily be easy to break into. I was just saying that if a random thief with the capability to steal your coins gets into your home, he's more likely to take your hardware wallet than a random USB drive (if not both lmao).

This is true, but I still wouldn't rely on the thief not discovering the coins for their safety. If you are storing coins on a plain USB drive, you should be encrypting it.

No arguments here; if a precaution can make storing your coins safer, you should definitely avail of it. I'll edit my post and credit you. I was just pointing out that an attacker getting his hands on it wouldn't necessarily mean he'd be able to steal what's in it.
legendary
Activity: 2268
Merit: 18587
One advantage it has though, is the attacker won't necessarily know the flash drive is holding coins (you could just be using it as an OS installer after all, like majority of the populace) unlike hardware wallets, so they could be less prone to thievery.
This is true, but I still wouldn't rely on the thief not discovering the coins for their safety. If you are storing coins on a plain USB drive, you should be encrypting it.

I'm not sure what kind of equipment is needed and whether Ledger has some protection to prevent such hacking attempts (in case your wallet is stolen).
There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist. With an electron microscope and enough time and expertise, then it is likely that even the secure element will be crackable and the seed able to be extracted, but we are now probably talking about in the order of weeks at a cost of several hundred thousand dollars. This differs obviously from Trezor wallets which can have the seed extracted for less than a hundred dollars in the space of a few minutes. Any hardware wallet shouldn't be viewed as infallible, but rather as a mechanism to buy you (hopefully plenty of) time to move your coins to new addresses.
legendary
Activity: 3234
Merit: 5637
Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

Device will reset if wrong PIN is entered 3 times in a row, but smart hacker will not try to obtain your PIN in that way. They will try to hack it with brute force, and 8 digit PIN is very limited in number of combination. I'm not sure what kind of equipment is needed and whether Ledger has some protection to prevent such hacking attempts (in case your wallet is stolen).

But let's say a PIN of 8-10 digits is small joke for any supercomputer or botnet :

To demonstrate the importance of password complexity, let's start with a pincode password such as "123456789". In this case, the character set (0123456789) consists of 10 characters. For a 9 digit password using this character set, there are 10^9 possible password combinations. Therefore, it will take (1.7*10^-6 * 10^9) seconds / 2, or 14.17 minutes, to break this password on average. On a supercomputer or botnet, we divide this by 100000, so it would take 0.0085 seconds to break a password.

Because of facts above, using of passphrase on hardware wallet is very desirable. Of course, only if the user knows what he is doing.

https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security
legendary
Activity: 2268
Merit: 2039
~snip~

Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.
hero member
Activity: 1834
Merit: 759
This is a lot helpful. But you said, it is inconvenient. It also can not be safe like the recommended HW wallets.

If your only intention is to keep your private keys offline, I would argue that it could be just as safe, since it does exactly the same thing.

One of the main advantages of hardware wallets, in addition to keeping your keys permanently offline, is that if they fall in to an attacker's hands your coins are still safe (or at least, safe for long enough for you to recover your back ups and send them to a new wallet). Your set up misses out this important protection, unless you are also encrypting the USB drive.

Strong wallet passwords could also help, so it's not entirely vulnerable in the hands of a potential attacker. I mean, we've all heard about people getting locked out of their Electrum wallets, so you can possibly make this work in your favor. Hardware wallets are definitely better in this area though.

One advantage it has though, is the attacker won't necessarily know the flash drive is holding coins (you could just be using it as an OS installer after all, like majority of the populace) unlike hardware wallets, so they could be less prone to thievery.
newbie
Activity: 2
Merit: 0
Understanding the difference between a custodial and a non-custodial wallet is crucial for understanding a wallet's security.

"A non-custodial wallet (also known as a light wallet) is simply a piece of software on your own computer or phone that puts you in full control of your cryptocurrency holdings. You hold your own private keys, which means no one else is able to make a transaction on your behalf." Meanwhile, if you use a custodial wallet your private key is stored by a third party.

If you are indeed using a hardware wallet then it is a non-custodial/light wallet, which is certainly the most secure type of wallet.

Sources:
https://atomicwallet.io/custodial-non-custodial-wallets-comparison
https://www.cryptovantage.com/guides/custodial-vs-non-custodial-wallets/
https://medium.com/guarda/%EF%B8%8Fcustodial-vs-non-custodial-wallet-s-%EF%B8%8F-benefits-of-light-wallets-87cf701054d1
full member
Activity: 1442
Merit: 153
A hardware wallet isn't expensive. I understand that in some parts of the world $50 is considered a lot of money, but if you are planning to hold hundreds and thousands of dollars it simply isn't. 

I am going to go a bit off topic and explain why they are not expensive.
While I was in high school I wanted to go running with a friend who is a bit older than me and plays basketball. He is in great physical shape, I work out, so I thought I could keep up. I didn't have proper running shoes so I figured there is no need to buy a new pair. They are 'expensive' and I am not going to use them that much. I went out running in a pair of old day-to-day sneakers.

While we were running I started experiencing intense pain in the area around my heels, but I wanted to push past it so I didn't stop and just continued until the point that I could no longer stay on my feet. I am not exaggerating.

The next morning, the pain was so intense I could barely walk. I went to the doctor who told me that the main cause for my injury was a combination of excessive exercising and bad foot wear.

Instead of buying proper foot wear because I thought they were 'expensive' I had to pay for doctor appointments, injections, and pain killers, and spent 4-5 days lying around on the sofa.
I can also say that it is way safer than online wallets; it is not that expensive, yet it can prevent your funds from being hacked online. The only disadvantage, I think, is when you lose it. That is why, when you are using a hardware wallet, you must still be careful and make sure that you place it in a safe area where it will not be misplaced or lost. There is also the possibility that the device will be broken, so make sure you are able to secure it and prevent it from breaking so that your funds are also safe. It also depends on the person what they really prefer to use, because there are some people who are holding a lot of funds that are used to place their funds online without losing it; it is about knowledge and awareness.
legendary
Activity: 2268
Merit: 18587
In the case of Trezor or any other hardware wallet based on Trezor (all clones) someone has calculated that at least 37 characters are required for the protection to be adequate.
It depends heavily on what you class as "adequate". Since we know the seed can be extracted from Trezor wallets if an attacker has physical access to it, 37 random characters was recommended by the Ledger Donjon Team because that is what is required to have at least as much entropy as the 24 word seed itself would have. So for the passphrase on its own to be as secure as the seed on its own, then 37 random characters are needed. However, that does not mean that anything less than 37 random characters is automatically inadequate. It depends heavily on your risk model, and how long it would take you to firstly realize that your hardware wallet has been stolen, and secondly to access your back ups and send all the coins to a new wallet.

If, for example, a hardware wallet could be missing for several weeks before you noticed (for example, if it was stored in a safe deposit box), or it would take you several weeks to be able to access your back ups and move your coins (because they are stored in a different city or country to you), then you would certainly want a very long and random passphrase to make brute forcing it unfeasible. If, however, you would know at most within a couple of hours if your hardware wallets were stolen, and could access your back ups in a further hour or two, then a much shorter passphrase would be "adequate". If an attacker only has 12 hours between stealing your wallet and you moving all the coins, then even checking 1 billion passphrases per second would only give them time to check 4.32*10^13 possibilities. Even if your passphrase was only 10 random characters, then they would only have time to check 0.00007% of potential passphrases before you secured your coins.

I would always advocate for everyone to use a long and random passphrase with their hardware wallets, but I wouldn't call anything less than 37 characters necessarily "inadequate".
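
The response-window reasoning in the post above, worked through as an added example (not part of the original thread). It assumes a uniformly random passphrase over the 95 printable ASCII characters, under which the post's 0.00007% figure is reproduced, and uses the post's rate of 1 billion guesses per second; the function names, the other scenarios and the one-in-a-million threshold are illustrative assumptions.

```python
import math

PRINTABLE_ASCII = 95  # assumption: uniformly random printable-ASCII passphrase
LOWERCASE = 26        # assumption: uniformly random lowercase letters only


def guesses_in_window(window_hours, guesses_per_sec):
    """Guesses an attacker can make between theft and the coins being moved."""
    return int(window_hours * 3600 * guesses_per_sec)


def entropy_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet)


def fraction_searched(length, window_hours, guesses_per_sec,
                      alphabet=PRINTABLE_ASCII):
    """Share of the passphrase space covered inside the response window."""
    keyspace = alphabet ** length
    return min(1.0, guesses_in_window(window_hours, guesses_per_sec) / keyspace)


def min_length(window_hours, guesses_per_sec, max_fraction,
               alphabet=PRINTABLE_ASCII):
    """Shortest random passphrase keeping the searched share <= max_fraction."""
    budget = guesses_in_window(window_hours, guesses_per_sec)
    length = 1
    while budget > max_fraction * alphabet ** length:
        length += 1
    return length


# Constructed scenarios: (label, response window in hours, guesses per second).
SCENARIOS = [
    ("noticed same day, backups nearby", 12, 1e9),
    ("safe deposit box, three weeks", 504, 1e9),
    ("three weeks, 1000x faster attacker", 504, 1e12),
]


def report(max_fraction=1e-6):
    """One row per scenario: required length for each alphabet."""
    rows = []
    for label, hours, rate in SCENARIOS:
        rows.append((
            label,
            min_length(hours, rate, max_fraction, PRINTABLE_ASCII),
            min_length(hours, rate, max_fraction, LOWERCASE),
        ))
    return rows


if __name__ == "__main__":
    share = fraction_searched(10, 12, 1e9)
    print(f"10 random chars, 12 h, 1e9/s: {share * 100:.5f}% searched "
          f"({entropy_bits(10):.1f} bits)")
    for label, n_ascii, n_lower in report():
        print(f"{label}: >= {n_ascii} printable-ASCII chars "
              f"or >= {n_lower} lowercase chars")
```

The output depends entirely on the assumed guess rate and on the passphrase being random; a human-chosen phrase has far less entropy per character than these figures.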
legendary
Activity: 3234
Merit: 5637
The article is informative. That means, passphrase can further protect your cryptocurrencies. Like the Trezor used as an example, if it is stolen, but you have already set up the passphrase, the thief will be unable to access your wallet unless he knows the phrase. Wallet owner is the only one that can reveal the passphrase.

Passphrase can help as additional protection, but it is susceptible to brute force if not complex enough. In the case of Trezor or any other hardware wallet based on Trezor (all clones) someone has calculated that at least 37 characters are required for the protection to be adequate. Such an attack is currently not possible on Ledger HW, and one of the most important differences between Ledger and Trezor is in The Secure Element which is special chip built in Ledger hardware wallets.
legendary
Activity: 2730
Merit: 7065
A hardware wallet isn't expensive. I understand that in some parts of the world $50 is considered a lot of money, but if you are planning to hold hundreds and thousands of dollars it simply isn't. 

I am going to go a bit off topic and explain why they are not expensive.
While I was in high school I wanted to go running with a friend who is a bit older than me and plays basketball. He is in great physical shape, I work out, so I thought I could keep up. I didn't have proper running shoes so I figured there is no need to buy a new pair. They are 'expensive' and I am not going to use them that much. I went out running in a pair of old day-to-day sneakers.

While we were running I started experiencing intense pain in the area around my heels, but I wanted to push past it so I didn't stop and just continued until the point that I could no longer stay on my feet. I am not exaggerating.

The next morning, the pain was so intense I could barely walk. I went to the doctor who told me that the main cause for my injury was a combination of excessive exercising and bad foot wear.

Instead of buying proper foot wear because I thought they were 'expensive' I had to pay for doctor appointments, injections, and pain killers, and spent 4-5 days lying around on the sofa.
legendary
Activity: 3668
Merit: 6382
You are not new in the field

It doesn't matter how old or new is somebody on the field. You have to cross check the information as good as you can, no matter who answers and what's his rank, because you don't know his intentions and also anybody can make mistakes. And we talk about money here.

So... take care. Always.
legendary
Activity: 1512
Merit: 4795
First of all, anyone who wants to invest $25-$50 in a hardware wallet has to wonder if he really needs it. Some start crypto trading, do it for a month, lose all their money and are no longer interested in crypto; they do not need such a device at all.

On the other hand, if there is a serious intention to make a long-term investment, I do not see how a $50 investment can be unnecessary or a bad move. Of course there are those who suggest some cheaper solutions (home made cold storage), and personally I do not mind, in the end, protection is the most important, no matter how it is realized.

For some people even $50 means a lot of money, so it should be understood that some still claim that hardware wallets are too expensive for them. But that will surely change in the future as the competition gets bigger, so anyone who wants to be able to secure their storage and transactions will be able to do so.

I would add that we currently have 2 manufacturers who definitely enjoy the highest reputation among users. In my opinion as Ledger user for years (Nano S&X) these devices are on the top on my list.

Yes, you are very right. If the hardware wallet is stolen, it will be difficult or not possible to get access to the private key and seed phrase by the pilferer.

That is not entirely true, and it depends on the wallet and wallet setup. A vulnerability that was detected in Trezor hardware wallets enables one who comes into physical possession of such a device to extract the seed if the user has not set a passphrase (at least 37 characters).

Read more about this here : Trezor&Keepkey - Unfixable Seed Extraction - A practical and reliable attack!
More good info about hardware wallets : Hardware wallets

The article is informative. That means, passphrase can further protect your cryptocurrencies. Like the Trezor used as an example, if it is stolen, but you have already set up the passphrase, the thief will be unable to access your wallet unless he knows the phrase. Wallet owner is the only one that can reveal the passphrase.
legendary
Activity: 3234
Merit: 5637
First of all, anyone who wants to invest $25-$50 in a hardware wallet has to wonder if he really needs it. Some start crypto trading, do it for a month, lose all their money and are no longer interested in crypto; they do not need such a device at all.

On the other hand, if there is a serious intention to make a long-term investment, I do not see how a $50 investment can be unnecessary or a bad move. Of course there are those who suggest some cheaper solutions (home made cold storage), and personally I do not mind, in the end, protection is the most important, no matter how it is realized.

For some people even $50 means a lot of money, so it should be understood that some still claim that hardware wallets are too expensive for them. But that will surely change in the future as the competition gets bigger, so anyone who wants to be able to secure their storage and transactions will be able to do so.

I would add that we currently have 2 manufacturers who definitely enjoy the highest reputation among users. In my opinion as Ledger user for years (Nano S&X) these devices are on the top on my list.

Yes, you are very right. If the hardware wallet is stolen, it will be difficult or not possible to get access to the private key and seed phrase by the pilferer.

That is not entirely true, and it depends on the wallet and wallet setup. A vulnerability that was detected in Trezor hardware wallets enables one who comes into physical possession of such a device to extract the seed if the user has not set a passphrase (at least 37 characters).

Read more about this here : Trezor&Keepkey - Unfixable Seed Extraction - A practical and reliable attack!
More good info about hardware wallets : Hardware wallets
legendary
Activity: 1512
Merit: 4795
But, I will consider using a paper wallet this way, because if I use a hard drive wallet, I will only stay offline because I will be insecure about hackers. But using a hardware wallet like Trezor and Ledger Nano, I can still manage to connect to other wallets and exchanges. All someone needs is to be careful of malware and to check if the wallet address he inputs is correct while performing a transaction.

Though I can use a paper wallet, it is not convenient for me. So, I use a hardware wallet. I think, as said above, it is not bad to buy a $60 Ledger Nano S to save bitcoin. Not that expensive.

No-no-no, I think that there may be a confusion here.
Paper wallet is great if you don't want to spend. And only if you don't want to spend. As soon as you start spending, you don't call that paper wallet anymore.

For transactions the handiest is clearly a hardware wallet. But if you have plenty of time, not too many spend transactions, and you don't want to spend money on a hardware wallet (and indeed 60$ is not that expensive), a USB stick with Tails OS (or similar) can help. (Tails OS already has Electrum on it. Some trust that setup, some don't. I do.)

I myself did some tests with Tails OS as cold storage and worked out nicely. One stick with the offline wallet, another stick for transporting the transaction for signing, and the main computer with a watch only wallet to see, make and broadcast the transactions. https://electrum.readthedocs.io/en/latest/coldstorage.html

If you make a similar Live OS and you trust it 100%, you can even use it as a hot wallet. But I am not good enough for that.

However, many may not like the fact they'd have to enter the seed every time and if you store the seed, as o_e_l_e_o said, you'll have to encrypt the stick. So we are back to the convenience of proper hardware wallets.


I appreciate how you explained this. I deleted the post before seeing this coming. But a lot helpful. You are not new in the field and also know better.

If a hard drive works well for someone then it is fine, but the user must also be careful. I get your point now: if someone doesn't want to spend much, a hard drive wallet is an alternative.
You have clarified this enough. It is informative.
legendary
Activity: 2268
Merit: 18587
If the USB drive is a live OS and the private keys or seed are not saved in persistent storage, the solution can work.
I wouldn't really call that a wallet though, that's just a client (such as Electrum). You would need some other method of storing your seed and transporting it around to have whenever you want to transfer some coins.

You are right, the Ledger Nano X is portable and can be used with a mobile phone through Bluetooth. Although, if you use the Ledger Live app, you are limited to 23 cryptocurrencies.
The Nano S can also be used with Android phones (but not Apple phones) via a USB cable. Further, you are limited only to 23 apps being installed at the same time. You can freely uninstall and reinstall apps without losing your coins, so in reality you can store as many coins as the Ledger supports.

From what I know (please let me know if I'm wrong) there were movies showing that it's not that difficult to "hack into" a hardware wallet if one has it physically.
There have certainly been attacks proven to be possible against Trezor wallets. Even wallets which have no known attacks against them shouldn't be assumed to be 100% safe for ever more. As you say, if one of my hardware wallets was stolen, I'd be recovering from back ups and transferring to a new wallet within a few hours.