Topic: Is A Second-Hand Hardware Wallet Safe? (Read 382 times)

What if somebody actually studied specific Hardware Wallets for a long time and found a way to disassemble them, tamper with them and then assemble them looking just like new.  Asking to pry a Hardware Wallet open before purchasing it is strange anyway, nobody would do it, so maybe you find out only after purchasing it and prying it open back home.  But what if the tamper is not physically observable.

Even if it lies in the Code and you do have the capacity to Analyze the Firmware, mistakenly skipping a single line or not being able to connect the dots at the right time could lead to using a malicious Hardware Wallet and even Trusting it since you did analyze both its Firmware and the Hardware too.

Even if the Seller is reliable and trustworthy, you have no idea whether it was a device they purchased from official sellers themselves or if it was a device they got for free.  What if they are actually selling a device they thought they received as a gift in their Post.

So at the end of the day, there are so many possibilities it is still so much more convenient to either purchase it from a legitimate official source or to just create your own Airgapped Wallet.  While not the most convenient User Experience wise, it is the Safest choice for OP still.

The only way I would go as far as buying a second-hand hardware wallet it would be whether I am capable of analyze both hardware and software, seeking for irregularities and evidence someone maliciously tampered with the wallet, in order to steal other money. It would not be the first time I have seen something like that happening, actually, there have been some documented cases of Ledger hardware wallets being tampered with the sold on eBay.
If one as an user is not willing to go through all the hassle of analyzing the software and hardware of what one has bought, it is better just to go safe and buy directly from official vendors.

Needless to say, most of the average person interested in acquiring a hardware wallet does not have the capacity to analize both the firmware and the hardware of those products... 

Don't do it if you are buying it from an unknown person on the internet that you don't know and have never met. It might look like a good deal, and probably is if you are getting if for like 50% cheaper than a new one, but it's not really worth the worry. If you are buying a hardware wallet, it's fair to assume that you have or will have an amount that you feel is big enough to store on such a device. If that is the case, don't make shortcuts and try to save a few bucks by increasing the chances of hurting your crypto holdings.

Imagine if you have a really expensive car. Fill the tank at a gas station and don't trust the guy at the corner who says he can get you the same quality fuel for half the price. If you can afford the car, use quality fuel with it and not something that could be mixed with water or other fluids.

Not necessarily. If there is some automatic drainer, then yes, the sum would be stolen and sent to an address that the scammer controls. If that is possible, of course. Let's not forget that hardware wallets require physical confirmation to send transactions.

But if there is no drainer and someone is manually checking the addresses, they could wait. Let's think like scammers. If I had control of your keys and I am planning to steal from you, I am not going to do that after you send $5 worth of crypto to your wallet. I will wait a little, maybe for $500, $5000... Only then will I react. Doing it earlier will show you that something is wrong, and you would probably abandon the wallet. So, I'll wait.

First of all, why would someone sell their used wallet? I have a Bitcoin wallet in my smartphone and when I plan to change my smartphone with a new one, I simply destroy it instead of selling it because I had a Bitcoin wallet in my old smartphone and despite the fact that I can format it, I can't still risk to sell it to someone unknown.

I have never thought about that but that approach is very logical for safety. In that case, we have to use the help of friends or freight forwarder companies that let us to get items in different locations with different names.

What's safer, a laptop with HDD or a laptop with SSD? I have heard from many people that SSDs are good but I have a laptop with NVME SSD that I have used since 2020 and recently SSD got damaged itself, without any physical harm while my 10 years old PC with HDD still works fine.

Yes.

SeedSigner: $80
Blockstream Jade: $70
Krux: $45 running on a really nice device.

That's less than $200 for three hardware wallets, all of which can be run stateless and airgapped.  Very minimal DIY.  For SeedSigner, you just have to buy a kit and load the firmware onto a micro SD card.  Jade comes ready to go.  For Krux, you buy the device to run it on, download the firmware and run a command in Terminal to flash it to the device.

And that Krux price isn't even the cheapest option.  You can buy a Maix Cube for around $35 to install Krux on, but the Yahboom K210 module ($45) is a much better device for Krux since it has a larger screen, and it's a touchscreen.  Sometimes those Yahbooms can be found for even less.  I got one for $37.

OP would need to buy multiple Hardware Wallets from separate Sellers and meet them personally for the exchange under different identities.  Today you are Rob purchasing from A, tomorrow you have to be Jim purchasing from B.  Otherwise, the Seller could have different accounts under which they sell Hardware Wallets and if the same customer asks both, they can get a friend or a partner-in-crime sell it to you.  Purchasing from the same Seller implies the risk of owning multiple devices from the same perpetrator.  And even if you buy 5 devices from 5 different Sellers, nobody guarantees all 5 are not from the same group of perpetrators.

Then you would need to pay very little per piece so at the end of the day you get to pay less on the Multi Sig setup than you would on a single legitimate device from the original Seller.

It is useless trouble.  Just purchase a legitimate device.  If you can not purchase any device other than an already used one, just do Airgapped like you said.

I think that the only way to enhance your security is to buy several wallets and use the multi-signature feature, but the cost has not been reduced and there is still a risk, so building a wallet yourself or using airgapped is much better.

Since there's no way to deterministically verify that a used hardware wallet has not been tampered with, they are not safe to use. As everyone else has stated here.

There is no way to be sure that a hardware wallet has not been opened up and had parts and other firmware replaced with malicious counterparts, similar to how a credit card skimmer would work.

Even if we consider only wallets from a single vendor, it can't be guaranteed. As all vendors have different manufacturing processes.

If the firmware turns out to be in order after initialization in the manufacturer’s app (for example, Ledger Live allows to check the authenticity of the hardware wallet), then you can disassemble the device and check for traces of foreign intervention. Often, marks remain on the case if the HW device has been disassembled. After that, send a small test amount to your wallet. If hardware wallet is unreliable, then this money will be stolen immediately.

I don’t understand whether it’s worth bothering with this instead of buying a new hardware wallet, but I can’t think of any other testing methods.

And let's follow that thought through.  Is it really worth risking everything you have in order to save a few bucks?  I'd never do that.

Generally speaking, I think one could probably get away with buying a used hardware wallet, but why would anyone in their right mind take the risk?  I'd NEVER put my Bitcoin at risk like that.  Never, never, never.  Not even if I could get a used hardware wallet for free.  No way.


Absolutely.  In my opinion Krux is much better than most hardware wallets for singlesig, because it offers encrypted seedQR codes (among many other features).  And I think SeedSigner is better than most hardware wallets for single-custody multisig (in other words, multisig wallet for one person) because of how easy it is to load multiple seeds.  Either would be a great choice for a collaborative multisig wallet (where each person holds a key).

The most common answer seems to be: don't get a second-hand hardware wallet because it can be difficult to verify it hasn't been tampered.

Why would you want to get a second-hand device? OP hasn't answered this very valid question. To save a few bucks? Probably not worth the hassle, unless OP has severe difficulties to buy a genuine hardware wallet at his location for whatever reasons.

Most hardware wallets allow a factory reset. Some allow to verify their firmware is genuine and untampered. Could you trust it fully if it passes such a genuinity test? Would you be 100% confident with such a second-hand device? If only tiny doubts persist and won't disappear, it's better to get a new one (which you should check for genuinity, too // supply chain attacks are no myth).

I'm sure, I wouldn't buy a second-hand hardware wallet. I'd rather build my own from non-suspicious electronic parts (Seedsigner or Krux; awesome stateless hardware wallets; no revealing purchase traces).

OP, just hope you know that if anything goes wrong with your hard wallet, you are not getting any support or warranty from the manufacturer? They have no business with you, which means it is just you at the mercy of whoever you are getting the device from. This is why you should buy directly from a reputable manufacturer, at least you are certain it has not been tampered with and you would be getting neccessary assistance if the need arises.

@ContentWriter
Other users already answered your question, but I want to point to something else... If the second-hand HW that you were looking to buy is at the higher end of the price spectrum, it's worth noting that various cheaper brand-new models in the market can also provide similar protection to a certain degree: List of hardware wallets ^{[pick something that has a "secure element" while being "open-source" and having "reproducible builds"]}

OP, I don't know if you're asking this as a hypothetical or are planning on buying a second hand wallet for personal use, but if it's the latter I would strongly suggest not doing it--especially if you plan on keeping substantial amounts of funds on it.  The money you'd be saving by buying a used HW wallet just doesn't justify the risk IMO.

The only reason I could ever see for buying a used device would be as a collectible--and that's it.  Hardware wallets are generally inexpensive, so why take a chance that there's some malware installed on a used one when you could spend a little more on a new one and sleep better at night.

As long as it's not a Ledger.  New or used, if you view what they've done logically there's no way you could put funds on it and be able to sleep at all.  Just sayin'.

Thanks for the links, so people really do offer their used hardware wallets for sale and some people also look for used hardware wallets to buy, the number may not be high, but..yeah.

I don't mind buying second hand of a few things, but surely not something that's going to hold the keys to my money. Even if you may reset it, and follow all safety conditions before use, it still does not make sense trying to save a few $ with something that's going to store way more than that.

No other reason that I can think of because anything second hand of the same thing are cheaper than new of that thing.

I saw this online: https://www.reddit.com/r/ledgerwallet/comments/8i5y2l/is_it_safe_to_buy_a_2nd_hand_ledger_nano_s/

I make further research and I saw this.
This is a used Ledger Nano on eBay: https://www.ebay.com/itm/266817029817?itmmeta=01J0TQE3V4SFGN9HC9KYADAE74&hash=item3e1f88c6b9:g:jOQAAOSw~z5mDuT9&itmprp=enc%3AAQAJAAAA0MTsN6CFysn3nz%2Fmppd64FBvhzSm7A7E5f3Y74FI3F0tgH1qdBg1VkQwANDw6LE63H%2FgH7s%2Fbfxp6B7oBl24Rd4F2dT4Z1QC%2Foh6BCj0wvQwJqtdW4xLjX0RrYre0y8n3XrdDiV6MLUCRmjRqiJFnSxPCp1C5o5rIeaLAE0o%2FvoBedrCpE5Q%2Fs0lsMqxcF35R3noKOlPtyKfBMutYSB9jzUiIF3dtk2zr8ZYnbT8uOyfNXiaM36VI3Xyq95oI9%2BG1Q75UJoKoPDkXFw47u%2FiK4Q%3D%7Ctkp%3ABk9SR9K9uNeGZA

Despite the risks, it would be funny if the used one is expensive than the new one.

Hardware wallet is not a second hand t-shirt that you can buy and use. Technically, it is possible to format (reset to factory settings) HW, but should you rely 100% on these standard formatting tools as safe and reliable, I think not. Because it is unknown whether the previous owner of the HW device added malicious applications. Do you really want to play roulette and bet your savings?

It is better not to save money when it comes to storing cryptocurrencies and buy only directly from the manufacturer (or official dealers). In general, I agree with the answers of other users in this thread and would not recommend using second-hand hardware wallet.

Why do you want to buy a used hardware wallet, are you getting it cheaper? I just want to know the rationale behind it.

That aside, i would not do it, the safest option of purchasing a hardware wallet is from the manufacturers themselves and not just from anyone who wants to sell a device they have used. Is it a common thing to find people who want to sell their used hardware wallets? I have not read anything about it before.

I would skip the idea with out a doubt.

Why is the person selling their Hardware Wallet?  Why are they giving it away?  Why do they want to get rid of it?

There are so many ways this could go wrong.  And unless you are going to store 1 Dollars in your Wallet or want to keep it just as a Collectible, I truly believe it could end up as a huge mistake.  Think even about others.  You purchase the Wallet today, you die tomorrow, your closest relative inherits the Hardware Wallet and out of Trust will use it.  If the Hardware Wallet is malicious, they are screwed.  Like I said.  So many ways it can go wrong.

Just spend more and get a genuine one or build one yourself.  Or if both are impossible to do, just build an Airgapped Wallet instead.  Any thing other than a SECOND HAND Hardware Wallet sounds safer.  Not worth the risk.

In theory yes you can do it, but I would never do that unless I am performing a reset of my own old hardware wallet.
Hardware wallets are not like flash drives, they have different firmware structure and someone could always add malicious chips inside, sell this devices and steal and change addresses.
This is not some fantasy story because we alreday had examples for fake devices being sold on internet.

Condlusion:
Purchasing second hand Hardware Wallets is generally not safe.