Topic: Is that safe to buy a used hardware wallet ? - page 2. (Read 3940 times)

Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?

If you update the firmware you are probably safe, but why take the chance? The Trezor itself (or even the included USB cable https://www.wired.com/2014/07/usb-security/) could have been corrupted/replaced by a sophisticated actor.

If someone gave me a used Trezor for free, I would throw it in the garbage. No discount would be sufficient enough for me to justify buying a used Trezor:

https://www.reddit.com/r/Bitcoin/comments/2dbjd9/trezor_tamper_proof_seal_doesnt_help_much_against/

Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?

It is never recommended to buy a used hardware wallet because the other person who had this in use before selling it to you may have flashed the firmware or do some other nasty trick. This way even if you wipe your wallet that firmware installed there on the chip may have bugs and it may show your seed to the person who had this before. This happens very rarely but just to be sure because I suppose in a hardware wallet you will keep a good amount of bitcoin.

Reflashing the TREZOR with evil firmware
Official TREZOR firmware is signed by the SatoshiLabs master key. Installing unofficial firmware on the TREZOR is possible, but doing so will wipe the device storage and TREZOR will show a warning every time it starts. Reprogramming the bootloader is impossible because all TREZORs ship with their secure programming fuse blown.

Inspect the TREZORs memory with an electron microscope
You might imagine yourself dissolving the TREZOR CPU in acid, finding the reprogramming fuse, repairing it, and then loading evil firmware on the TREZOR. I’m no science fiction author, but my guess is – this might be possible. However, the Cortex M3 is a sensitive multilayer chip. The components inside are much smaller than those fake eBay amps. Chances are, all you’d end up doing is destroying the chip. Even if you succeeded in doing so, this will be a costly and time-consuming task. In the end, the bitcoins will be gone already because the original owner will have changed their recovery seed upon discovering that their TREZOR was stolen.

Evil maid attack - replace the TREZOR with a fake
It might be possible for an evil ninja, or your little brother, to steal your TREZOR and replace it with a fake TREZOR. If the fake TREZOR was embedded with a wireless transmitter, then the fake TREZOR could wirelessly transmit any PIN it received. The attacker would then have full access to your funds.

If you are concerned about such an attack, it is a good idea to sign the back of your TREZOR with a permanent pen. Don’t forget to check the signature before each use.

The TREZOR’s chassis is sealed using ultrasound. Opening the TREZOR without destroying the case is nearly impossible.

How to verify the security integrity of my Nano S?

On the hardware side, if you want to check that the Nano S has not been tampered with, or the applications running are the official apps, here are a few things that you might need to know:

1) The Secure Element checks the full microcontroller flash at boot (this is described in our blog post). If it has been modified, you'll get a warning at boot. As an additional check, you can open the device to verify that no additional chip has been added (referring to the attached picture) and that the MCU is an stm2f042k6 (with 32 Kb flash, as a bigger flash could contain code fooling the Secure Element validation). Markings on the chip can vary but you should see the string "042K6".

2) The Secure Element itself is personalized at factory with an attestation proving that it has been created by us. You can verify it by running

pip install --no-cache-dir ledgerblue

python -m ledgerblue.checkGenuine --targetId 0x31100002

The source code is available here: https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py

3) Each individual application will display a "Non Genuine" warning if not signed when opened. A modified User Interface (as found in https://github.com/LedgerHQ/nanos-ui) will also display a warning message on boot.

4) The root of trust for the current batch is the following secp256k1 public key : 0490f5c9d15a0134bb019d2afd0bf297149738459706e7ac5be4abc350a1f818057224fce12ec9a 65de18ec34d6e8c24db927835ea1692b14c32e9836a75dad609 - as checked in checkGenuine.py https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py#L72

How will you trust that someone did not record the recovery seed and then use that to recover the wallet onto another Trezor? The reason why

you have the recovery seed, is when your hardware wallet fail and you want to restore your wallet onto a new device. Will you trust someone if

they offered you a key to their used safe deposit box? {They could have made a duplicate of the key} 

I am paranoid enough to not trust used bitcoin hardware wallets.  If you upgrade firmware you probably should be fine,
but I am afraid the wallet might have been corrupted or replaced by a sophisticated fake, like Chinese copy or something.
If someone is giving you their trezor for free or is offering amazingly low price, don't take it. Better stay safe.

err.. I'm not sure if there's something the previous owner could do to steal your keys/bitcoins but if I were to use a hardware wallet for my investment, I definitely wouldn't risk getting a used one.

Value your investments. Get a new one instead, don't risk having potential big problems in the future.

I personally wouldn't trust used hw wallets. Just buy a new one if you're going to store any serious amount of coins in it.

Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?