Pages:
Author

Topic: Is that safe to buy a used hardware wallet ? - page 2. (Read 3958 times)

hero member
Activity: 952
Merit: 513
Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?



Yes, no matter how safe a factory reset or a complete wipe of the system is, technically there is still achance that someone that has evil intentions will scam you, not only with an unsafe Trezor, but anything that you deposit into it as well.

The chances of it happening is low, but when it happens, who's to blame? The seller? Sorry, you've got no proof, it could have been a virus on your laptop.

The whole idea of bitcoin and hardware wallets is to have trustless, secure storage of your coins. Obviously, nothing can be perfectly trustless, but personally by buying a used trezor i can't sleep well at night knowing that someone might have access to my coins. Just spend the extra $50 and buy a new one. Even if you buy from a reseller, it can technically still not be safe.

Quote from: stackexchange
If you update the firmware you are probably safe, but why take the chance? The Trezor itself (or even the included USB cable https://www.wired.com/2014/07/usb-security/) could have been corrupted/replaced by a sophisticated actor.

If someone gave me a used Trezor for free, I would throw it in the garbage. No discount would be sufficient enough for me to justify buying a used Trezor:

https://www.reddit.com/r/Bitcoin/comments/2dbjd9/trezor_tamper_proof_seal_doesnt_help_much_against/
newbie
Activity: 3
Merit: 0
Based on what I read here on the basics, there are a lot of ways that you can secure your bitcoins and one of which is the hardware wallet. That's the best thing you could do to avoid the hassle and just instantly use it. They could really protect it because you will be the one holding it. I'm planning to get one but I don't have the funds yet.
sr. member
Activity: 756
Merit: 251
Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?



Hello there my friend. The first question will be, will you be storing a huge amount of bitcoin? If yes, I would say you do not compromise them. Why don't you buy a brand new one? The reason why you buy them in the first place is that you want to safe-keep them right? Well the safer way to do it is not to safe-keep them in a hardware wallet that is already used.  Wink
legendary
Activity: 1288
Merit: 1087
there may well be technical reasons why it's an ok idea. i'm not technical enough to be sure. i'd only buy new direct from the manufacturer. the whole point of them is to not take a chance. i ain't taking one now.
legendary
Activity: 2758
Merit: 6830
It is never recommended to buy a used hardware wallet because the other person who had this in use before selling it to you may have flashed the firmware or do some other nasty trick. This way even if you wipe your wallet that firmware installed there on the chip may have bugs and it may show your seed to the person who had this before. This happens very rarely but just to be sure because I suppose in a hardware wallet you will keep a good amount of bitcoin.
That wouldn't be possible. Both Trezor and Ledger have security measures to avoid the attempt of installing malwares in your hardware wallet. See above:

Trezor:

Quote
Reflashing the TREZOR with evil firmware
Official TREZOR firmware is signed by the SatoshiLabs master key. Installing unofficial firmware on the TREZOR is possible, but doing so will wipe the device storage and TREZOR will show a warning every time it starts. Reprogramming the bootloader is impossible because all TREZORs ship with their secure programming fuse blown.

Inspect the TREZORs memory with an electron microscope
You might imagine yourself dissolving the TREZOR CPU in acid, finding the reprogramming fuse, repairing it, and then loading evil firmware on the TREZOR. I’m no science fiction author, but my guess is – this might be possible. However, the Cortex M3 is a sensitive multilayer chip. The components inside are much smaller than those fake eBay amps. Chances are, all you’d end up doing is destroying the chip. Even if you succeeded in doing so, this will be a costly and time-consuming task. In the end, the bitcoins will be gone already because the original owner will have changed their recovery seed upon discovering that their TREZOR was stolen.

Evil maid attack - replace the TREZOR with a fake
It might be possible for an evil ninja, or your little brother, to steal your TREZOR and replace it with a fake TREZOR. If the fake TREZOR was embedded with a wireless transmitter, then the fake TREZOR could wirelessly transmit any PIN it received. The attacker would then have full access to your funds.

If you are concerned about such an attack, it is a good idea to sign the back of your TREZOR with a permanent pen. Don’t forget to check the signature before each use.

The TREZOR’s chassis is sealed using ultrasound. Opening the TREZOR without destroying the case is nearly impossible.



Ledger:

Quote
How to verify the security integrity of my Nano S?

On the hardware side, if you want to check that the Nano S has not been tampered with, or the applications running are the official apps, here are a few things that you might need to know:

1) The Secure Element checks the full microcontroller flash at boot (this is described in our blog post). If it has been modified, you'll get a warning at boot. As an additional check, you can open the device to verify that no additional chip has been added (referring to the attached picture) and that the MCU is an stm2f042k6 (with 32 Kb flash, as a bigger flash could contain code fooling the Secure Element validation). Markings on the chip can vary but you should see the string "042K6".

2) The Secure Element itself is personalized at factory with an attestation proving that it has been created by us. You can verify it by running

pip install --no-cache-dir ledgerblue

python -m ledgerblue.checkGenuine --targetId 0x31100002

The source code is available here: https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py

3) Each individual application will display a "Non Genuine" warning if not signed when opened. A modified User Interface (as found in https://github.com/LedgerHQ/nanos-ui) will also display a warning message on boot.

4) The root of trust for the current batch is the following secp256k1 public key : 0490f5c9d15a0134bb019d2afd0bf297149738459706e7ac5be4abc350a1f818057224fce12ec9a 65de18ec34d6e8c24db927835ea1692b14c32e9836a75dad609 - as checked in checkGenuine.py https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py#L72

Sources:
https://doc.satoshilabs.com/trezor-faq/threats.html
http://support.ledgerwallet.com/knowledge_base/topics/how-to-verify-the-security-integrity-of-my-nano-s
member
Activity: 76
Merit: 10
I didn't use trezor and similar, but logically, if I send you even a photo, I can implement a virus in this file,
is it a photo, txt file or wallet, it can be sent together with virus, trojan, etc.
another person already mentioned seed generated in advance, only one person should know the seed,
legendary
Activity: 2044
Merit: 1008
I will never use a second hand hardware wallet, under any circumstances. I know that these wallets are not cheap (for example, Trezor costs around $100 per piece). But if you have coins worth $20,000 or $30,000 with you, then what is wrong in spending 0.5% of that for a permanent storage solution?
newbie
Activity: 50
Merit: 0
The risk is exposure of the hardware itself to someone else, even if they can't implant a malware into it they can even replace the hardware with fake and possible maliciously modified hardware, either to cheat or worse, steal the bitcoin deposited later.
copper member
Activity: 1442
Merit: 529
It is never recommended to buy a used hardware wallet because the other person who had this in use before selling it to you may have flashed the firmware or do some other nasty trick. This way even if you wipe your wallet that firmware installed there on the chip may have bugs and it may show your seed to the person who had this before. This happens very rarely but just to be sure because I suppose in a hardware wallet you will keep a good amount of bitcoin.

My advice is always buy a sealed new one and always buy only from the official website. Even buying in Ebay and Amazon I am afraid. You may say I am a fanatic but when it comes to bitcoin, security is ranked at first.
newbie
Activity: 54
Merit: 0
By common sense, no, it was in the property of and under the ownership of someone else, if you completely trust they did not allow anyone (or the previous owner, too) to tamper with it, it could contain malware or be modified in anyway,
a brand new hardware wallet from the manufacturer directly is the best way IMO.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
How will you trust that someone did not record the recovery seed and then use that to recover the wallet onto another Trezor? The reason why

you have the recovery seed, is when your hardware wallet fail and you want to restore your wallet onto a new device. Will you trust someone if

they offered you a key to their used safe deposit box? {They could have made a duplicate of the key}  Huh

You can wipe it and generate a new seed. The problem here is -

I am paranoid enough to not trust used bitcoin hardware wallets.  If you upgrade firmware you probably should be fine,
but I am afraid the wallet might have been corrupted or replaced by a sophisticated fake, like Chinese copy or something.
If someone is giving you their trezor for free or is offering amazingly low price, don't take it. Better stay safe.
legendary
Activity: 1904
Merit: 1074
How will you trust that someone did not record the recovery seed and then use that to recover the wallet onto another Trezor? The reason why

you have the recovery seed, is when your hardware wallet fail and you want to restore your wallet onto a new device. Will you trust someone if

they offered you a key to their used safe deposit box? {They could have made a duplicate of the key}  Huh
hero member
Activity: 994
Merit: 507
Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?



err.. I'm not sure if there's something the previous owner could do to steal your keys/bitcoins but if I were to use a hardware wallet for my investment, I definitely wouldn't risk getting a used one.

Value your investments. Get a new one instead, don't risk having potential big problems in the future.

I agree. You might brought it cheaper than what the actual price is but the risk that it might brought to you will not be pleasing. I would also rather buy my own just to be sure. Also the possibility that it might be broken or whatever might bring a problem too. That's why you need the reason why he will sell it though you can't expect a 100% guaranteed honest answer especially if the reason might change your thinking to buy the used hardware wallet.
full member
Activity: 434
Merit: 100
It seems to me that this insignificant saving can bring problems in the future.
I would not do so if there is no complete trust in the seller.
legendary
Activity: 1400
Merit: 1001
I am paranoid enough to not trust used bitcoin hardware wallets.  If you upgrade firmware you probably should be fine,
but I am afraid the wallet might have been corrupted or replaced by a sophisticated fake, like Chinese copy or something.
If someone is giving you their trezor for free or is offering amazingly low price, don't take it. Better stay safe.
full member
Activity: 228
Merit: 100
I personally wouldn't trust used hw wallets. Just buy a new one if you're going to store any serious amount of coins in it.
Yes me too, i don't believe with any option for bitcoin wallet. that's why i keep bitcoin at exchange.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
Hello my friends.

Is that safe to buy a used hardware wallet like Ledger Nano S or Trezor .

Is there any danger to use a second hand hardware wallet ?



err.. I'm not sure if there's something the previous owner could do to steal your keys/bitcoins but if I were to use a hardware wallet for my investment, I definitely wouldn't risk getting a used one.

Value your investments. Get a new one instead, don't risk having potential big problems in the future.
full member
Activity: 139
Merit: 100
RatingExpertise.com
I personally wouldn't trust used hw wallets. Just buy a new one if you're going to store any serious amount of coins in it.
member
Activity: 132
Merit: 10
I thought it's not safe, as Trezor has recovery seed. This seed is generated the first time you run TREZOR and will help you recovering it’s contents (private keys, bitcoin balance, and transaction history) into a new device if you lose your TREZOR.
http://doc.satoshilabs.com/trezor-faq/software.html#what-are-a-recovery-seed-a-pin-and-encryption-passphrase-and-the-difference-between-them
legendary
Activity: 1736
Merit: 1023
It should be fine. You should just double check that it is running the stock firmware if it has the option to use a 3rd party firmware as some of them do. Other than that I don't think you have much to worry about.
Pages:
Jump to: