
Topic: It is NOT secure to use hardware wallets (and it never was) - page 4. (Read 2133 times)

sr. member
Activity: 389
Merit: 250
I don't see me going back to downloading a block chain for each coin. And waiting to update or repair the blockchain before you can spend any coins.

Last weekend was spent updating and repairing 2 wallets, getting the coins out of a super secure offline signing wallet. And separating forks. I'm constantly helping users get access to their coins in their malfunctioning wallets:P. Corrupted data, human error etc etc etc. If your upgrade is tainted you could lose your coins that way.
newbie
Activity: 69
Merit: 0
Hardware wallet is the safest wallet till now as you can store the btcs the way you like
legendary
Activity: 1624
Merit: 2481
Don't just disable the networking, break or remove the adapter. Then you have a machine that can only be interfaced with through the USB or other ports.

But how do you actually do that? You need to do it physically?

Yes. Removing all network adapters physically gives you a 100% guarantee that your offline machine won't communicate with any other device in its proximity.
Note that being 100% secured against an attack vector can almost never be reached.
This is one of the few cases where it is possible to absolutely secure yourself against an attack vector.



I've been using an offline wallet to sign for a while, but I just disabled network adapters. I figured it was kinda bullshit, but the reality is that the risk is already pretty low. The offline machine was formatted clean and never connected to the internet. It seems to me that in either case (networking disabled vs. actually removed) the thumb drive you use for transporting raw transactions is a required attack vector.

Let's say Windows forces a shutdown/update and re-enables network adapters. What then? Some malware from the thumb drive keylogs my wallet password, swipes my private keys and......but there's no unprotected network to connect to. I'm not crazy for thinking the risk is low here am I? If there's malware sophisticated enough to do the above, then copy itself to the thumb drive and push the data from the online computer, then it seems like a PC with network adapter removed is prone to the same attack.

You are right, the risks are very low. But it still exists.
It all depends on how much you want your storage to be secured against which attack vectors.

And you are also right with the USB drive being the attack vector which would probably be the first one abused.
And it is indeed independent from your network adapters.

But there are other possibilities to transfer your unsigned TX to your offline machine and move your signed TX to your online pc.
The simplest would probably be with the help of two webcams:
  • Create unsigned TX on online pc
  • Display QR code of this TX
  • Scan the QR code with webcam connected to your offline machine
  • Sign the TX
  • Display the QR code of the signed TX
  • Scan this QR code with your webcam connected to your online PC
  • Broadcast transaction

Note that to be on the safe side, you should NOT connect your webcam to an online PC after connecting it to your offline storage.
This attack vector (flashing webcam firmware with malicious version) is pretty unlikely.. but it also does exist.
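
The QR hand-off described in the post above, sketched as an added example that is not part of the thread: the receiving machine treats each scanned string as untrusted input and accepts only strictly formatted hex frames. The `TX1/index/total/digest/payload` frame layout, the size limits and the sample bytes are assumptions made up for this illustration; rendering and scanning the QR images is left to whatever QR library is in use.

```python
import hashlib
import re

MAX_CHUNK = 800    # assumed hex characters carried by one QR code
MAX_FRAMES = 64    # assumed upper bound on frames per transaction
# Assumed frame layout: TX1/<index>/<total>/<digest prefix>/<hex payload>
FRAME_RE = re.compile(r"TX1/(\d{1,2})/(\d{1,2})/([0-9a-f]{16})/([0-9a-f]+)")
# Constructed filler bytes, not a real transaction.
SAMPLE_TX = "0200000001" + "ab" * 300


def _digest(tx_hex):
    return hashlib.sha256(bytes.fromhex(tx_hex)).hexdigest()[:16]


def make_frames(tx_hex, chunk=MAX_CHUNK):
    """Sending side: split a hex transaction into one text frame per QR code."""
    tx_hex = tx_hex.lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", tx_hex):
        raise ValueError("transaction must be non-empty, even-length hex")
    parts = [tx_hex[i:i + chunk] for i in range(0, len(tx_hex), chunk)]
    if len(parts) > MAX_FRAMES:
        raise ValueError("transaction too large for this framing")
    digest = _digest(tx_hex)
    return [f"TX1/{n}/{len(parts)}/{digest}/{p}" for n, p in enumerate(parts, 1)]


def reassemble(scanned):
    """Receiving side: treat every scanned string as untrusted input."""
    total = digest = None
    parts = {}
    for text in scanned:
        m = FRAME_RE.fullmatch(text)
        if not m:
            raise ValueError("rejected frame: unexpected format")
        n, t, d, p = int(m[1]), int(m[2]), m[3], m[4]
        if total is None:
            total, digest = t, d
        if (t, d) != (total, digest) or not 1 <= n <= t <= MAX_FRAMES or len(p) > MAX_CHUNK:
            raise ValueError("rejected frame: inconsistent header")
        if parts.setdefault(n, p) != p:  # same index scanned twice with different data
            raise ValueError("rejected frame: conflicting duplicate")
    if total is None or len(parts) != total:
        raise ValueError("missing frames")
    tx_hex = "".join(parts[i] for i in range(1, total + 1))
    if len(tx_hex) % 2 or _digest(tx_hex) != digest:
        raise ValueError("digest mismatch: payload misread or altered")
    return tx_hex
```

The truncated SHA-256 only catches misreads and dropped frames; a compromised online PC can produce a matching digest, so the offline wallet still has to show the decoded outputs and amounts before signing.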
sr. member
Activity: 251
Merit: 257
Don't just disable the networking, break or remove the adapter. Then you have a machine that can only be interfaced with through the USB or other ports.

But how do you actually do that? You need to do it physically?

I've been using an offline wallet to sign for a while, but I just disabled network adapters. I figured it was kinda bullshit, but the reality is that the risk is already pretty low. The offline machine was formatted clean and never connected to the internet. It seems to me that in either case (networking disabled vs. actually removed) the thumb drive you use for transporting raw transactions is a required attack vector.

Let's say Windows forces a shutdown/update and re-enables network adapters. What then? Some malware from the thumb drive keylogs my wallet password, swipes my private keys and......but there's no unprotected network to connect to. I'm not crazy for thinking the risk is low here am I? If there's malware sophisticated enough to do the above, then copy itself to the thumb drive and push the data from the online computer, then it seems like a PC with network adapter removed is prone to the same attack.
legendary
Activity: 2898
Merit: 1386
Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on some things but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever have thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Google on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Just take an old laptop, load your favorite wallet and coins, then break or disable the wireless networking. Then break or disable the wired networking.

Although hardware wallets may have some issues, those issues are nothing compared to the problems of binding a machine to the greater world, uploading data and reporting in fashions the user is not privy to, and requiring downloading of supposed "updates" that are not comprehensible.

Yeah, but you don't want just any old laptop to do that on.  Like if you were to get one of your old laptops from 10 years ago that you were downloading a whole bunch of sketchy stuff on through limewire, I wouldn't think to recommend using something like that.  The most secure way is to buy a cheap laptop that has no wireless or bluetooth capabilities, and then load trusted/gpg verified files on the computer through booting it on a live-USB.

Any old laptop?

An old laptop with a new SSD running a new Linux can be a pretty nice and secure computer. I say "a new SSD" only because an old hard drive is pretty risky.

Look, it's important to think clearly about the issues in this thread. Most any machine is safe, if it is loaded with a wallet that allows you access to your private keys, and if it is not capable of getting on the internet.

Don't just disable the networking, break or remove the adapter. Then you have a machine that can only be interfaced with through the USB or other ports.
newbie
Activity: 4
Merit: 0
These kind of hardware wallets will grow stronger with time.
An indestructible and safe wallet is a very hard thing to accomplish.
But these days there is no other option to secure your funds without using cold storage.....
but need something more secure in future
newbie
Activity: 60
Merit: 0
I wish we could already live in a world where only secured digital wallets exist... I know there are many technological safety measures that could be implemented within digital wallets that could ensure the users' privacy and personal security. This can even be much better in time!
full member
Activity: 312
Merit: 111
There is normally in every branch a trade off between security and ease of use. Question is how much do you trust a storage method for how much bitcoin.
newbie
Activity: 4
Merit: 0
It is somewhat misleading to say that hardware wallets are not safe. Of course, if you lose your hardware wallets, there is a chance that the seed can be recovered through some of the ways highlighted in the article there but most people would not know how to break it.

So the key point here is that you should ensure you purchase directly from the company or a reliable vendor and ensure that you setup the device from scratch. This should go a long way in keeping your funds secure.

With paper wallets or web wallets, there is always a risk of key logging or malware that can exploit your data. Hardware wallets are safe.
legendary
Activity: 3234
Merit: 5637
I haven't heard of anyone losing coins in a hardware wallet yet. Other than a device that already had been previously opened. They set the seed words and password. Then sent the device and a copy of the seeds words-password to the new owner. The new owner thought he bought a new device and didn't reset it. The crooks just waited until the coins were in the wallet and stole them.   

It's true, so far there is no report about such a case, and the reason is very simple - hacking a hardware wallet is not easy work, it is much easier for hackers to focus on online wallets/exchanges and business with fake wallets/phishing links.

That example you mentioned is something completely different, human ignorance and stupidity are endless. I think that is partly the fault of the manufacturers who should sell devices only directly from the factory with great security measures. Buying a hardware wallet from e-bay or some similar site is nothing but an extra risk.

However manufacturers can not stop people from selling their wallets, but a notice on the site that such purchase is not advisable would be a good move.
legendary
Activity: 1624
Merit: 2481
Yeah, but you don't want just any old laptop to do that on.  Like if you were to get one of your old laptops from 10 years ago that you were downloading a whole bunch of sketchy stuff on through limewire, I wouldn't think to recommend using something like that.  The most secure way is to buy a cheap laptop that has no wireless or bluetooth capabilities, and then load trusted/gpg verified files on the computer through booting it on a live-USB.

Using an old processor doesn't also mean you have to use your old (non-wiped) hard drive.
An old laptop with a formatted hard drive and wireless adapter removed does its job very well.

There is also no need for running an OS as live version from a USB stick. It is absolutely fine to install an OS to your hard drive.
No connection adapters mean no connection. Regardless of the OS you are running and from how you boot it.
sr. member
Activity: 389
Merit: 250
I haven't heard of anyone losing coins in a hardware wallet yet. Other than a device that already had been previously opened. They set the seed words and password. Then sent the device and a copy of the seeds words-password to the new owner. The new owner thought he bought a new device and didn't reset it. The crooks just waited until the coins were in the wallet and stole them.   
copper member
Activity: 168
Merit: 0
No it doesn't worth mentioning that it was found by whom because whoever have found it just awesome discovery
full member
Activity: 533
Merit: 100
I would still use it. Of course that they can make the modifications on hardware wallet and steal your coins after you use it.
So buy it from the official seller and update it if needed.
legendary
Activity: 1316
Merit: 1004
Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on some things but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever have thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Google on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Just take an old laptop, load your favorite wallet and coins, then break or disable the wireless networking. Then break or disable the wired networking.

Although hardware wallets may have some issues, those issues are nothing compared to the problems of binding a machine to the greater world, uploading data and reporting in fashions the user is not privy to, and requiring downloading of supposed "updates" that are not comprehensible.

Yeah, but you don't want just any old laptop to do that on.  Like if you were to get one of your old laptops from 10 years ago that you were downloading a whole bunch of sketchy stuff on through limewire, I wouldn't think to recommend using something like that.  The most secure way is to buy a cheap laptop that has no wireless or bluetooth capabilities, and then load trusted/gpg verified files on the computer through booting it on a live-USB.
legendary
Activity: 1316
Merit: 1004
These kind of hardware wallets will grow stronger with time.
An indestructible and safe wallet is a very hard thing to accomplish.

Right, and honestly I like that these hardware wallets are being heavily scrutinized, broken down, rebuilt, and broken down again while Bitcoin and other cryptocurrencies are still relatively early in the game and not that many people are actively using cryptos.

Having the simplicity and "security" of hardware wallets are crucial for mainstream adoption.
legendary
Activity: 2898
Merit: 1386
Right, although the "someone" who has unfettered access to a computer with Intel ME is Intel themselves (and anyone else holding the code signing key for executing code on the ME processor). I think exploits were discovered last year where an attacker circumvented the use of the Intel code signing key, but I forget the specifics.

You see we can agree on some things but few MS developers have woken up to the fact that Microsoft is locking them
out from the OS all over the place let alone are spying on every byte of data they can see.

Who would ever have thought that you would be getting a merit from me and take it from me, I don't get many to
give away but I am stuck with MS because it's all I know.

I suspect Google on Android devices is nearly as bad, they both have a bad track record, both work for the CIA/NSA

Just take an old laptop, load your favorite wallet and coins, then break or disable the wireless networking. Then break or disable the wired networking.

Although hardware wallets may have some issues, those issues are nothing compared to the problems of binding a machine to the greater world, uploading data and reporting in fashions the user is not privy to, and requiring downloading of supposed "updates" that are not comprehensible.
full member
Activity: 312
Merit: 111
A hardware wallet can be safe, just cut the connection. That's what DigiSafeGuard is working on right now. There is no 100% security, but it's as secure as it can get. At least as secure as a paper wallet.
https://www.digisafeguard.com

Any other hardware wallet having a usb connection or relying on a chip security is not safe enough to put more than 5000 usd on it.
legendary
Activity: 2310
Merit: 1422
If that's the case what can we do then? What kind of microprocessor is your machine using? I mean f*c*ing intel is everywhere! I am about to change my old 2010 laptop (amd)? Do you have any suggestions?

1. Keep that AMD laptop

Best advice right now is to keep pre-2013 AMD and (I think) pre-2007 Intel hardware (which in a stroke of irony are not receiving patches for those kernel memory access exploits that made the news for Intel recently).  

Thanks, I'll do my best to make my old laptop a long lasting machine. It's not going to be easy but everything I need is backed on my hard drives. So sad this is the situation we are in.