Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Hardware wallets
Pages:
Author

Topic: It is NOT secure to use hardware wallets (and it never was) - page 8. (Read 2133 times)

kbdwarrior
newbie
Activity: 14
Merit: 9
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 10:26:09 AM
#10
Quote from: AGD on March 22, 2018, 03:32:02 AM
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.

Also worth mentioning, he says a hardware wallet is still the safest practice unless you're top 1% of infosec experts.

Source: https://twitter.com/aantonop/status/976633545136443392
bitmover
legendary
Activity: 2324
Merit: 6006
bitcoindata.science
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 10:15:39 AM
#9
Quote from: DaveF on March 22, 2018, 10:03:31 AM
Quote from: bitmover on March 22, 2018, 06:50:18 AM
This is a problem, and was already fixed by a firmware update.

I think it's also worth mentioning that this vulnerability, although scary, occurs only if the the attacker has physical access before setup of the seed.
Not 100% true, from what he said it was vulnerable to the "Evil Maid attack"
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/


Quote from: bitmover on March 22, 2018, 06:50:18 AM
This is a problem, and was already fixed by a firmware update.
Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.

Quote from: bitmover on March 22, 2018, 06:50:18 AM
And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.
Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.

Quote from: bitmover on March 22, 2018, 06:50:18 AM
TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.

THAT I agree with. And pretty safe is good for most people. But it's still not REALLY REALLY REALLY safe.

Just because you are paranoid does not mean that there are not people out to get you.....

-Dave


Well, this evil maid attack is even less risky. How would a hacker access my hardwallet, inside my house?
If he can get inside your house , well, he can force you to give your btc to him even on an airgapped PC using Bitcoin core, he doesn't even need to be a hacker, he just needs a weapon.

When you buy a ledger nano they come securely closed, and if the seal was violated you should discard it, as ledger recommendation. You don't need to trust anyone who handles the package..


If the user is the problem (like using infected pendrives, using violated hardwallets), any method is unsafe

Any other wallet on desktop or smartphone is exposed to the risk of keyloggers, Trojans... Hardwallets are not. Unless you have an airgapped PC , they are the best option. Even Bitcoin core on a daily use computer is not as safe.

But this discussion is pretty worthless.. it's a selected Paranoia. Hardwallets are safe enough. Ledger nano is also open source.
AGD
legendary
Activity: 2070
Merit: 1164
Keeper of the Private Key
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 10:08:59 AM
#8
Quote from: Rath_ on March 22, 2018, 05:11:45 AM
So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so. In both Ledger and TREZOR there were discovered vulnerabilities which allowed potential attacker to extract the seed. I haven't heard of any issues with KeepKey. I was thinking of using an air-gapped computer for storing large amount of BTC and a hardware wallet in case I needed to travel and have some bitcoin with me just in case. Have you ever used any hardware wallet?

I think it is good to reduce the attack vectors to a minimum.
Bitcoin Core for example is a software that I trust. It is open source and some of the best developers (that I trust) are revisiting the code. So if you use an encrypted Bitcoin Core wallet with a very strong password for your cold storage, you should feel a lot safer, than with any hardware solution.

Of course, the fact that we have to use closed source computers to run Bitcoin Core, makes it impossible to be 100% safe esp. against state actors.
DaveF
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 10:03:31 AM
#7
Quote from: bitmover on March 22, 2018, 06:50:18 AM
This is a problem, and was already fixed by a firmware update.

I think it's also worth mentioning that this vulnerability, although scary, occurs only if the the attacker has physical access before setup of the seed.
Not 100% true, from what he said it was vulnerable to the "Evil Maid attack"
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/


Quote from: bitmover on March 22, 2018, 06:50:18 AM
This is a problem, and was already fixed by a firmware update.
Which took them close to 4 months to put out and still is not properly alerting & forcing users to update.

Quote from: bitmover on March 22, 2018, 06:50:18 AM
And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.
Assuming you can trust everyone who handled the package from when it left their shipping dock till when it wound up in your mailbox.

Quote from: bitmover on March 22, 2018, 06:50:18 AM
TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.

THAT I agree with. And pretty safe is good for most people. But it's still not REALLY REALLY REALLY safe.

Just because you are paranoid does not mean that there are not people out to get you.....

-Dave
bitmover
legendary
Activity: 2324
Merit: 6006
bitcoindata.science
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 06:50:18 AM
#6
Quote from: AGD on March 22, 2018, 03:32:02 AM
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.

This is a problem, and was already fixed by a firmware update.

I think it's also worth mentioning that this vulnerability, although scary, occurs only if the the attacker has physical access before setup of the seed.

It's nothing you need to really worry about if you buy directly from Ledger.
And if you care at least a minimum about security, you would never buy a Ledger Wallet from third party re-sellers.

TLDR: ledger hardwallet is still pretty safe, much safer than any hot wallet. Unless you have an airgapped PC, hardwallet is still a good choice.
klaaas
hero member
Activity: 1568
Merit: 544
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 06:26:06 AM
#5
These kind of hardware wallets will grow stronger with time.
A indestructible and safe wallet is a very hard thing to accomplish.
OmegaStarScream
staff
Activity: 3500
Merit: 6152
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 05:27:24 AM
#4
The only alternative I can think of would be paper wallets but, these are not suitable for spending on a regular basis. Hardware wallets are still a great choice IMO and since they are not vulnerable for remote attacks, they still have some credibility. Ledger nano statement on this when they released their latest firmware update:
Quote from: Rath_ on March 22, 2018, 05:11:45 AM
I haven't heard of any issues with KeepKey.

The reason why no one found security issues on KeepKey is probably due to the small userbase they have compared to Trezor and Ledger nano S.
Rath_
legendary
Activity: 1876
Merit: 3132
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 05:11:45 AM
#3
So what ways of keeping bitcoins safe do you recommend then? Many people consider hardware wallets as something that is not possible to breach because they were told so. In both Ledger and TREZOR there were discovered vulnerabilities which allowed potential attacker to extract the seed. I haven't heard of any issues with KeepKey. I was thinking of using an air-gapped computer for storing large amount of BTC and a hardware wallet in case I needed to travel and have some bitcoin with me just in case. Have you ever used any hardware wallet?
ricreis394
newbie
Activity: 37
Merit: 0
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 05:08:21 AM
#2
I'm amazed  Shocked
And I was about to buy one hardware wallet, but now, I will definitely not buy.
AGD
legendary
Activity: 2070
Merit: 1164
Keeper of the Private Key
Re: It is NOT secure to use hardware wallets (and it never was)
March 22, 2018, 03:32:02 AM
#1
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Hardware wallets
Jump to: