
Topic: OVERVIEW: BITCOIN HARDWARE WALLETS █████████████████ Secure your Coins - page 8. (Read 122191 times)

full member
Activity: 133
Merit: 100
I have an older HW.1, which did not come with a Security Card.  This means I can never use the secure screen user validation option with it, right?

You can update its firmware on https://fup.hardwarewallet.com/ and print your own security card while you do that, then use the Ledger Chrome app with secure screen validation.

Wow, that's really cool! Thank you for this info.  I thought I was stuck with Electrum and the unplug-text verification-re-plug method.
legendary
Activity: 2912
Merit: 1852
I have never heard of a hardware wallet but NOW I REALLY want one. Smiley


Yes!  You really do want a hardware wallet.  Especially if you have over, say, 1 BTC.  They are not that hard to learn to use (I am not a pro in BTC nor in computer science); I was able to figure out how to use the two I own (Trezor and Ledger Nano).

It looks like there are going to be a number of products before long.  Already there are several, at different price points.  I am looking forward to more hardware wallets coming.

And I cannot remember anyone having a really big problem with any of them (someone correct me if I am wrong).
newbie
Activity: 18
Merit: 0
I have never heard of a hardware wallet but NOW I REALLY want one. Smiley
hero member
Activity: 623
Merit: 500
CTO, Ledger
Thank you very much for the information.

It is good to know that the hardware wallet is in charge of the secure screen validation. With the use of this function, it seems Ledger has the same level of transaction security as Trezor, but with a smaller form-factor (not counting the mobile phone, which you already carry around).

about the same, minus the secure initialization requirement and the still existing possibility of the dual-malware-synchronized attack.

I have an older HW.1, which did not come with a Security Card.  This means I can never use the secure screen user validation option with it, right?

You can update its firmware on https://fup.hardwarewallet.com/ and print your own security card while you do that, then use the Ledger Chrome app with secure screen validation.


Why does HW.1 cost much less than the Trezor or KeepKey?

Maybe it is backdoored or has malware pre-installed? How safe could the bitcoins be in this wallet?

The architecture is quite different - everything fits on a single chip (no PCB, no external components at all, not even passive components) which is itself way cheaper than a generic STM32 microcontroller, allowing it to scale almost as well as SIM cards for large volumes - I'll let you guess the target retail price for a few million chips Smiley
hero member
Activity: 532
Merit: 500
Trezor/Keepkey = 100% open source, but more vulnerable to physical attacks on its generic controller to extract plaintext mnemonic. (mitigated by use of passphrase)

Ledger Nano/HW.1 = partially closed-source smartcard element to store plaintext seed (no passphrase option), on which physical attacks are much more difficult than on a generic controller, but possibly backdoored?

that's about right - just consider that the STM32 could also be backdoored at a lower level. That's a common issue with hardware, you have no way to be sure unless you build it yourself, which is not possible to achieve.
-snip

Why does HW.1 cost much less than the Trezor or KeepKey?

Maybe it is backdoored or has malware pre-installed? How safe could the bitcoins be in this wallet?
full member
Activity: 133
Merit: 100
I assume it is not actual multi-sig, but rather an internal security function built into the chrome app? If the Ledger chrome app gets compromised, couldn't it then display the same malicious transaction details on your computer and on the phone app?

The algorithm is described here  - the chrome app just forwards the encrypted transaction details to the phone, which decrypts it.

So a malware would need to compromise both and keep synchronized to display the same information on the desktop computer and the phone.

Thank you very much for the information.

It is good to know that the hardware wallet is in charge of the secure screen validation. With the use of this function, it seems Ledger has the same level of transaction security as Trezor, but with a smaller form-factor (not counting the mobile phone, which you already carry around).

I have an older HW.1, which did not come with a Security Card.  This means I can never use the secure screen user validation option with it, right?
hero member
Activity: 623
Merit: 500
CTO, Ledger
Trezor/Keepkey = 100% open source, but more vulnerable to physical attacks on its generic controller to extract plaintext mnemonic. (mitigated by use of passphrase)

Ledger Nano/HW.1 = partially closed-source smartcard element to store plaintext seed (no passphrase option), on which physical attacks are much more difficult than on a generic controller, but possibly backdoored?

that's about right - just consider that the STM32 could also be backdoored at a lower level. That's a common issue with hardware, you have no way to be sure unless you build it yourself, which is not possible to achieve.

Also, btchip can you explain more details about how the mobile phone second-factor works?  Is the pairing with the Security Card performed only once, or for each transaction? 

The pairing is performed once when the firmware is initialized.

I assume it is not actual multi-sig, but rather an internal security function built into the chrome app? If the Ledger chrome app gets compromised, couldn't it then display the same malicious transaction details on your computer and on the phone app?

The algorithm is described here  - the chrome app just forwards the encrypted transaction details to the phone, which decrypts it.

So a malware would need to compromise both and keep synchronized to display the same information on the desktop computer and the phone.
full member
Activity: 133
Merit: 100
As far as I know, both the Trezor and the Ledger have the same disadvantage of storing the seed (Ledger) or mnemonics (Trezor) UNENCRYPTED on the device.

This means that if someone gets physical possession of the device, they might be able to use tricks such as partially dissolving the security chip in acid and extracting the plaintext seed/mnemonic.

However, this is where I think the Trezor is actually more secure than the Ledger.  The option to require a passphrase in combination with the mnemonics means that even if someone is able to physically get the mnemonics off the Trezor, they still need the passphrase to reconstitute the seed.

We (Ledger) actually use smartcards for two reasons: cost at scale, and because they're specifically designed to withstand physical attacks - if you store secrets on a generic purpose microcontroller and are worried about physical attacks, you shall use a good passphrase in my opinion. It's not an option. Physical attacks against generic purpose microcontrollers are not widespread yet, but the more people use them to store secrets the more common it will be, and we'll be looking at physical kits to dump their memory in a couple of seconds / minutes, similar to old console modchips.


btchip, AussieHash

Is it fair to categorize the two options like this?

Trezor/Keepkey = 100% open source, but more vulnerable to physical attacks on its generic controller to extract plaintext mnemonic. (mitigated by use of passphrase)

Ledger Nano/HW.1 = partially closed-source smartcard element to store plaintext seed (no passphrase option), on which physical attacks are much more difficult than on a generic controller, but possibly backdoored?

Also, btchip can you explain more details about how the mobile phone second-factor works?  Is the pairing with the Security Card performed only once, or for each transaction?  I assume it is not actual multi-sig, but rather an internal security function built into the chrome app?  If the Ledger chrome app gets compromised, couldn't it then display the same malicious transaction details on your computer and on the phone app?
hero member
Activity: 692
Merit: 500
KeepKey edges out Trezor only because the recovery process for KeepKey is more secure than the method used by Trezor. If you read the references you will note that Trezor is still "uncrackable for all but well funded governments."

The KeepKey developer notes "On KeepKey, you don't even need to store your private key on the device. The recovery process is secure enough, that you can use it only as a transactional device for your paper (recovery sentence) wallet. Then just wipe the device after each use."

Extracting secrets from Trezor + KeepKey is fairly trivial - there are companies you can find via Google in Russia and China which will enable JTAG or extract secrets from an ST microcontroller for under 5 BTC.

Both devices store the mnemonic seed in plaintext in the storage sector.
https://www.reddit.com/r/Bitcoin/comments/3v2fq4/just_got_a_trezor_in_the_mail_i_love_it_but/cxjsdf8

stick discussed the JTAG attack vector in the 2013 Q&A session
https://www.reddit.com/r/Bitcoin/comments/2cj620/trezor_is_an_isolated_environment_for_offline/cjg18bj
legendary
Activity: 1806
Merit: 1164
I have read the arguments about the Case wallet multisig architecture and am OK with the security. Once you use a Case you find out it is the easiest way to send bitcoin, very cool device. They even sold out the first production run of 1000.
hero member
Activity: 960
Merit: 502

I have a Ledger Unplugged card and it works OK with Mycelium on my Android phone. Realize if you get one you will have to use the security card to authorize transactions. No way around that. Case hardware wallet is out of stock but I think they will be selling more soon.

I have had a look at the Case, but I have a hard time seeing whether they have the 12-24 word recovery (BIP 32??) option, so I am not sure how you would recover your wallet if your Case is lost or something else happens. Also, you can't see your balance on the Case itself, so you would need to sync it with a third party to see that, or you would need to keep track of it yourself.

I think Case prefers not to show bitcoin balance on device itself for privacy. You can keep a running tally in your head or check your balance at the Case owners website. If you lose your Case you can recover your bitcoin using an online process for $75 per their FAQ.

Yeah, I saw that on their FAQ page. I just don't like the fact that I need to rely on them to restore my BTC if I lose my Case. But on the other hand, I don't see that happening. But that also means that they can get to my coins if they turn "dark".
legendary
Activity: 1806
Merit: 1164

I have a Ledger Unplugged card and it works OK with Mycelium on my Android phone. Realize if you get one you will have to use the security card to authorize transactions. No way around that. Case hardware wallet is out of stock but I think they will be selling more soon.

I have had a look at the Case, but I have a hard time seeing whether they have the 12-24 word recovery (BIP 32??) option, so I am not sure how you would recover your wallet if your Case is lost or something else happens. Also, you can't see your balance on the Case itself, so you would need to sync it with a third party to see that, or you would need to keep track of it yourself.

I think Case prefers not to show bitcoin balance on device itself for privacy. You can keep a running tally in your head or check your balance at the Case owners website. If you lose your Case you can recover your bitcoin using an online process for $75 per their FAQ.
hero member
Activity: 960
Merit: 502

I have a Ledger Unplugged card and it works OK with Mycelium on my Android phone. Realize if you get one you will have to use the security card to authorize transactions. No way around that. Case hardware wallet is out of stock but I think they will be selling more soon.

I have had a look at the Case, but I have a hard time seeing whether they have the 12-24 word recovery (BIP 32??) option, so I am not sure how you would recover your wallet if your Case is lost or something else happens. Also, you can't see your balance on the Case itself, so you would need to sync it with a third party to see that, or you would need to keep track of it yourself.
legendary
Activity: 1806
Merit: 1164
I am looking at the Mycelium card, and I was not sure about one thing.

Can I only use the card to send BTC and other funds from card to card? Or can I also send BTC from my card to other normal wallets? It seems like they are going to work like a closed money/banking network.

As I read it is a closed system. You use the Mycelium card to pay at a merchant who has one of the Mycelium Hubs set up or to another Mycelium card holder. The system is based on Colored Coins called IoUs. You have to convert fiat to IoUs to load your card. I can find no information on how to exchange fiat to their Colored Coin or back. The Mycelium Card is not really a hardware wallet and I do not think the system is even in beta yet.

Thanks for the fast help. Right now I am using the Ledger Nano as my cold storage, to store all the bitcoins I am saving and not planning on using in the near future (at least 3 years), and I am looking for a hardware wallet to use for "everyday uses". I just lost around 0.8 BTC on my tablet (Mycelium wallet) because my tablet went black a few moments before I got the chance to write down the 12 backup words. All the phone/tablet repair shops say they can't get my data back.

So I am looking for a hardware wallet that I can use for my everyday uses. I would prefer if it was a standalone wallet, like the Ledger Blue, but it seems like it will take a few months before that comes out.

So I am thinking about getting the Ledger Unplugged and just using that until the Ledger Blue comes out. Or do you guys know of any other HW wallets that are good for holding and spending?

(sorry if this does not fit in here)

I have a Ledger Unplugged card and it works OK with Mycelium on my Android phone. Realize if you get one you will have to use the security card to authorize transactions. No way around that. Case hardware wallet is out of stock but I think they will be selling more soon.
hero member
Activity: 960
Merit: 502
I am looking at the Mycelium card, and I was not sure about one thing.

Can I only use the card to send BTC and other funds from card to card? Or can I also send BTC from my card to other normal wallets? It seems like they are going to work like a closed money/banking network.

As I read it is a closed system. You use the Mycelium card to pay at a merchant who has one of the Mycelium Hubs set up or to another Mycelium card holder. The system is based on Colored Coins called IoUs. You have to convert fiat to IoUs to load your card. I can find no information on how to exchange fiat to their Colored Coin or back. The Mycelium Card is not really a hardware wallet and I do not think the system is even in beta yet.

Thanks for the fast help. Right now I am using the Ledger Nano as my cold storage, to store all the bitcoins I am saving and not planning on using in the near future (at least 3 years), and I am looking for a hardware wallet to use for "everyday uses". I just lost around 0.8 BTC on my tablet (Mycelium wallet) because my tablet went black a few moments before I got the chance to write down the 12 backup words. All the phone/tablet repair shops say they can't get my data back.

So I am looking for a hardware wallet that I can use for my everyday uses. I would prefer if it was a standalone wallet, like the Ledger Blue, but it seems like it will take a few months before that comes out.

So I am thinking about getting the Ledger Unplugged and just using that until the Ledger Blue comes out. Or do you guys know of any other HW wallets that are good for holding and spending?

(sorry if this does not fit in here)
legendary
Activity: 1806
Merit: 1164
I am looking at the Mycelium card, and I was not sure about one thing.

Can I only use the card to send BTC and other funds from card to card? Or can I also send BTC from my card to other normal wallets? It seems like they are going to work like a closed money/banking network.

As I read it is a closed system. You use the Mycelium card to pay at a merchant who has one of the Mycelium Hubs set up or to another Mycelium card holder. The system is based on Colored Coins called IoUs. You have to convert fiat to IoUs to load your card. I can find no information on how to exchange fiat to their Colored Coin or back. The Mycelium Card is not really a hardware wallet and I do not think the system is even in beta yet.
hero member
Activity: 960
Merit: 502
I am looking at the Mycelium card, and I was not sure about one thing.

Can I only use the card to send BTC and other funds from card to card? Or can I also send BTC from my card to other normal wallets? It seems like they are going to work like a closed money/banking network.
legendary
Activity: 1806
Merit: 1164
Security from most secure to least: KeepKey > Trezor > Ledger

KeepKey edges out Trezor only because the recovery process for KeepKey is more secure than the method used by Trezor. If you read the references you will note that Trezor is still "uncrackable for all but well funded governments."

The KeepKey developer notes "On KeepKey, you don't even need to store your private key on the device. The recovery process is secure enough, that you can use it only as a transactional device for your paper (recovery sentence) wallet. Then just wipe the device after each use."

If you read the references Ledger is criticized for lack of security during initialization (corrected by Ledger Starter) and transaction authorization. The security card and phone pairing app are also not considered safe from malware.

References:

https://www.reddit.com/r/btc/comments/3w81k1/securitywise_is_there_really_any_difference/
https://www.reddit.com/r/Bitcoin/comments/3e6ir3/eli5_how_devices_like_trezor_legder_keepkey_can/
sr. member
Activity: 406
Merit: 252

Nice and detailed review.

But the price of one KeepKey = price of 14 Ledger HW.1 wallets. In fact both of them are secure and have the same functionality of 2-factor authentication.

I think KeepKey's price is a bit of an overkill for just the addition of the display feature. What opinions do you have, OP?
legendary
Activity: 1148
Merit: 1010
In Satoshi I Trust