Hardware Wallets and Attack Surface

People who own cryptocurrencies have the option to store their coins either in hot wallets (online wallets which are always connected to the internet) or in cold wallets (hardware devices not connected to the internet). Hot wallets have a reputation for being subject to hacks and theft because of their perpetual connection to the internet, but the integration of multi-signature technology, in which multiple parties hold the private keys to the wallet, reduces that risk. This removes the single point of failure, but it’s still not 100% unbreachable, as seen in the case of BitGo, where hackers still managed to hack multi-sig wallets and steal funds.

With cold wallets or hardware wallets, one needs to connect the device to a computer with an internet connection to access their funds. The private keys are stored on the device, which only the user has access to.

Hardware wallets were first introduced in 2013.

A Bitcoin wallet doesn’t hold bitcoin.

The word “wallet” is misleading. It is one of the problems with naming in our industry. Bitcoin doesn’t stay in your wallet, it is always on the blockchain and cannot be anywhere else. Strictly speaking, there are no coins either, but just a ledger. The bottom line is, what we call a wallet is actually a keychain. It contains keys, which are numbers.

Your wallet contains the numbers that allow you to unlock and sign for bitcoin on the blockchain. This applies to all open public cryptocurrencies. Your wallet contains keys. If someone steals your keys, then they can do the unlocking and signing part too. Bitcoin that you thought was yours, based on the possession of keys, is no longer yours.

That can happen fairly easily because stealing a number out of a digital device is not that hard.

The more complex the digital device is, the more opportunities there are to get inside and steal it. The more applications it runs, the more interfaces it has, the more network traffic it has. There is a very big security difference between a device that is connected to the internet, where you browse any old site that you happen to fancy, type things that go all over the internet, sample things and download little apps, and a hardware wallet. That first device will not be very secure.

Compared to a personal computer, a hardware wallet is a small, stripped-down device, leaving only a screen, some buttons, and only the software that controls keys and signs transactions. That makes it as secure as possible, by taking a minimalist approach to security.

There are metal versions but it is usually a USB device and you connect it to your computer. Your computer can prepare transactions, interact with web or desktop interfaces, go to merchant stores, scan QR codes, etc.

But the only device that signs transactions is the hardware wallet, where the keys are. Your computer will pass transaction information to the hardware wallet, where you can see on the screen that it will pay a certain amount to an address.

Even if you plug this into the most virus-infected machine, you can still do a secure transaction. As long as you check that the information on the screen of this device, received through a limited connection, is the correct transaction, you can sign it and transmit it out onto the network.

They are designed so the keys never leave the device; nothing leaves other than a signed transaction, which isn’t secret anyway, as it will be recorded on the public blockchain soon. That is what a hardware wallet does. They cost between $35 and $150 on average. If you have any significant amounts of cryptocurrency, you should own one of these devices to store it.

Today, most hardware wallets can hold multiple cryptocurrencies, easily the top ten by market cap. They can control keys for bitcoin, ether (including tokens), litecoin, and a bunch of other coins. They are very flexible, convenient, easy-to-use, and most importantly they are easy to use securely.

You don’t have to be an expert to maintain the security of your keys with these devices.

They are a great balance between ease-of-use and security for new and beginner users.

You may be wondering, “So if the keys are on the device, what happens if I lose the device or drop it in the toilet?”

When you first initialize the keys on this device, it will display twenty-four English words, a mnemonic phrase. Those twenty-four words can recreate every key that device will ever produce; if you write those down and store them safely, they are a complete backup of every address and key. Then you worry about how to protect those words.

You can add a passphrase but either way, you are still much better off than if you stored your keys on your personal computer or smartphone, as it is a lot harder to hack. Physical security is something our species has millions of years of experience with.

‘Hide the nut under the rock, don’t let the other caveman see it is under the rock.’

Information security with computers is something we have about 30 years of experience with. We’re still bad at it, so one advantage of hardware wallets is that they allow you to convert something purely digital into a paper list of words. The device itself has a PIN and it can’t be easily compromised even if someone has physical access.

By turning the keys into written words, you can apply physical security practices; all your ancestral knowledge with castles, locks, bolts, hardware keys, dogs, and alarms comes in.

You can start applying all of that to the domain of Bitcoin.

People are generally much more comfortable understanding what it takes to secure a piece of paper, than what it takes to secure their own personal computer. That is the idea with hardware wallets: make the virtual, physical.

Can the USB cable that connects your hardware wallet to your desktop be compromised? Can it leak sensitive information?

The same question applies to the Chrome applet or the user interface of the wallet.

Could that compromise sensitive information?

If you use a hardware wallet correctly, no. The hardware wallet is designed so that no sensitive information travels out of the device. A hardware wallet will receive all of the information it needs to make a transaction, it will sign that transaction and then transmit it back to the computer you are using.

That signed transaction, which is not sensitive, will be broadcast to the network. Even if that computer was compromised, there is no sensitive information for it to capture in the communication with the hardware wallet.

There are two ways some hardware wallets protect against capture of the PIN:

1) A combination of button clicks on the hardware wallet device to enter the PIN. Second-generation hardware wallets have touchscreens to enter the PIN directly on the device, not on your desktop or whatever machine you use to interface with a hardware wallet.

2) First-generation hardware wallets use a PIN scrambling technique, where you see a mixed grid of dots on your desktop and numbers on the hardware wallet to identify your PIN. Your desktop doesn’t actually know what PIN number you enter, just the location on this scrambled grid.

If properly used, a compromised desktop can be used with a hardware wallet in a way that doesn’t compromise the hardware wallet.
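A simulation of the PIN-scrambling scheme described in point 2, as an added example that is not from the original text: the device reorders the keypad for every unlock, the host only ever sees click positions, and a helper counts how many PINs remain consistent with what a compromised host observed. The layout generator, comparison and counting functions are assumptions for illustration, not any vendor's firmware.

```python
import hmac
import secrets

DIGITS = "123456789"

def new_pin_matrix(rng=None):
    # Device side: lay the nine digits out in a fresh random order for this unlock.
    # Host keypad position k (1..9) corresponds to the digit at layout[k-1].
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return "".join(layout)

def positions_for_pin(layout, pin):
    # User side: read the scrambled digits on the device screen and click, on the
    # host's blank keypad, the position where each PIN digit currently sits.
    return [layout.index(d) + 1 for d in pin]

def device_check(layout, clicked_positions, true_pin):
    # Device side: only the device knows the layout, so only it can map clicks to digits.
    entered = "".join(layout[p - 1] for p in clicked_positions)
    # constant-time comparison so the host cannot learn partial matches from timing
    return hmac.compare_digest(entered.encode(), true_pin.encode())

def host_candidate_pins(clicked_positions):
    # A keylogging host learns only the click positions, i.e. which entries repeat.
    # Count the PINs still consistent with one such observation (no layout known).
    distinct = len(set(clicked_positions))
    count = 1
    for i in range(distinct):
        count *= 9 - i
    return count

if __name__ == "__main__":
    pin = "1234"
    logged_by_host = set()
    for _ in range(5):
        layout = new_pin_matrix()                 # new scramble every unlock
        clicks = positions_for_pin(layout, pin)
        assert device_check(layout, clicks, pin)
        logged_by_host.add(tuple(clicks))
    print("click patterns the host logged:", sorted(logged_by_host))
    print("PINs consistent with one pattern:", host_candidate_pins([2, 6, 4, 8]))
```

Because the layout changes every time, intersecting click logs across sessions does not narrow the PIN down; the scheme only fails if the attacker can also see the device screen.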

The other way you have some risk in the desktop environment is if you are using a passphrase. I would still recommend that you do use a BIP-39 passphrase with your hardware wallet, because it offers that extra layer of protection that improves the security of your backup seed, as well as your device itself in the event of theft. But when the passphrase is typed on a desktop, you have a problem. It could be compromised by a key logger.

One of the great developments in second-generation devices has been the introduction of the ability to select the passphrase letter by letter on the hardware wallet itself, so it is never typed on your desktop. You can do that with the Ledger Nano S, the Trezor Model T, and the Ledger Blue.

The Model T is a new hardware version of the Trezor. Those allow you to interface directly with the hardware wallet for PIN and passphrase entry. So you should never type that into the desktop.

The final point about using hardware wallets with a potentially compromised desktop: One of the easiest ways to compromise end users of cryptocurrency is a clipboard or screen attack, whereby the address you choose to pay is compromised before it is sent to your hardware wallet.

For example, let’s say I want to receive some money on my Trezor. I would copy the Trezor address and paste it into an exchange, or send it to someone else who will pay me. If the desktop is compromised, the malware will replace the address in the clipboard, where I intended to receive money, with the attacker’s address. Then I paste it into the exchange; if I don’t check it carefully, they will pay the attacker instead of me.

The opposite can be done when you are in a check-out for an e-commerce website, or you are trying to deposit in an exchange. You receive a bitcoin address and you see it on your screen, but is it the real address the exchange sent?

Sometimes it is very difficult to verify that information. If you copy-paste it into the desktop application or plugin used to run an interface for your hardware wallet, how do you know that is the address you will be sending funds to?

There are a couple of tricks or techniques you can use to protect yourself against these types of attacks. Most hardware wallets have a feature that allows you to display the receive-address on their screen. If you want to receive money into your hardware wallet, before you copy that address to an external source, you press a button – usually a little eyeball icon or something like that – on your desktop interface.

That tells the hardware wallet to display the receive-address on its own screen. If you can see it on the screen of your hardware wallet, that is a secure channel for the most part, it is much more secure than your desktop.

On the other hand, let’s say you are trying to pay a merchant or an exchange like Coinbase. Under certain circumstances, you can verify the receive-address you will send money to. The Coinbase interface says something like, ‘Here is the deposit address for bitcoin.’

Can you trust your browser? Can you trust your screen? Can you trust your clipboard with a copy of the address Coinbase gave you?

One way to double-check is to take your smartphone, log in to your wallet or exchange account there and look at what receive address appears on your smartphone. Maybe your desktop is compromised; maybe there is a man-in-the-middle between you and the exchange; maybe there is an SSL or TLS vulnerability and they are breaking into your session.

Can the attacker also do that on your smartphone, over a cellular network, with a completely different browser?

Unlikely. If you use two different channels to look at the address and they both show the same information, then you have a higher level of confidence when you use your hardware wallet to sign a transaction. Just before you hit that ‘send’ button, carefully read the address and think, ‘Is that the one I saw on my screen?’

‘Is that the one I actually pasted?’

‘Is that the one that I want to send the money to?’

It sounds paranoid and painstaking. It will not be easy for new users. But the rule of thumb when you’re operating with these things is, the hardware wallet screen is one where you can trust what you’re seeing, for the most part.

It is the desktop or smartphone screen you can’t trust as much. Check, then double-check, then triple-check, etc. Maybe it takes a few more seconds, but if you follow these steps you will feel increasingly confident that you know where you are sending money.

Bitcoin Core does not support hardware wallets. To set up Electrum as a full node requires maintaining an Electrum server or the Electrum personal server, which is very new and only maintained by one developer. What options are there to have transactions signed on a hardware wallet and validated through your own full node, that is relatively safe and easy?

The Bitcoin Core client does not currently support the use of hardware wallets. However, just because you are using a full node to validate your own transactions, does not mean that full node must sign them.

Here is a set-up that is much easier to do:

Bitcoin Core does support BIP-39 and BIP-32 hierarchical deterministic (HD) wallets. You can initialize Bitcoin Core to have what is called a “watch only” mode, where Bitcoin Core has the public keys and addresses of your entire HD wallet, but doesn’t have any private keys.

It cannot sign transactions. That allows you to use a full node to monitor the value of your transactions, the balance of your various accounts, and to independently verify payments made to you.

If you want to sign a transaction, you open another platform, such as a simple Electrum wallet or any of the other wallets that support hardware wallets as the backend. You can sign your transaction there, then go back to Bitcoin Core to verify that it has been propagated. And you can see your balance update.
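The watch-only set-up described above, as an added example that is not from the original text: it builds the Bitcoin Core RPC calls that create a wallet with private keys disabled and import the hardware wallet's public-key descriptors, so the node can verify balances and payments but can never sign. The RPC URL, credentials, wallet name, fingerprint and xpub are placeholders to replace with your own node's values and with what the hardware wallet shows you.

```python
import base64
import json
import urllib.request

# Placeholders (not from the original text): bitcoind RPC credentials, and the master fingerprint / account xpub (m/84h/0h/0h) shown by the hardware wallet
RPC_URL = "http://127.0.0.1:8332/"
RPC_AUTH = base64.b64encode(b"rpcuser:rpcpassword").decode()
WALLET_NAME = "hw-watchonly"
HW_FINGERPRINT = "deadbeef"
HW_XPUB = "xpubPLACEHOLDER"

def rpc_request(method, params):
    # JSON-RPC 1.0 body; Bitcoin Core accepts named parameters as an object
    return {"jsonrpc": "1.0", "id": "watchonly", "method": method, "params": params}

def createwallet_request(name=WALLET_NAME):
    # disable_private_keys=True: this wallet can never hold or generate private keys, so the
    # node can watch balances and verify payments but cannot sign; blank=True: no keys until import
    return rpc_request("createwallet", {"wallet_name": name, "disable_private_keys": True,
                                        "blank": True, "descriptors": True})

def watchonly_descriptor(xpub=HW_XPUB, fingerprint=HW_FINGERPRINT, internal=False):
    # native-segwit descriptor for the receive (0) or change (1) branch of the account
    branch = 1 if internal else 0
    return f"wpkh([{fingerprint}/84h/0h/0h]{xpub}/{branch}/*)"

def importdescriptors_request(checksummed):
    # checksummed: list of (descriptor_with_checksum, internal); checksums come from getdescriptorinfo
    return rpc_request("importdescriptors", {"requests": [
        {"desc": desc, "active": True, "internal": internal, "range": [0, 999], "timestamp": "now"}
        for desc, internal in checksummed]})

def call(body, wallet=None):
    # one request to bitcoind (network call; the offline checks on the builders never reach it)
    url = RPC_URL + (f"wallet/{wallet}" if wallet else "")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers={
        "Authorization": "Basic " + RPC_AUTH, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    return reply["result"]

if __name__ == "__main__":
    call(createwallet_request())
    checksummed = []
    for internal in (False, True):
        info = call(rpc_request("getdescriptorinfo", {"descriptor": watchonly_descriptor(internal=internal)}))
        checksummed.append((info["descriptor"], internal))   # descriptor now carries its checksum
    print(call(importdescriptors_request(checksummed), wallet=WALLET_NAME))
```

Signing still happens in the other wallet that talks to the hardware device; this node only watches the imported addresses and confirms propagation.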

This article is a transcription of Andreas Antonopoulos’ explanation on Hardware Wallets and Attack Surfaces.
