Cryptocurrency hardware wallets may not be as secure as you think

For any crypto holder, secure storage of funds is a major concern that requires research and planning. Hardware cryptocurrency wallets are generally considered to be the safest choice among cryptocurrency investors. However, this does not mean that these wallets are safe from fraud.

Hardware wallet maker Ledger has spoken out against security vulnerabilities found in Coinkite and Shapeshift wallets, and shows how their products can be attacked. If someone gets their fingers in the physical wallet, they may be able to find the PIN. Although these threats were quickly addressed by companies, there are still other ways for malicious actors to access user resources.

A data breach at Mailchimp recently revealed a mailing list of users belonging to another company. The email marketing service was later sued by one of the users. A lawsuit filed by Alan Levinson claims he lost $ 82,000 due to negligent stored data.

A similar phishing scam targeting Trezor users has been discovered by CoinLoan’s anti-fraud team. The hackers attached a link to a forged version of the Trezor website to an email received by a member of the CoinLoan team. The goal was to steal the seed phrase and gain access to users’ wallets. This security issue was quickly resolved and saved many Trezor wallet users from losing their money. However, this case underscores the importance of addressing all possible security threats regarding hardware cryptocurrency wallets.

What is a hardware wallet?

Let’s first find out what a hardware cryptocurrency wallet is. Unlike digital wallets, hardware wallets are physical devices, just like USB drives. Private keys are stored offline, making them inaccessible to online threats. Direct communication of data with the computer on the hardware eliminates the risk of vulnerable software. This way, the private keys can only be used and stored on the device and never stored on a computer or online, making them immune to viruses and online hacks.

The disadvantages of using hardware wallets include higher upfront costs than the average digital wallet software. Devices from major manufacturers like Trezor and Ledger cost between $ 50 and $ 1,200. In order for users to use their hardware safely, they also need to know how to configure it. Funds can be accessed by malicious parties if the wallet is mismanaged. To gain access to sensitive data such as PINs or private keys stored in a physical hardware wallet, hackers can use the following methods.

Possible vulnerabilities

Side channel attack

A side channel attack uses an oscilloscope, a type of electronic test device. It measures power consumption and then compares its behavior with random PINs. By analyzing the measurements for each PIN digit, a database is created, which can then be used together with a script to guess the digits one by one. This vulnerability was discovered in some Trezor hardware and has since been fixed.

Software attack

Attacks on a hardware security module (HSM) can lead to the retrieval of cryptocurrency keys and other data providing access to the wallet. The software in the wallet has been analyzed and reverse-engineered to understand how its security works. This vulnerability in popular HSMs was discovered by the Ledger team. One of the researchers explained: “The attacks presented allow for the remote recovery of all HSM secrets, including cryptocurrency keys and administrator credentials.”

Voltage slip

This potentially fatal error has been identified by Kraken Security Labs. They found that by applying a reduced voltage to a microcontroller, they could read the chip’s RAM. Once the firmware is installed, the chip moves the cryptocurrency seed into RAM to protect it, giving access to all memory content.

Best practices for safety

While most identified vulnerabilities are usually addressed by manufacturers, there may be several other ways to hack existing hardware wallets. The first step for users to protect themselves is to store their devices in a safe place away from third-party access. Another important rule is to never share sensitive information such as private keys, PINs and recovery seeds with anyone.

The recovery seed can be saved by avoiding writing it or saving it online, taking a picture of it, or taking other actions that could compromise it. It is best to just write it down and keep it in a safe place. Moreover, it is crucial to communicate only with the wallet using a trusted PC. Any online exposure to the PC may lead to vulnerability.

Although many of these hacking techniques require physical access to the device, a phishing attack is also possible. They could target users via email, cell phone, social media, fake websites and instant messaging apps. This was the email scam discovered and prevented by CoinLoan, and saved Trezor users from falling victim to it. In this case, the key to keeping the wallet safe was not only the user’s alertness, but also the quick response of CoinLoan fraud detection specialists. As CTO and co-founder Max Sapelov commented: “This incident highlights the inherent risks associated with (cold) wallets, including software, connections to third-party vendors and possible insider leaks. prevent fraudsters from a) accessing and b) moving or withdrawing the crypto in the event of a leak.Service providers and manufacturers should always be on the lookout for possible hacks to protect users who may not be aware of these vulnerabilities.

Leave a Comment