We continue our look at the various kinds of cryptocurrency wallets. Last time I did a bit of digging into software wallets, and today I’ll tell you a little about hardware ones. First, a small reminder.
In cryptocurrencies, the word “wallet” means two things at once:
- set of keys for access to money;
- programs that manage these keys and allow you to conduct transactions on the crypto currency network.
To avoid confusion, when we talk about the key set I will use the term “private key”, although we all understand that a key pair also contains a public key, and that there can be several such pairs.
We will talk about the wallet specifically as a means of management, storage and conducting transactions. Without a wallet, you cannot receive, save or spend your bitcoins or funds in another cryptocurrency. The wallet is your personal interface to a cryptocurrency network, similar to a bank account for a currency.
So, hardware wallets. Let’s start with the definition. Hardware wallets are physical devices designed to safely store cryptocurrency. Some software and online wallets support the storage of funds on hardware wallets.
Before we start comparing specific models of hardware wallets, let’s see what most of these wallets are able to do, and we will dwell in detail on the features of each of them.
Spherical hardware wallet
So, any hardware wallet (of those considered here):
- Generates and stores a non-extractable private wallet key inside the device.
- All operations needed to carry out a transaction are performed inside the device. Only the result leaves the device: the electronic signature of the transaction.
- Has a screen for displaying various information.
- Has one or more physical buttons to interact with the device.
- When transferring funds from the wallet, it displays information about the transaction on the screen.
- Requires manual confirmation of operations using the physical button on the device.
- Allows you to create a backup copy of the keys in case the device breaks or is lost.
- Requires installation of additional software from the manufacturer of the hardware wallet.
- It is supported on all modern versions of Windows, Linux, MacOS.
- Supported on Android.
- It does not allow you to install any additional software inside the wallet itself.
- Requires a special PIN code (or even several PIN codes) to operate.
- It’s worth the money, unlike most other wallets.
- Not all possible cryptocurrencies are supported, but only the most popular ones.
Now a little more detail on the threats that hardware wallets protect you from, unlike other types of wallets.
Since in the case of online wallets your private keys are stored on remote servers, you inevitably expose yourself to the risk of losing funds in the following situations:
- The computer was hacked, which led to the theft of the online wallet password.
- The server on which the online wallet was deployed was hacked, and the funds of all users of the wallet were stolen.
- The company that created the web wallet went bankrupt.
- The FBI confiscated the servers and, in the end, the users’ funds.
- The owners of the company that developed the online wallet stole the users’ funds and fled.
- A software error in the online wallet code resulted in a loss of funds.
- An attacker stole a mobile phone that had an open session with the online wallet, which led to a loss of funds.
Unlike software wallets on the computer
Hacking or infecting a computer with a virus will result in the theft of the private key of your wallet.
The computer has 1000 times the attack surface, in comparison with the hardware wallet.
Unlike mobile wallets on your smartphone
Such wallets for smartphones can be divided into 2 groups:
- Interfaces to online wallets. In this case, they are subject to the same risks to which online wallets are exposed (see above).
- Complete mobile applications. In this case, the situation is very similar to the software wallets on the computer. The ubiquitous spread of smartphones and tablets has led to a rapid development of viruses for these devices. So your money is no longer safe.
Obviously, flash drives have never been created as a means of security, but not everyone understands this.
- Any software can read or copy private keys from the USB flash drive.
- Malware can replace the recipient’s addresses in the transaction.
- Theft or loss of such a flash drive can lead to a complete loss of funds.
By the way, you can protect yourself against theft or loss by using a special flash drive that requires a PIN code to access the data.
Unlike the encrypted wallet
Even if you use a complicated password to encrypt a wallet, you cannot protect the private keys from compromise. Malware will simply try to obtain your password and then use it to access the wallet. Or it will just wait until you enter the password yourself and unlock the private keys. Not to mention the possibility of simply copying the wallet file and then brute-forcing the passphrase with dictionaries.
Unlike storing keys on paper
In fact, properly storing a private key on a piece of paper is quite safe. It is just very inconvenient. On top of that, to work with such a wallet you still have to enter your private key into one of the wallets described above. And after that, you will not be able to sleep peacefully.
Risks and Potential Vulnerabilities of Hardware Wallets
At the moment, there has not been a single confirmed case of theft of cryptocurrency from a hardware wallet. Although they appeared not so long ago, they have already proven themselves.
However, it is worth understanding that hardware wallets are not a silver bullet for protecting your cryptocurrency funds. There are several security risks to which all or some of the wallets are susceptible. These risks must be taken into account when you decide which hardware wallet to purchase and how much cryptocurrency you can store on it.
- Address substitution in the transaction. A hardware wallet will not protect you from sending your cryptocurrency to a fake address. For example, malware on your computer can watch for transactions involving a large amount of cryptocurrency and then replace the recipient’s address with the address of a wallet that the attacker owns. If the stakes are high, you need to use multifactor confirmation of the recipient’s address, for example by phone.
- Bad RNG. Hardware wallets rely on the quality of the RNG that sits inside the device and is used to securely generate your private key. Unfortunately, checking a key for randomness is not a simple task. A vulnerable RNG can produce wallet keys that an attacker can recreate, because it outputs a pseudo-random number that merely looks random.
- Implementation errors. The security of all computer systems, both software and hardware, depends on the quality of their implementation. Hardware wallets are no exception. Errors in software, firmware, or hardware may allow an attacker to gain access to the internal structures of the hardware wallet, and then to your secrets. Even if the device was originally designed correctly, it is very difficult to prove the security of the implementation in a particular device.
- A compromised production process. Even an ideal software and hardware implementation is vulnerable to intentional or unintentional tampering in the production process. Various backdoors can be embedded in the device either by accident or under pressure from various intelligence services.
- A compromised delivery process. It is even easier to interfere with the delivery process and remove or modify part of the device’s protection in a way that the user will not notice. It is known that various state programs include, among other things, the interception and modification of hardware in order to implant backdoors.
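To illustrate the “Bad RNG” item above, here is an added example (not from the original article) of why inspecting a key’s output does not prove it was generated well. The flawed device, its 16-bit seed space and all function names are hypothetical, constructed for the demonstration.

```python
import random
import secrets
from typing import Optional

SEED_BITS = 16  # constructed flaw: the RNG has only 2**16 possible starting states


def weak_device_key(seed: int) -> bytes:
    """Hypothetical flawed device: 32-byte key from a PRNG with a tiny seed."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def looks_random(key: bytes, tolerance: float = 0.15) -> bool:
    """Naive output checks: balanced 0/1 bits and few repeated byte values."""
    ones = sum(bin(b).count("1") for b in key)
    balanced = abs(ones / (len(key) * 8) - 0.5) <= tolerance
    varied = len(set(key)) >= len(key) // 2
    return balanced and varied


def find_seed(key: bytes) -> Optional[int]:
    """Audit: walk the whole seed space; a hit means the key is reproducible."""
    for seed in range(2 ** SEED_BITS):
        if weak_device_key(seed) == key:
            return seed
    return None


if __name__ == "__main__":
    weak = weak_device_key(4242)    # constructed sample seed
    good = secrets.token_bytes(32)  # OS CSPRNG, for comparison
    for name, key in (("weak", weak), ("good", good)):
        print(name, key.hex()[:16], "looks_random:", looks_random(key),
              "seed found:", find_seed(key))
```

The weak key passes the output checks, yet it is fully determined by one of 65,536 seeds; only knowledge of how the generator is built reveals that.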
Although hardware wallets do not protect you from all possible threats, choosing a hardware wallet from a trusted, technically competent manufacturer with a good reputation will protect you from many more threats than using software wallets.
The ideal solution for long-term storage may be one based on open source software that runs on a public hardware platform (for example, Raspberry Pi) and uses a trusted source of entropy (such as an ordinary die).
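For the physical entropy source mentioned above (a six-sided die), this added example, which is not from the original article, shows one way to turn recorded rolls into a private key. It assumes a secp256k1 key (the curve used by Bitcoin and Ethereum) and SHA-256 as the conditioning step; the function name and the sanity thresholds are illustrative choices.

```python
import hashlib
import math
from collections import Counter

# Order of the secp256k1 group; a valid private key lies in 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# One fair d6 roll carries log2(6) ~ 2.585 bits, so 256 bits need 100 rolls.
MIN_ROLLS = math.ceil(256 / math.log2(6))


def rolls_to_private_key(rolls: str) -> int:
    """Turn a string of d6 rolls ('1'..'6', whitespace ignored) into a key."""
    rolls = "".join(rolls.split())
    if any(c not in "123456" for c in rolls):
        raise ValueError("rolls must contain only the digits 1-6")
    if len(rolls) < MIN_ROLLS:
        raise ValueError(f"need at least {MIN_ROLLS} rolls, got {len(rolls)}")
    # Crude check for a stuck die or a typing slip: every face must appear
    # and no face may make up more than half of the rolls.
    counts = Counter(rolls)
    if len(counts) < 6 or max(counts.values()) > len(rolls) // 2:
        raise ValueError("roll distribution looks non-random")
    # Hashing spreads the entropy of the rolls evenly over 256 bits.
    key = int.from_bytes(hashlib.sha256(rolls.encode("ascii")).digest(), "big")
    if not 1 <= key < SECP256K1_N:
        raise ValueError("hash fell outside the valid key range; roll again")
    return key


if __name__ == "__main__":
    # Constructed sample input: a real key needs real rolls, never a pattern.
    sample = "123456" * 17
    print(f"{len(sample)} rolls -> key of "
          f"{rolls_to_private_key(sample).bit_length()} bits")
```

The distribution check only catches gross errors; the security of the key still rests on the rolls being made with a fair die and recorded on a machine that is never connected to a network.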
However, manufacturers of hardware wallets are aware of these risks and potential vulnerabilities and are trying to offer various solutions. I decided to make a short review of the most popular and interesting hardware wallets, so that you yourself can draw conclusions about their security.
The device was introduced in 2014.
- Currently supports work with Bitcoin, Ethereum (+ all ERC-20 tokens), Ethereum Classic, ZCash, Litecoin, Namecoin, Dogecoin, Dash and Bitcoin Testnet.
- During manufacturing, after the device is packaged, the box it is placed in is sealed with a holographic safety tape. Its presence confirms that the device is original. It also partially protects you from the device being opened and substituted or modified during delivery.
- Also offers a Password Manager for the browser (no master passwords: each password is encrypted with its own key; to enter a password it is enough to press the button on the device; if the device is lost, your passwords are not lost; it works through the browser extension mechanism).
- Supports U2F (Universal Second Factor).
- SSH / GPG agent.
- It is supported by a large list of software wallets and online services (for a full list see here – https://doc.satoshilabs.com/trezor-apps/index.html).
- Each time you connect your device to a computer or mobile device, you need to enter a PIN. After that, the device goes into the unlocked state and allows you to conduct operations. After the device is turned off, the device returns to the locked state again.
The mechanism for entering the PIN code is quite original. Rather than describe it, I will just give you a video.
What’s nice is that the manufacturer gives you very reasonable recommendations for the safe storage of this passphrase.
Price – $ 99
The main drawback is that it supports fewer cryptocurrencies than the Ledger.
Ledger Nano S
- Supports Ark, Bitcoin, Bitcoin Cash, Dash, Dogecoin, Ethereum, Ethereum Classic, Komodo, Litecoin, PoSW, Ripple, Stratis, Zcash, and all ERC20 tokens.
- Supports U2F, GPG and SSH.
- It uses 2 microcontrollers inside itself: ST31H320 (protected) + STM32F042.
I will also attach a video showing the input of the PIN code. In my opinion, not the most convenient way. It is especially difficult to enter words in this way to restore a backup copy of the wallet.
Price – 58.00 €
The main drawback is the quality of the device itself. The left button sometimes perceives a single tap as double.
- Supports Bitcoin, Litecoin, Dogecoin, Namecoin, Testnet, Ethereum, and Dash.
- The main feature is a 3.12" OLED display with a resolution of 256 × 64.
- Internally, STM32F205RGT6 is used.
- This is the only hardware wallet of those considered that allows you to use your own firmware. For security reasons, when third-party firmware is used, the device displays a warning when it is turned on.
- Complies with FIPS PUB 140-2 and FIPS PUB 180-2.
- Just like Trezor, it comes in special packaging that cannot be opened unnoticed.
The mechanism for entering the PIN code is the same as in Trezor, so there will not be a separate video.
Price is $ 129.00. More than competitors, but the screen is really good.
If the previous wallets were more like classic tokens or devices of the TrustScreen class, then this one mimics smart cards.
- It supports Bitcoin and, more recently, Ethereum.
- It contains a battery inside, which is charged by Micro USB.
- Interacts via Bluetooth LE.
- Only 4 mm in thickness.
- E-ink display – 2".
- It supports several PIN codes: for connecting a device, for working with wallets, for conducting a transaction.
- The random number generator was certified by NIST.
- Also has a special PIN that, when entered, completely wipes the device.
- There are services for working through TOR (BITLOX2twvzwbzpk.onion) or I2P (BITLOX.i2p).
A distinctive feature of this hardware wallet is a website that is unpleasant to look at, as well as explicit positioning aimed not so much at protecting funds as at privacy and use on the darknet.
Another interesting device. Although it does not have a screen for displaying transaction information, I decided to include it in my mini-review. It’s a very unusual idea.
- Supports Bitcoin (BTC) and Ethereum (ETH, ETC, and ERC20 tokens). The developers claim that they are working to expand this list.
- Supports U2F.
- You can at any time extract or make a backup copy of the microSD card.
- Supports work with Tor and Tails OS.
- Private keys are stored on a secure chip that is protected from physical data extraction.
- The simple design does not attract extra attention.
- Verification of payments and two-factor authentication on the mobile application.
- Does not require displaying or typing words on the screen to restore access to the wallet. You simply insert the microSD with a backup.
- All communication over the USB protocol is encrypted using AES-256-CBC.
- One button for working with the device.
It is impossible not to mention the history of hacking hardware wallets. At the DEF CON conference, Josh Datko and Chris Quartier gave a presentation in which they shared their tools and methods that allow you to crack some hardware wallets for cryptocurrency.
The application of these techniques to the STM32F205 microcontroller was demonstrated, which was used in devices from Trezor and Keepkey.
The presentation was based on a study carried out by Jochen Hoenicke in 2015, in which a Trezor private key was compromised using a $70 oscilloscope. The vulnerability was closed by the manufacturer. This, however, does not rule out the appearance of new similar attacks, both on these devices and on devices from other manufacturers.
Let’s sum up.
Hardware wallets will not protect your funds from all possible threats, but used correctly they will in most cases protect your funds in cryptocurrency, provided, of course, that you have any 🙂 At least they are many times safer than software wallets. There are already many models on the market, so there is plenty to choose from, including on price.