Hardware Wallets: Independent Tester Saleem Rashid Reveals Nano, Trezor Vulnerabilities

Whenever a new coin or token appears, one of the first questions is whether the asset would be supported by the two leading hardware wallets - Trezor and Ledger. Bitcoin's appreciation to nearly $20,000 has made investors expect other assets to achieve a similar feat, while seeking a way to protect the potential fortune from loss.

A hardware wallet has significant security features compared to other storage options. However, the devices also have vulnerabilities, allowing several types of attacks.

The attacks on and vulnerabilities of a Ledger hardware wallet were recently detailed by Saleem Rashid, a teenaged tech wiz considered a "rock star" in the crypto community. He is known for the Trezor SRAM exploit, and for participating in the story of unlocking about 7 BTC from a hardware wallet. Later, the knowledge of how to remove the seed from a Trezor served to increase the wallet's security.

At the moment, Saleem Rashid is becoming one of the influential voices in the crypto space, and his tweets are a source of information on hardware wallet safety.

"As @matthew_d_green says, don't take this as a 'freak out and switch to other brands'. Don't put all your eggs in one basket. Don't take unnecessary risks (such as buying from eBay). Don't assume it is physically secure. That is a 'nice to have' extra layer, just in case." – Saleem Rashid (@spudowiar) March 20, 2018


Trezor Security Update

Hardware wallet makers update their firmware whenever a bug is found. The most recent update is from Trezor, which released a new security firmware version:

"PSA: TREZOR One Security Firmware Update 1.6.1 released. Please go to https://t.co/PC3jOdxwXm to update your TREZOR One. For more information, refer to the blog post linked below: https://t.co/aCYKaq8LXi" – TREZOR (@TREZOR) March 21, 2018


Meanwhile, Ledger, the producer of the Nano series hardware wallets, has taken the approach of a bounty program.

"Ledger's security bounty program has been launched! Prove your worth in security & cryptography-related security challenges to win 13 Nano S Bounty Edition, and win 1.337 BTC in the hardware security related second stage https://t.co/JKiG8JVkBK" – Ledger (@LedgerHQ) March 20, 2018


Saleem Rashid and the Ledger Nano Update

"Full technical write-up, video demonstration and proof-of-concept code for @LedgerHQ hardware wallet vulnerability. https://t.co/kC4409sqxK" – Saleem Rashid (@spudowiar) March 20, 2018


Before the launch of the new firmware, an attacker could exploit the Nano wallet either by intercepting it during delivery, before the user sets it up, or later, by tampering with it or otherwise getting the user to install fake firmware. The new firmware release ensures that a successful installation protects the device.

Because hardware wallets are relatively simple electronic devices, they can be made to divulge the private seed, and sometimes even have physical vulnerabilities that allow it.

This also means that the hardware wallet should be kept protected by downloading only official firmware and avoiding phishing links. Rashid's work reveals those dangers, and while the exploits may serve to recover lost seeds, there is always the chance that a hardware wallet may become compromised.

Hardware Wallet Awareness

As hardware wallet makers ship even more devices, users may want to exercise extreme caution. Buying from dubious sources may lead to losses if an attacker has had a chance to make the device divulge its private seed.

"This is fantastic. eBay sells Used, Lightly Used, Pre-Owned, and even, according to the description, “Used Brand New” wallets #heisensale pic.twitter.com/Y7lZ8eADQu" – Kenn White (@kennwhite) March 20, 2018


"What is important from a user perspective is to be able to prove the genuineness of your device and the authenticity of the firmware you load. Those two security claims remain intact."

