Can Hardware Wallets Be Hacked

Cold storage has rightfully been considered the safest cryptocurrency storage tool by users and cybersecurity experts, but while it is almost impractical to hack hardware wallets due to their offline nature, the careless handling of the device could result in the loss of funds like with any other type of cryptocurrency storage.

Hardware wallets, commonly known as offline wallets, cooperate with a wallet interface in a safe manner to provide users with features like send/receive assets. Technically speaking, hardware wallets are signing-only wallets that in order to be able to perform basic operations such as transferring funds, would need to connect to a wallet interface.

The wallet interface here refers to the application on an online device or a web application, to which your hardware wallet gets connected when performing basic operations. Your hardware wallet contains your parent private key which once connected to the online device for sigining transactions.

The wallet interface, or the application, or the interface you are using for filling in transaction details (such as the address of the receiver, or the amount to be transferred), sends information provided by you to the hardware wallet. Once the information is displayed on the screen of the hardware wallet, you are good to confirm the transaction, after a careful observation of transaction details.

The last sentence shows the exact reason why a hardware wallet is known as a signing wallet. After the transaction is signed on the hardware wallet, it will be uploaded to the wallet interface, so that it can be distributed across the network.

That was a brief explanation of the way hardware wallets operate, and how through the offline storage of parent private, and public keys, the chances of an online attack are reduced to almost zero. Although quite rare, there have been cases of a hardware wallet getting hacked, and the conditions under which the hack was attempted.

Hardware Wallet Hacking Methods

Although hardware wallet exploitations are pretty rare, since manipulations on these devices rely on having physical access to them, they are not at all impossible. When talking about hardware wallet manipulation, it is not just the device that could be tampered with; personal data and other pieces of useful information could also be traced back to you.

Most hardware wallets you receive come with firmware installed on them, what if this firmware is manipulated? Well, researchers have found that manipulated firmware could result in the loss of private keys. The danger is extremely high if passphrases have not been set, which is very common with beginner-level users.

Manipulated firmware could also result in manipulated transactions; transferring funds to unknown wallets without users knowing about them. In this case, transactions would be confirmed remotely, and the information displayed on the screen on the wallet changed in a way so that users would not know they are about to send funds to unknown wallets.

Firmware weaknesses could also result in PIN leakages if the connection between the device’s motherboard and color-touchscreen is set up through abnormally strong radio waves. Radio waves, when strong enough, can be interpreted into useful information, and in this case PIN entries.

Despite common belief about hardware wallets being resistant to phishing attacks, phishing the private keys stored on a hardware wallet, while more complicated than the ones stored on a software wallet, is not at all impossible; all needed for a phishing attack to lead to the private keys stored on a hardware wallet is an exploited link sent to you.

The manipulated link might have been sent via Twitter, telegram, or any other social messaging app. Once clicked on, the link will take you to a duplicate page of your hardware wallet’s official website. The manipulated website would be designed in a way to include all security details and the measures that need to be taken against phishing attacks to make users believe they are truly on the official website, and not on a clone.

If you follow the instructions regarding how to connect your hardware wallet to the wallet interface, a box will suddenly pop up notifying you about a hardware error, and to repeat the process, your recovery seed is required. If you buy it and enter your recovery seed, all will be lost, and all your private keys would be open to being accessed by a complete stranger. be aware that a hardware wallet company never asks you to enter your recovery seed on application or website.

The attacks through firmware bugs explained in the previous section cannot be made possible if the device is not tampered with. Most hardware wallet manufacturers take special measures against possible exploitations on the device through the supply chain with hologram seals being the most applied method for verifying the device’s authenticity.

But as you can imagine, it is not a difficult task to exploit a hologram seal or replace it with a similar one. This is why many manufacturers rely on much more advanced methods for confirming if the device is genuine. When purchasing a hardware wallet, it is especially important to pay attention to the processes, and methods applied by the developers to verify the firmware installed on the device is genuine, and not an exploited one designed by hackers to steal private keys.

What If You Lose Your Hardware Wallet

Of course, there is always a possibility that your hardware wallet could be lost, stolen, or stop working all of a sudden. In such cases, there is a high likelihood that your private keys, and therefore assets could be stolen, but there is still a way to protect your funds from stranger’s access, and that is to sweep your private keys into a new hardware wallet.

In case of a lost hardware wallet, you will want to enter your recovery seed into a new one to gain access to all the private keys associated with it. While importing your recovery seed into a new wallet will require access to your private keys, there is no guarantee that it is only you having access to them.

To get rid of all the older wallets with your recovery seed, and block strangers’ access to your private keys, you could sweep the recovery seed instead of importing it. Sweeping empties your old wallet of all the funds stored on it and transfers them to the new one through a transaction.

Although cyberattacks on hardware wallets are pretty rare, to guarantee the safety of your coins, and tokens, it is best to take precautionary measures against situations that could put the safety of your digital belongings under threat, those cases include weak firmware, manipulated devices, and phishing scams. To minimize the chances of falling victim to such scenarios, choosing a hardware wallet with an open-source firmware, which could be freely examined by IT specialists, and an authentication method more-reliable than hologram seals seems necessary.

Originally published at https://prokey.io.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Prokey

Blockchain and Cryptocurrency Security, Hardware Wallets, and Some Articles in Between!