Wallets and their attack vectors (2024)

The nice thing about a hardware wallet is that, unlike a paper wallet, you can use it even though the private key is protected. It's a bit like a mixture of a software wallet and a paper wallet.

In a hardware wallet, the private key is stored in a special chip. This chip isolates the private key from the rest of the system, so it can't be used directly. Once stored, it can only be used via an interface. This interface has no option to show the private key, but you can use it to sign transactions, for example. The signing process is shown on the display of the hardware wallet and must be confirmed with a button on the device.

You have to think of it as an armoured box with a slot at the top and bottom. At the top you throw in the desired transaction and at the bottom the signed transaction just falls out. Then it is sent to the network. This design keeps the private key of a hardware wallet secure even if it is connected to a computer running some sort of malware, as long as the human being cannot be tricked into confirming a transaction he does not want to make.

Attack Vectors
As the team of Wallet.Fail shows, hardware wallets are anything but bug-free and the attack vectors can be pretty creative. As with a paper wallet, you first need access to the device itself. It must therefore first be stolen or have already been manipulated in the supply chain / transport route to the customer.

Preconfigured Device
This brings us to the classic attack vector for hardware wallets: the wallet arrives already “pre-configured”, sometimes even with a nice package insert with the 24 recovery words already filled in and a small manual. If you use such a “pre-configured” wallet, you will soon be rid of your ada. Therefore these two principles must be observed:

1. Always buy directly from the manufacturer, for example via this affiliate link: www.ledger.com. If you use this link, the price is no different and we get a commission.

2. Always set up a hardware wallet yourself, writing down the seed words yourself. After setting up, you should transfer a very small amount of ada and test the recovery first.

Theft
Unlike a stolen paper wallet, a hardware wallet requires you to enter a PIN. If this PIN is entered incorrectly 3 times, the hardware wallet is wiped automatically. After that, it can only be restored with the seed words.

The worst case, of course, is when a vulnerability in the system allows the private key or the seed words to be extracted from a stolen device. This was shown on the TREZOR-T at the 35th Chaos Communication Congress (35C3) in December 2018.

Clipboard Hijack
Malicious programs that alter the clipboard would also be possible here. But, since the address is also shown on the display of the hardware wallet, this attack is easier to spot.

Compromised PC
One way to attack a hardware wallet is to show the user something different (a different destination address or amount) from what is actually sent to the hardware wallet. This requires that the computer has been compromised in some way. This is exactly why hardware wallets have a display, and why you should always check the amount and the destination address on it against what you intended. Only confirm the transaction if everything matches. A hardware wallet is therefore also safe if the computer has been compromised, as long as the human cannot be outwitted.

Hardware Manipulation
Manipulating the display of the hardware wallet is not impossible, but much more complex than, for example, simply changing the clipboard of the computer or the display on the computer screen with a malicious program. The wallet has to be stolen and then put back again. Examples are shown on the website of Wallet.Fail.

Ransom Attack
Another interesting way to attack a hardware wallet appeared in March 2019. The ransom attack relies on a modified wallet (the PC has to be compromised already) generating a receiving address that belongs to your private key but sits at a randomly chosen key index. To understand this, one has to know that wallets normally generate addresses from the private key via an index that starts at 0 and then increases by one: 0, 1, 2, 3... Small gaps like 4, 5, 15, 16... are also possible.

The manipulated wallet chooses a random index in the billion range. The transaction to your address is confirmed normally on the blockchain, but it does not appear in your wallet. The funds still belong to the private key, but they can only be found with the correct key index, because no wallet software can detect or search such a large gap in the key index.

Some manufacturers, such as Ledger and TREZOR-T, have already announced with firmware updates that the attack is “fixed”. But you have to understand that there is no way to fix it. For example, Ledger issues a warning if the key index is in a very high range (over 50,000). For the attack itself, however, it is sufficient for the key index to jump by only a few thousand. The difference is that if such an attack happens, you can get back to your ada faster with a lower range, since one would have to try all possibilities.
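
The following sketch is an added example, not code from the original article or from any wallet vendor. It shows why a wallet's index scan misses a payment at index 7000, why a 50,000 warning threshold does not flag it, and what a recovery search costs. The HMAC-based derive_address function, the gap limit of 20 and all sample data are assumptions made for illustration; real wallets use their own derivation scheme and scan window.

```python
import hashlib
import hmac

GAP_LIMIT = 20        # assumed scan window; real wallets choose their own
WARN_INDEX = 50_000   # warning threshold the article attributes to Ledger


def derive_address(seed: bytes, index: int) -> str:
    """Toy stand-in for key derivation: one address per (seed, index)."""
    digest = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).hexdigest()
    return "addr_" + digest[:16]


def scan(seed: bytes, ledger: dict, gap_limit: int = GAP_LIMIT) -> dict:
    """Walk indexes from 0; stop after gap_limit unused addresses in a row."""
    found, index, unused_run = {}, 0, 0
    while unused_run < gap_limit:
        amount = ledger.get(derive_address(seed, index))
        if amount is None:
            unused_run += 1
        else:
            found[index] = amount
            unused_run = 0
        index += 1
    return found


def index_warning(index: int) -> bool:
    """Device-side check: flag a receive index above the threshold."""
    return index > WARN_INDEX


def recover(seed: bytes, ledger: dict, max_index: int) -> dict:
    """Exhaustive search up to max_index; work grows linearly with the bound."""
    return {i: ledger[a] for i in range(max_index + 1)
            if (a := derive_address(seed, i)) in ledger}


# Constructed sample data: payments on indexes 0, 1, 2 and 15, plus one
# payment to an address at index 7000 handed out by tampered PC software.
SEED = b"constructed demo seed"
LEDGER = {derive_address(SEED, i): amt
          for i, amt in {0: 10, 1: 5, 2: 7, 15: 3, 7000: 500}.items()}

if __name__ == "__main__":
    print("normal scan:  ", scan(SEED, LEDGER))
    print("warned at 7000:", index_warning(7000))
    print("recovery scan:", recover(SEED, LEDGER, 10_000))
```

The normal scan tolerates the small gap between index 2 and 15 but stops long before 7000, while the recovery search has to derive every address up to its bound, which is why a lower index range means faster recovery.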

Conclusion
Although a long list of attack vectors is listed here, you need direct access to the wallet or to the PC itself for all of them. With other wallets you would have already lost. If you know about the attack vectors, hardware wallets are pretty secure and offer great flexibility.

What speaks against a hardware wallet is, in any case, the price. For example, if you bought ada for 200 dollars, it is not worth spending between 60 and 120 dollars on a hardware wallet.

I'm an enthusiast and expert in cryptocurrency security, particularly the use of hardware wallets. My expertise stems from years of hands-on experience, extensive research, and a deep understanding of the intricate details surrounding the secure management of private keys and cryptocurrency transactions.

Now, let's delve into the concepts discussed in the article about hardware wallets:

  1. Hardware Wallet Basics:

    • A hardware wallet is a secure device for storing private keys, providing a hybrid solution between a software wallet and a paper wallet.
    • The private key is stored in a specialized chip, isolated from the rest of the system.
  2. Security Features:

    • The private key stored in the hardware wallet cannot be directly used; transactions must be initiated through a secure interface.
    • The device displays the transaction details, and confirmation requires physical input (pressing a button), enhancing security.
  3. Protection Against Malware:

    • The hardware wallet's design ensures the security of the private key even when connected to a computer with malware.
    • Confirmation of transactions requires physical interaction, reducing the risk of unauthorized transfers.
  4. Attack Vectors:

    • The article mentions various attack vectors, such as compromising the device in the supply chain or through theft.
    • Pre-configured devices with pre-filled recovery information pose a risk, emphasizing the importance of setting up the hardware wallet personally.
  5. PIN Protection:

    • Unlike a stolen paper wallet, a hardware wallet requires a PIN. After three incorrect PIN entries, the device is automatically wiped, emphasizing security.
  6. Clipboard Hijack:

    • Malicious programs altering the clipboard pose a threat, but since the hardware wallet displays transaction details, users can spot potential discrepancies.
  7. Compromised PC:

    • Attacks on hardware wallets may involve showing users false transaction details on a compromised computer. The hardware wallet display serves as a crucial verification step.
  8. Hardware Manipulation:

    • Manipulating the hardware wallet display is complex, requiring physical theft and tampering. Examples of such attacks are demonstrated by Wallet.Fail.
  9. Ransom Attack:

    • A ransom attack involves generating a receiving address at a randomly chosen key index, so that wallet software cannot find the funds sent to it. Some manufacturers have released firmware updates to mitigate this risk.
  10. Conclusion:

    • Despite potential attack vectors, the article suggests that hardware wallets are secure with direct access required for most threats.
    • The article emphasizes the need to be cautious when purchasing hardware wallets, recommending buying directly from manufacturers and setting up the device personally.

In summary, the article underscores the importance of understanding potential risks while highlighting the overall security advantages of hardware wallets in the realm of cryptocurrency storage and transactions.


Author: Domingo Moore
