Cryptocurrency hardware wallets may not be as secure as you think

For any crypto holder, storing funds safely is a major concern that requires research and planning. Hardware crypto wallets are generally regarded as being the most secure choice among cryptocurrency investors. This does not mean, however, that these wallets are immune to fraud.

Hardware wallet manufacturer Ledger spoke out against security vulnerabilities found in Coinkite and Shapeshift wallets, showing how their products could be attacked. In the event that someone got their hands on the physical wallet, they might be able to figure out the PIN. Although these threats were quickly addressed by the companies, there are still other ways for bad actors to gain access to user funds. 

A data breach at Mailchimp recently exposed an email list of users belonging to another company. The email marketing service has subsequently been sued by one of the users. A lawsuit filed by Alan Levinson alleges he lost $82,000 due to negligently stored data. 

A similar phishing scam targeting Trezor users was detected by the CoinLoan anti-fraud team. Hackers attached a link to a counterfeit version of the Trezor website to an email received by a member of the CoinLoan team. The purpose was to steal the seed phrase and access users’ wallets. This security concern was promptly addressed, saving many Trezor wallet users from losing their funds. However, this case emphasizes the importance of dealing with all possible security threats when it comes to hardware crypto wallets.

What is a hardware wallet?

First, let’s figure out what a hardware crypto wallet is. Unlike digital wallets, hardware wallets are physical devices, much like USB thumb drives. Private keys are stored offline, making them inaccessible to online threats. Direct data communication with the computer on the hardware eliminates the risk of the vulnerable software. This way, private keys can only be used and stored on the device and are never stored on a computer or online, making them immune to viruses and online hacks. 

The downsides to using hardware wallets include initial costs that are higher than average digital wallet software. Devices from major manufacturers like Trezor and Ledger cost anywhere between $50 and $1,200. For users to use their hardware safely, they should also know how to configure it. Funds can be accessed by malicious parties if the wallet is handled improperly. In order to gain access to sensitive data such as PIN codes or private keys stored in a physical hardware wallet, hackers may use the following methods.

Possible vulnerabilities

Side-channel attack

A side-channel attack uses an oscilloscope, a type of electronic test device. It measures the power consumption and then compares its behavior to random PIN codes. Analyzing the measurements of each PIN digit helps build a database that can then be used with a script to guess the digits one by one. This vulnerability was detected in some Trezor hardware and has since been fixed.

Software attacks

Attacking a Hardware Security Module (HSM) can result in obtaining the cryptographic keys and other data that grants access to the wallet. The software that is contained in the wallet device is analyzed and reverse-engineered to understand how its security works. This vulnerability in popular HSMs was discovered by the Ledger team. One of the researchers explained: “The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials.”

Voltage glitching

This possibly fatal flaw was identified by Kraken Security Labs. They found out that applying lowered voltage to a microcontroller allows them to read the chip’s RAM. After the firmware is installed, the chip moves the cryptographic seed into RAM to protect it, therefore, granting access to all the memory contents.

Best security practices

While most identified vulnerabilities are usually fixed by manufacturers, there are possibly multiple other ways to hack into current hardware wallet devices. The first step for users to protect themselves is to keep their devices in a safe place away from any third-party access. Another important rule is never sharing sensitive information like private keys, PINs, and recovery seeds with anyone. 

The recovery seed can be safeguarded by avoiding typing or storing it online, taking pictures of it, or any other action that may compromise it.It’s best to simply write it down and store it in a safe place. Furthermore, it’s crucial to only communicate with the wallet using a trusted PC. Any online exposure to the PC might lead to a vulnerability. 

Even though a lot of these hacking techniques require physical access to the device, there is also a possibility of a phishing attack. They could be targeted at users via email, mobile phone, social media, fake websites, and instant messaging apps. This was the email scam uncovered and prevented by CoinLoan, saving Trezor users from falling victim to it. In this case, the key to ensuring wallet security was not only users’ vigilance, but also the quick response from the CoinLoan fraud detection specialists. As CTO and co-founder Max Sapelov, commented: “This incident does shed light on the inherent risks associated with (cold) non-custodial wallets, including software, connections to third-party vendors, and possible insider leaks. In contrast, custodial wallets such as CoinLoan often implement a series of checks and holds which prevent fraudsters from a) gaining access and b) moving or withdrawing crypto in the event of a leak.” Service providers and manufacturers should always be alert to possible hacks in order to protect users who may not be aware of these vulnerabilities.

---