According to a recent research report from Ledger, one of the largest manufacturers of cold wallets, it was revealed that there are several loopholes in their products.
The hackers can exploit these weak points easily to get into it and steal the funds stored there.
Now the question is why these hardware wallets, that are advertised to be safe and most secure, are vulnerable to attacks.
Well, you are in the right place to know about it all.
Well, most people think that the hardware wallets are pretty safe from the hackers because they cannot actually get hold of the device physically and so that they can exploit it.
However, according to the Ledger report, even the hardware wallet of the highest standards can be compromised by the hackers.
All they have to do is access the PIN codes that are designed to make these wallets secure.
However, most manufacturers of hardware wallets have fixed this type of vulnerabilities in their product but there are some amounts of risks that still remain.
Though physical loss of the hardware wallets and fixing of the PIN hacking possibilities have made them quite safe and secure, the lack of firmware update can be a strong reason that these hardware wallets are still so vulnerable to attacks.
Here, in this article, the research reports of such vulnerabilities of the hardware wallets are discussed so that you have a comprehensive knowledge about the security aspect of hardware wallets.
Why Crypto Hardware Wallets Too are Vulnerable to Attacks?
In order to make sure that you are using a safe and secure wallet for your crypto venture, you will not only need to know the differences between the different types available for use but also know about the safety aspects.
In addition to that, you will also need to know how you can protect your wallet and funds from being hacked or stolen.
But first, you must know about the vulnerabilities of the wallets which are present even in the hardware wallets that are considered to be the safest by many.
Since covering every aspect in one single article will be a bit of a messy affair, here are the set of safety risks that you should know about the hardware wallets.
However, before talking about the safety and vulnerability of the hardware wallets, it is important to know a little bit about the basics of the hardware wallets.
You may know that the crypto wallets actually do not hold any coins, unlike leather wallets.
This is true for all types of wallets that are available such the hot wallets that are with the exchanges or in the computer or in a mobile device or the physical hardware device or cold wallets.
This means that irrespective of the type of crypto wallet you use, there are no coins in it.
Instead, these wallets hold the passwords to get access to them on the blockchain, which are called the private keys.
It is these private keys that the hackers are after. They input these keys into the interface of their own wallet and move the crypto from your wallet to anywhere they want.
Now you may think that there is a serious flaw in the principle itself. Well, debatable as it is, this is where the hardware wallets come into the picture and to your rescue.
But, can anyone hack these hardware wallets may be the million dollar question.
Well for that you should first know why these hardware wallets are considered to be far superior in comparison to the hot wallets.
To explain it in simple words, when you use the hot wallets it is inevitable that your private keys will be exposed to a bad actor and it will be much easier for a hacker to exploit those keys than those stored in a hardware wallet.
This is because the hot wallets work through a mobile device or browser, and there lies the big issue.
In comparison, the hardware wallets, on the other hand, are specially built physical devices that are designed to be immune to malware.
It is their design and functionality that removes the attack vectors that most hackers usually exploit.
The hardware wallets do this by removing the unnecessary complexities outside of signing transactions and storing keys.
But can these be hacked? You will need a much deeper look in order to understand that.
One of the most significant features of the hardware wallets is that these work offline to store the private keys.
Though this feature makes it pretty safe and difficult to hack, mind it, it is ‘difficult’ and not ‘impossible.’
The hardware wallets can be hacked in several different ways by the malicious actors. Some of which are:
- Phishing scams – This is one of the most common ways the hackers try to trick the users. You will find a lot of scammers out there trying this trick so that users give away their private keys to their wallets to them.
- The $5 wrench attack – This is a particular type of threat in which some kind of physical force is involved so that the hackers can have control over your crypto.
- Changed devices and tampering – The hardware wallets can be tampered with while shipping, and there are several instances of it available. Sometimes, even fake or counterfeit wallets are also sent to the users to phish details of the private keys of the users.
Now the answer to your primary question, why these hardware wallets are vulnerable to attacks, brings to the next section of this article.
Research Report on Vulnerability
Several research reports, new and old, show that the hardware wallets are vulnerable to attacks that would reveal the PIN of these popular cold storage options.
Reports show that the majority of the crypto users think that the safest place to store the crypto coins is in the hardware wallets.
These physical devices look much like an ordinary USB drive. These wallets store your private keys and crypto locally and offline and therefore are considered to be the safest option.
However, ‘safest’ does not necessarily mean ‘perfect’ and that is corroborated by these research reports.
As said earlier, a research report of Ledger showed that their products such as the Coinkite and Shapeshift come with loopholes that can reveal the PIN to the hackers. These issues are however fixed by Ledger.
However, there can be other flaws in the hardware which would require frequent updating of the firmware.
However, even after that a hacker can quickly grab the PIN of a target wallet by gaining information due to the ever-evolving hacking techniques, as mentioned above.
Some of these techniques are so advanced that the necessary information can be gathered even when the hardware wallets are locked.
One primary reason for such vulnerability is the memory chips used in them.
These memory chips can give out voltage outputs that may be different at different times.
This results in a notable fluctuation in the power consumption. It can also affect the data that is being processed by the memory chip when such changes are displayed.
These physical changes are known as ‘side channels.’ Through these side channels data and information is leaked without requiring any direct access to it. Instead, it is leaked through physical and indirect means.
Further examination of the memory chips that store the authentication PIN of the users revealed that these chips can monitor the changes in the voltage output while receiving PIN inputs to find out the PIN itself.
This, however, does not mean the PINs can be read from the voltage of the memory chip of the wallet.
It needs taking thousands of measurements of the voltage output of the processor of the PIN for each known value of it.
Later on, the hacker can detect the desired PIN of the wallet of a target user by using a kind of decoder to analyze the voltage outputs of different phases of the PIN retrieval process.
Once the hacker attacks a device these facts and figures are compared with the different measurements in the dictionary to find out the best match as well as those that are most likely to be the correct PIN.
Though a firmware update can fix these vulnerabilities that may enhance the security and functionality of the PIN verification process, the fix however makes it more complicated to build up a reliable and strong directory of different outputs of power consumption that would help in mapping the PIN values.
Sometimes, the hardware wallet owners may not receive an update and in such situations they can add a passphrase, which should preferably be a long one, to their wallets. This will act as a secondary layer of authentication.
You may also use those hardware wallets that specifically come with a special secure memory.
This will prevent the side channel attacks from happening and will also limit PIN guessing.
However, even this is not 100% foolproof because the hackers can use techniques called the ‘fault injection attack.’
This is a special type of hack in which a tactical and unintended glitch is triggered to exploit the behavior of the computer.
This may even push the memory chip into an unsafe and insecure restoration or debugging mode.
In such a situation the guess limit of the PIN in the memory chip is not in effect.
This enables the attacker to execute brute force and try doing anything that is possible with the PIN so that the wallet eventually unlocks.
Ideally, the research shows that there is no particular way in which you can prevent a hacker with or without the physical possession of the hardware wallet to get access to it.
This is because the hackers use the most sophisticated technologies, resources, and techniques to ‘pawn’ the wallets eventually.
Key to Securing Hardware Wallets
The primary purpose of a crypto wallet, hot or cold, is to:
- Store the private keys
- Prove actual ownership of crypto to the blockchain
- Sign transactions cryptographically using the private keys and
- Broadcast transactions to the blockchain.
In order to make sure that it performs all of these functions properly, you will need to secure your wallet so that your crypto assets are safe and protected from the bad actors.
Therefore, it is recommended that you exercise the same caution to protect your hardware wallet as you would for any other valuable instrument or investment.
You should ‘protect it like it could be stolen tomorrow.’ This will make it quite difficult for the hacker to carry out any attack on your wallet.
Remember, it ultimately boils down to how easy for a hacker it is to get access to your wallet and steal the private key information stored in it. Therefore, you should be responsible in using the wallet and take the security to the next level.
One of the best ways to secure your crypto wallet and prevent it from being hacked is to set it up using a 24 word seed phrase.
You can even make this security more proven and effective by following these two steps:
- You may consider using a multi-sig cold storage which will need more than one set of private keys to access and sign on a transaction. This multi-sig solution will add an extra layer of protection to your wallet and its funds stored because when one set of private keys is compromised, there will be others to still protect it.
- You may also consider using a 25th passphrase. As the number indicates, it is adding an additional word to the 24 word seed phrase making it 25 in total. The usefulness of this last additional word is that it is not stored on the gadget itself.
These additional security precautions along with the in-built security features of the hardware wallets as well as your best practices will offer a very strong security solution to your wallet.
However, remember that no solution is 100% foolproof because the hackers, undoubtedly, are smarter these days.
So, after reading this article you know that even the hardware wallets are not 100% safe, as opposed to their claims. However, thanks to the article, you also know the reasons and the ways in which you can secure them for your benefit.