So whether reliable hardware crypto wallets? How to protect your savings?

How to securely store a crypto-money? This question is concerned, holders of the cryptocurrency more. Today, users have multiple solutions. The most secure way to store is to use hardware wallets. However, time has shown that even cold storage can not provide reliable protection. What are the problems inherent in modern hardware wallets and how to protect yourself from criminals?

The experts Kraken Security Labs has informed has informed about the detection of "holes" in the security toolbar for cold storage KeepKey. Identified the bug would allow the attacker provided physical access to the wallet to break in somewhere for 15 minutes, spending about $75. It is already known that to eliminate the vulnerability is quite difficult, as the manufacturer should make changes at the hardware level. The existence of problems is not only KeepKey, but also other popular crypto-wallets. What you should know to the holders of such devices?

The contents

1. Bug KeepKey
2. Reaction KeepKey
3. Bugs Best Wallet
4. Vulnerabilities Ledger
5. safety Rules for interacting with hardware wallets for cryptocurrencies
6. Reliability of hardware devices

Bug KeepKey

For hacking KeepKey the attacker would need to implement an attack called "power supply failure" (eng. voltage glitching). This would allow to access seed phrase, and then to take over, and funds in your wallet. This attack requires the attacker specialized equipment and specific knowledge. For those who are knowledgeable about the functioning of the protection system, it will not be a problem.Having physical access to the machine of the victim, the hacker uses a relatively cheap device, which can cause a failure of the microcontroller due to power surges. It is interesting that the market for such instruments is not presented, however, you can build your own, spending about $75. After that a hacker gets access to the same seed phrase, and a required 9-character password without a problem chosen by brute force. After this, the access to funds. Experts draw attention to the fact that the vulnerability exists in all products KeepKey.

The Reaction KeepKey

It is worth noting that the bug was discovered and used back in April of this year. The white hacker Sergey Volokitin managed to crack the wallet and upload your own, BY using a power supply failure. Currently, the implementation of the purses has been the company ShapeShift, which acquired KeepKey in 2017. Interestingly, ShapeShift knows about the problems, however, is of the opinion that the main goal is achieved – from remote attack user keys are securely protected. In July, the company said that anyone with the right equipment and knowledge, while obtaining physical access to the development from any company, can take action that will cope with any digital protection.

Bugs Best Wallet

Security issues products best wallet started to be discussed in 2017, in particular the bugs reported ethical hacker Salim Rashid, who also failed to detect defects in the devices Ledger.

It is worth noting that the company best wallet uses only one universal chip based on ARM architecture (he is responsible for cryptography, and the principles of connection of the purse). In remote mode, such a product would be difficult to crack, however, if you have direct access to the wallet attack can be done successfully. For example, experts Wallet.fail turned wallet hack with the help of the same attack "power supply failure". A low level voltage triggered a crash caused the reboot. Meanwhile, as part of the update, the device moved the seed-phrase in RAM. If the owner did not care about setting the password, the data can be detected. Representatives of best wallet has acknowledged the existence of problems, but also drew attention to the fact that the script is unlikely to be fulfilled in reality.

It is noteworthy that in the spring of 2019 for bugs in the products Model T and Model One of best wallet has drawn the attention of researchers Ledger (this company is a competitor of best wallet). It is known that the best wallet you managed to eliminate only one vulnerability.

Among the bugs found by the representatives of the Attack Lab:

1. Holographic sticker can be erased by using a conventional dryer (the threat that attackers can buy original product, hack it and then return it back – in that case, if the company once again someone will get the purse, the new owner risks to lose money).
2. In the crypto library best wallet One do not have the required tools to counter hardware attacks.
3. Have a way to steal personal information from your wallet (if you receive direct access to the device, you will have access to personal data that is stored in flash memory).

Ledger Vulnerabilities

Among the major manufacturers of hardware devices for the storage of cryptocurrency: Ledger, as well as best wallet and KeepKey. Also known companies like Digital BitBox, CryoBit and CoolWallet. The creators promise to provide users with the highest level of security, but white hackers continue to find in each of these products certain vulnerability.

The French manufacturer is no exception. It should be noted that the Ledger and best wallet products are the most popular among crypto holders. In December last year, experts of the Wallet.fail identified the problem of the two projects, the results of developments, the researchers were able to demonstrate in practice, in the event the Chaos Communication Congress. Experts drew attention to the fact that the wallets have similar problems. To eliminate a vulnerability is possible by replacing the microcontroller or firmware updates.

Meanwhile, the products from the Ledger and best wallet you do not function the same way. In the purses of the French company developers use 2 microcontrollers: cryptographic and universal (he is responsible for managing the external connection and the approval of the transfers). As it turned out, to implement the hack first microcontroller (Secure Element) is difficult, but the second is not.

At the conference, researchers demonstrated the following:

1. In the French design experts have implemented cheap hardware implant (costs about $3), through which the remote format has been able to confirm the transaction. In The Wallet.fail then stated that in this way it is possible to hack any device, but Ledger said that the danger is exaggerated, as demonstrated method is not practical.

2. In the Ledger Nano's happened to realize hacking the bootloader and do the firmware upgrade. It is noteworthy that the wallet has protection from such actions, the firmware is tested by using methods of cryptography. And all the experts cheated the system, the problem is already solved.

3. The Ledger wallet Blue managed to hack through the interception of PIN-code through the use of radio waves. In order to use the bug, the attacker needs to be almost in several meters from the device at the time when it will enter the PIN. In practice, the implementation of this scenario is also unlikely, but still the manufacturer has promised to fix the problem.

Despite providing users with protection from remote attacks, it is also possible the cases in which the attacker has physical access to the wallet. Particularly relevant, these issues will be with the spread of cryptocurrency and the need for storage.

Safety rules for interacting with hardware wallets for cryptocurrencies

As it turned out, the holder of cryptocurrency risks losing funds mainly in the case hardware wallet will be directly in the hands of the attacker. The "skilled" criminals are a number of tools and techniques using which you can quickly hack the device and, in particular, we are talking about attacks of a mediator, the firmware, implementing, aftermarket purses, the hacking of the computer from which the wallet is connected, and the introduction of special hardware implants, the theft of seed phrases.

The following recommendations will protect yourself from attack:

1. Hardware wallet should be stored in a safe place where there is no access from the outside people do not need to pass the device to others.
2. To buy equipment for cold storage only in the official outlets or the online stores of trusted manufacturers.
3. When buying, you should inspect the packaging (there are no suspicious injuries, signs of opening).
4. It is recommended to use the maximum possible number of passwords, the options of granting the consent for implementation of transaction (it is not necessary to facilitate the process of interaction with the purse if you wish to save money, because the more complex process of the transaction, the harder it is for an attacker to carry out an attack).
5. You should choose a wallet that supports multipages (they are more difficult to use but more reliable).
6. You should make sure that no one has the opportunity to observe the entering of passwords (for example, there may be cases when criminals establish surveillance using a web camera, etc.).
7. It is also recommended to double-check the recipient's address during the transaction.

The reliability of hardware devices

Despite the fact that the to date the products have problems, they provide users with protection from remote attacks. However, when physical attacks still have the possibility of losing money (while ignoring safety rules). You should not be disappointed in available in the market wallets, because the producers are working to improve their developments and implement new solutions to enhance security. When choosing a purse, you should pay attention to the readiness of the company, which is engaged in creation of purses, eliminate vulnerabilities. When using the device, it is sufficient to observe safety rules in order to avoid unpleasant incidents.