Stop blindly trusting hardware wallets
I've written a lot about this topic. I've done my research and I know what I'm talking about. We tend to blindly trust hardware wallets and "cold storage" even though at the end of the day they're grounded on a foundation of trusting a centralized agent. It's a topic I've been discussing as far back as 2020, and this latest Dark Skippy vulnerability reconfirms everything I've said and then some.
What is Dark Skippy?
It's an attack delivered through tainted firmware that steals your keys by publishing them, in disguise, on the blockchain. Instead of choosing a fresh random nonce for each signature, the backdoored firmware picks deliberately weak (low-entropy) nonces that encode pieces of the master seed. The signatures it produces are perfectly valid, so they ride out inside legitimate transactions and get confirmed like any other. Anyone scanning the chain can recover those weak nonces from the public signatures and, when enough of them are combined, reconstruct the master seed that secures all the crypto on that wallet.
Earlier nonce-leak attacks of this kind needed dozens of signatures posted to the blockchain. Dark Skippy needs as few as two. Two transfers out of the wallet and the seed for every coin on that device is in the attacker's hands. Not great.
Every time I get a notification saying I need to update my firmware I cringe. Trezor does this ALL THE TIME. It's so bad. What is the point of a hardware wallet if code from outside the device is constantly being injected into it? It's crazy to think that an attack like Dark Skippy completely circumvents even an air-gapped hardware wallet: the air gap protects the device from the network, but the leak rides on the signatures the device is supposed to produce, and the attacker reads those straight off the public blockchain rather than extracting anything from the device.
How do I protect myself from this type of attack?
1. Order hardware signing devices straight from the vendors, if possible. The more direct, the lower the likelihood of tampering.
2. Use hardware vendors that have tamper-resistant mechanisms in place, such as tamper-evident sealed bags, firmware attestation, etc.
3. Use hardware that employs a secure bootloader and enables you to easily verify the integrity of the source firmware and its updates.
4. Use hardware that follows security standards in generating nonces. One such standard is RFC6979 (deterministic nonces).
5. Verify the authenticity of the firmware every time you upgrade. (Tip: bookmark the vendor website to avoid phishing).
6. Avoid upgrading firmware unless you absolutely have to. Use another device if you want to experiment with firmware features that you don’t actually need for your main wallet.
7. Use multisig, preferably multi-vendor multisig. This alone significantly increases the difficulty of executing the attack.
lol... notice anything?
In pretty much ALL CASES it is blatantly implied that we have to trust the firmware that we download from "official" sources. This is the problem that I bring up time and time again. How much longer until governments around the world demand (behind closed doors of course) that companies like Trezor and Ledger embed these kinds of backdoors into the firmware on purpose so they can "fight terrorism" or whatever other flavor of excuse they decide to use? In fact it would honestly be foolish to think that this type of thing isn't already going on. Does the NSA already know your seed phrase? It's very possible, and you'd never know it.
‘Dark Skippy’ method can steal Bitcoin hardware wallet keys
According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces,” which are then used to sign transactions. The resulting signatures get posted to the blockchain when transactions are confirmed. The attacker can then scan the blockchain to find and record these signatures.
So once tainted firmware is on the device there's basically no way, from the signatures alone, to tell whether they're leaking: a signature made with a weak nonce verifies exactly like an honest one. The only check that exists is recomputing the nonce yourself with the private key (the deterministic-nonce point in item 4 above), and how many users are actually going to do that? What's the real solution here?
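To make the mechanism described under "What is Dark Skippy?" and in the quoted report concrete, here is an added toy example. It is my illustration, not code from the original post and not the Dark Skippy researchers' code. It makes several simplifying assumptions: the leak is modelled with textbook ECDSA on secp256k1 rather than the real attack's construction; the "seed" is shrunk to 32 bits and leaked as two 16-bit nonces so that plain exhaustive search stands in for the Pollard's kangaroo search a real attacker would run over a much larger range; and a simplified HMAC-based deterministic nonce stands in for RFC 6979. What it shows is the point of the passage: every backdoored signature verifies like an honest one, two of them hand the observer the seed, a single one hands over the private key, and the only check that catches the tampering (recomputing the deterministic nonce and comparing r) needs the private key, so it is available to the wallet owner and to nobody else.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(d, msg, k):
    """Textbook ECDSA. The caller chooses the nonce k; that choice is the whole attack."""
    z = msg_hash(msg)
    r = ec_mul(k)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# Honest signer: deterministic nonce from HMAC(key, H(msg)). Simplified stand-in
# for RFC 6979 (assumption), not the RFC's exact derivation.
def honest_nonce(d, msg):
    mac = hmac.new(d.to_bytes(32, "big"), hashlib.sha256(msg).digest(), "sha256").digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

def nonce_is_honest(d, msg, sig):
    """The check a KEY HOLDER can run: recompute the deterministic nonce and compare r.
    A verifier without d cannot run it; a tainted signature still verifies."""
    return ec_mul(honest_nonce(d, msg))[0] % N == sig[0]

# Backdoored signer: nonce = a 16-bit chunk of the seed (toy size, assumption).
CHUNK_BITS = 16

def backdoored_sign(seed, d, msg, tx_index):
    chunk = (seed >> (CHUNK_BITS * tx_index)) & ((1 << CHUNK_BITS) - 1)
    return ecdsa_sign(d, msg, chunk + 1)   # +1 keeps k non-zero

# Attacker: sees only (message, signature) pairs on the public chain.
def recover_nonce(r, max_bits=CHUNK_BITS):
    """Find k with (k*G).x == r by exhaustive search; cheap only because k is tiny.
    A real attacker uses Pollard's kangaroo over a larger range (assumption about scale)."""
    pt = None
    for k in range(1, (1 << max_bits) + 1):
        pt = ec_add(pt, G)                 # pt is now k*G
        if pt[0] % N == r:
            return k
    raise ValueError("nonce outside the low-entropy range")

def recover_privkey(msg, sig, k):
    """d = (s*k - z) / r mod n: one known nonce gives the private key."""
    r, s = sig
    return (s * k - msg_hash(msg)) * pow(r, -1, N) % N

def recover_seed(chain):
    seed = 0
    for i, (msg, sig) in enumerate(chain):
        seed |= (recover_nonce(sig[0]) - 1) << (CHUNK_BITS * i)
    return seed

def demo():
    seed = secrets.randbits(2 * CHUNK_BITS)   # constructed 32-bit toy seed
    d = int.from_bytes(hashlib.sha256(seed.to_bytes(4, "big")).digest(), "big") % N
    pub = ec_mul(d)
    txs = [b"tx0: pay 0.10 BTC", b"tx1: pay 0.25 BTC"]   # constructed sample payloads
    chain = [(m, backdoored_sign(seed, d, m, i)) for i, m in enumerate(txs)]
    k0 = recover_nonce(chain[0][1][0])
    return {
        "all_verify": all(ecdsa_verify(pub, m, s) for m, s in chain),
        "seed_recovered": recover_seed(chain) == seed,
        "key_recovered": recover_privkey(*chain[0], k0) == d,
        "owner_check_flags_backdoor": not nonce_is_honest(d, *chain[0]),
        "owner_check_passes_honest": nonce_is_honest(d, txs[0], ecdsa_sign(d, txs[0], honest_nonce(d, txs[0]))),
    }
```

Running demo() returns a dict in which every entry is True: the two backdoored signatures verify, the observer reconstructs the seed from them, the first signature alone yields the private key, and the deterministic-nonce check rejects the backdoored signature and accepts the honest one. The exhaustive search over a 16-bit nonce takes a second or so in plain Python; the arithmetic is identical for larger leaks, only the search method changes.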
Hm well yet again Hive has already solved this problem.
How many times have you updated your Hive firmware over the last few years? The answer is zero, because Hive doesn't have firmware or hardware wallets, and doesn't need them either. The seemingly unique ability to have multiple layers of security (owner/active/posting/memo) once again proves itself to be the superior solution.
Even active keys that find their way onto a hardware wallet (like Ledger) can't be reverse-engineered to find the master key. Hive master keys exist as an offline tool and aren't even a requirement for creating keys or using the network. And even if it were possible to somehow extract an owner key (which it's not, because it doesn't exist on these devices) we have another failsafe behind it with account recovery. That's multiple layers of better security than a hardware wallet, all made possible with timelocks and yield/staking/governance incentives to ensure that a majority of users actually partake in the solution.
It's actually somewhat embarrassing at this point that top-tier assets like Bitcoin and Ethereum don't have timelocked wallet recovery built on their extensive multisig capabilities. What is the excuse at this point? I guess it's just another signal that we are very far away from mainstream adoption. It's simply not a priority, until it is. Make no mistake: once people start dying (hopefully from old age) and we require better transitions for succession, this type of technology will become an absolute requirement of any network.
Conclusion
Are you scared anon? Maybe you should be depending on how your crypto is secured and how you're getting those firmware updates. It's exploits like these that prove that putting all the eggs in one basket is never the answer despite how good the security of that basket may seem. I would sooner store my crypto across ten centralized exchanges than put it all on a single hardware wallet.
When the overwhelming consensus to a firmware attack is "make sure you get the official software" we have a huge problem and conflict of ideals. The cognitive dissonance is strong. We arrived here in the first place because we didn't trust authority. Now we're being told to trust authority all over again. It will not end well.
The production of hardware wallets themselves has to be decentralized, air-gapped, and verifiable by the user. It is not acceptable for centralized "trustworthy" companies to be making these devices and acting as though the government can't force them to inject backdoors into the firmware. Now that we see just how powerful those backdoors can be (public, and undetectable from the signatures themselves) this is a topic worth taking much more seriously.
"We arrived here in the first place because we didn't trust authority. Now we're being told to trust authority all over again. It will not end well." Hahaha, the manipulation continues. If decentralization was the backbone of blockchain tech, we are still far behind.
I agree.
Nakamoto's wallet remains untouched. What's that worth nowadays?
Thanks!
If Nakamoto moves any tokens, even a penny, it's going to create a panic that crashes the price quite a bit so there's no telling how much 1M BTC is actually worth because it can't be sold.
Personally I believe the same as Saylor in that there shouldn't be any inheritance or succession. We should just let the coins rot and take them off the market, effectively distributing them to everyone in the network. Very communist.
The limitation of BTC to 21M tokens reduces the utility of the token. Since Sats are already being used, that temporarily resolves the issue, but population will rise, and eventually Sats will not suffice. Of course they can be again subdivided, but Nakamoto's provision of 21m tokens, and a variety of features of BTC that have been replaced by industry, dramatically change the functionality of BTC.
I am incompetent to parse the consequences, but deeply distrust the industry, so innately suspect such alterations are le bad.
I totally agree with this assessment; the difference is my conclusion is that this is a feature and not a bug of the protocol. Printing inflation is a risk, and thus printing zero Bitcoin has the least risk and consequently the least reward. The utility is it provides a stable base for every other cryptocurrency out there to experiment and take risks that a bedrock token should not be making.
On a fundamental level your assessment assumes that cryptocurrencies are in competition with each other, which is in line with the tribalism and greed that we see within the ecosystem. Fortunately for everyone these opinions and projected zero-sum games are absurd from a perspective of open-source opt-in governance structures. Any crypto with a niche that provides a useful service is beneficial to every other crypto. This includes Bitcoin, as Bitcoin is very useful for what it does (not what people say it does; what it actually does).
Great post! Thanks for enlightening me. Aren't some hardware wallets open source, and wouldn't that make it harder to hide a backdoor?
Good stuff.
Yea, you need diversification on cold wallets as well.... I now use multiple from different companies
Excellent, my friend.
A very insightful summary and I appreciate your extrapolations.
I agree you are safer with ten decentralized exchanges than one shaky hardware wallet.
I think I will take my chances with the latter.
You raise a good question; Why haven't Bitcoin and Ethereum developed better wallet security?
Jack Mallers, the CEO of Strike, says Bitcoin/the Bitcoin Foundation doesn't fund development, and most Bitcoin developers are volunteers or funded by private companies or individuals, and thus lawsuits against them have had a chilling effect on Bitcoin development. So the development we have seen is driven by the desires of a few, not the needs of the many. He speculates, and I concur, that Bitcoin could be much further along developmentally if it had a planned foundation like Ethereum. But he says such a foundation, which some say was funded by a premine and reeks of centralization, is the wrong solution to Bitcoin's development finance problems.
But despite its Foundation, Ethereum still uses wallets which date from its origin, like My Ethereum Wallet, or ones developed by non-Ethereum Foundation sources. Their focus just seems to be elsewhere, like DeFi, but I don't know how they continue to ignore the continued rugs and other thefts on the blockchain. The security of users' funds just doesn't seem to be their priority.
I am sad to say that one of the things that attracted me to Steem and Steemit was the wallet security, because I had lost funds. A frequent happenstance in my early years in crypto was websites where I staked funds just shutting down and founders disappearing with hundreds or thousands of people's staked coins. Cryptocurrency security, its supposed strong point, was its inherent weakness when most of the ways to make money involved moving your crypto out of your wallet into someone else's wallet.
In regards to Steem, and now Hive, the fact that I could stake my crypto in my wallet, in the savings account in my wallet, and still use this staked form to make money while it was protected multiple ways in my wallet was a game changer for me. I actually sold my Bitcoin for Steem, and later my Steem for Hive. I considered, for a time, Bitcoin to be an early form of cryptocurrency, and I did not foresee the value it took on with time. But that was my fault for understanding part of Bitcoin's story, but not all of it. Bitcoin has a big story, and when you first hear it, it is a bit far-fetched and goes in one ear and out the other. At least it did for me. But time has shown the white paper to be correct about the dollar, taxes, money printing and everything else. Bitcoin and cryptocurrency are like an education with multiple classes and multiple exams. It takes a few years to earn your degree and arrive at a point of decent understanding. All the while we are busy going about our daily lives, making a living and contending with life's challenges.
Hive has its issues, but security usually isn't one of them. I am praying I am not jinxing us and no exploit is developed for Keychain or our native wallet.