What's wrong with hardware wallets?
Purpose-built cryptocurrency devices are fine to use, but carry a curious security caveat: they can be physically swapped with impostor devices whose private keys are held by an attacker. Unwitting users acquire these devices through online retailers, where they are innocently labeled "used." See the thread.
Technical & Updates
"In this disclosure, we will focus primarily on the case of supply chain attacks. That is: whether or not you can trust your hardware wallet when you purchase it from a reseller or third party. But, as I explain briefly at the beginning of this article, the methods described here can be applied to the other two attack vectors."
This is a formal write-up of the exchanges between security researcher Salem Rashid and Ledger CEO. The original Twitter thread can be found here:
As one of the security researchers, I urge to update now. This article doesn't make it clear enough how dangerous this issue can be.— Saleem Rashid (@spudowiar) March 6, 2018
Potential issues include compromised recovery seed generation or private key extraction. https://t.co/Z2WGFZnFAA
The CEO of Ledger responded on Reddit...
There is a common architectural theme in certain embedded devices: they incorporate a secure processor (or processor component) to protect critical secrets or ensure correct behavior. I’ve seen this in all kinds of devices, not just cryptocurrency wallets. 2/— Matthew Green (@matthew_d_green) March 20, 2018
On the same day, Ledger published a detailed, step-by-step guide to update the fix, and acknowledged Salem and his colleagues' work.
"Take away: the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe."
Hardware wallets are not perfectly secure. Other wallets such as Trezor could also be exploitable in different way (the company promptly released an update firmware 1.5.2). For users, it is important to follow best practice, and upgrade whenever a security fix is announced. Most importantly, do not buy used hardware wallets on Ebay.
Decred is now traded on Lithuanian exchange Kaiserex. Twitter
Particl released Particl Core 0.16.0.1: merges the latest Bitcoin 0.16.0, and adds Ledger Hardware wallet support. Twitter
News & Commentary
"Telegram, the encrypted messaging app that’s prized by those seeking privacy, lost a bid before Russia’s Supreme Court to block security services from getting access to users’ data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications."
It is worth noting that Russia is Telegram's largest market, and Telegram is in the middle of raising a $1.6 billion ICO. A commentary on Telegram's ICO can be found here:
"Even assuming the Telegram team is up the task the company says it is ready to tackle, there is simply too much money in the deal."
Man if you're upset about a little company called Cambridge Analytica, wait until you hear about this little company called Palantir— Kevin Slavin (@slavin_fpo) March 20, 2018
"Let's face it: Users are routinely tricked to obtain such consent. Tech companies make giving it, or agreeing to complex terms of service, look like a low-engagement decision."
"This is what they’ve built. These are the governance problems that come with this kind of market dominance. Mark Zuckerberg created a service and a corporate structure that centralized power in himself. And that means we need transparency from him because there is no other way to get it."
"As the cyberthreat landscape continues to expand and grow more sophisticated, small and medium-sized businesses (SMBs) are at an increased risk of falling victim to cyber attacks, often due to a lack of resources to combat threats."
"If China and the United States exhaust the alternatives and take the disengagement route, it would be wise for their policy professionals to build in opportunities for reengagement down the road, because the current divergence in political and economic models may not last forever."
Look for the "Subscribe" link on our site to receive curated news, delivered daily or weekly to your inbox.