What's wrong with hardware wallets?

By Leo Zhang

Purpose-built cryptocurrency devices are fine to use, but carry a curious security caveat: they can be physically swapped in the supply chain for impostor devices whose seed, and hence every private key derived from it, the attacker already knows. Unwitting users acquire these devices through online retailers, where they are innocently labeled "used." See the thread.

Technical & Updates

Breaking the Ledger security model
(Saleem Rashid)

"In this disclosure, we will focus primarily on the case of supply chain attacks. That is: whether or not you can trust your hardware wallet when you purchase it from a reseller or third party. But, as I explain briefly at the beginning of this article, the methods described here can be applied to the other two attack vectors."

This is the formal write-up of the exchanges between security researcher Saleem Rashid and Ledger's CEO. The original Twitter thread can be found here:

The CEO of Ledger responded on Reddit, in this comment from a thread about the two-week deadline Ledger set for the "critical flaw" update.

Commentary from security researcher Matthew Green (Zcash lead scientist, Johns Hopkins CS professor)

On the same day, Ledger published a detailed, step-by-step guide to installing the fix, and acknowledged the work of Saleem Rashid and his colleagues.

Firmware 1.4: deep dive into security fixes
(Ledger Blog)

"Take away: the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attacks. There is no need to take any other action, your seed / private keys are safe."

Hardware wallets are not perfectly secure. Other wallets, such as Trezor, have had exploitable weaknesses of their own (Trezor promptly released firmware 1.5.2 to address one). For users, the best practice is simple: install every firmware update as soon as a security fix is announced, and, most importantly, do not buy used hardware wallets on eBay.
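The defense the supply-chain attack above is aimed at is a genuineness check: the vendor certifies each device's attestation key at the factory, and the host later asks the device to prove possession of that certified key on a fresh nonce. The following Go program is an added illustration written for this newsletter, not Ledger's or Trezor's code, and it deliberately simplifies: a single Ed25519 vendor root key stands in for the vendor's certificate chain, the Device struct and the Genuine/Impostor/Cloned constructors are hypothetical, and the bypass Rashid's disclosure describes (tampering with a part of the device the attestation key does not cover) is not modeled. It shows the two ways a swapped device fails the check: a forged certificate, or a copied certificate without the matching private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models a hardware wallet as seen by the host during a genuineness
// check (hypothetical structure, not any vendor's real protocol). A genuine
// device holds an attestation key pair whose public key the vendor signed at
// the factory; a swapped device can hold any key pair it likes, but it cannot
// obtain a vendor signature over it.
type Device struct {
	AttestPub  ed25519.PublicKey
	attestPriv ed25519.PrivateKey
	VendorSig  []byte // vendor's signature over AttestPub: the "certificate"
}

// SignChallenge is the device's response to a host-supplied nonce.
func (d *Device) SignChallenge(nonce []byte) []byte {
	return ed25519.Sign(d.attestPriv, nonce)
}

// NewVendor creates the vendor root key pair (constructed here for the
// example; a real vendor keeps the private half offline).
func NewVendor() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Genuine assembles a device whose attestation key the vendor certified.
func Genuine(vendorPriv ed25519.PrivateKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{AttestPub: pub, attestPriv: priv, VendorSig: ed25519.Sign(vendorPriv, pub)}
}

// Impostor assembles a device with its own key and a certificate signed by a
// key the attacker made up, since the attacker has no access to the vendor key.
func Impostor() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, fakeVendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{AttestPub: pub, attestPriv: priv, VendorSig: ed25519.Sign(fakeVendorPriv, pub)}
}

// Cloned copies a genuine device's public key and certificate (both are
// public data) but cannot copy the private key that lives inside the device.
func Cloned(genuine *Device) *Device {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{AttestPub: genuine.AttestPub, attestPriv: priv, VendorSig: genuine.VendorSig}
}

// Verify runs the host-side check: the certificate must chain to the vendor
// root, and the device must prove possession of the certified key on a nonce
// the host has never used before (so a recorded answer cannot be replayed).
func Verify(vendorPub ed25519.PublicKey, d *Device) error {
	if !ed25519.Verify(vendorPub, d.AttestPub, d.VendorSig) {
		return errors.New("attestation key is not certified by the vendor")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(d.AttestPub, nonce, d.SignChallenge(nonce)) {
		return errors.New("device does not hold the certified private key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewVendor()
	cases := map[string]*Device{
		"genuine":  Genuine(vendorPriv),
		"impostor": Impostor(),
		"cloned":   Cloned(Genuine(vendorPriv)),
	}
	for _, name := range []string{"genuine", "impostor", "cloned"} {
		fmt.Printf("%-8s -> %v\n", name, Verify(vendorPub, cases[name]))
	}
}
```

Two things a practitioner should take from this: the nonce must be fresh per check, otherwise an attacker who recorded one genuine exchange can answer it forever; and a passing check says nothing about any component the attestation key does not cover, which is exactly the gap the disclosure above exploits.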

Decred is now traded on the Lithuanian exchange Kaiserex. (Twitter)

Particl released Particl Core 0.16.0.1, which merges the latest Bitcoin Core 0.16.0 and adds Ledger hardware wallet support. (Twitter)

News & Commentary

Telegram loses bid to block Russia from encryption keys
(Bloomberg, by Ilya Khrennikov)

"Telegram, the encrypted messaging app that’s prized by those seeking privacy, lost a bid before Russia’s Supreme Court to block security services from getting access to users’ data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications."

It is worth noting that Russia is Telegram's largest market, and that Telegram is in the middle of raising $1.6 billion through an ICO. A commentary on Telegram's ICO can be found here:

Telegram ICO: scam among cryptocurrency scams
(Forbes, by Jason Bloomberg)

"Even assuming the Telegram team is up to the task the company says it is ready to tackle, there is simply too much money in the deal."

Commentary on Cambridge Analytica

The problem is Facebook, not Cambridge Analytica
(Bloomberg, by Leonid Bershidsky)

"Let's face it: Users are routinely tricked to obtain such consent. Tech companies make giving it, or agreeing to complex terms of service, look like a low-engagement decision."

Where is Mark Zuckerberg?
(The Atlantic, by Alexis C. Madrigal)

"This is what they’ve built. These are the governance problems that come with this kind of market dominance. Mark Zuckerberg created a service and a corporate structure that centralized power in himself. And that means we need transparency from him because there is no other way to get it."

The average SMB website is attacked 44 times per day
(TechRepublic, by Alison DeNisco Rayome)

"As the cyberthreat landscape continues to expand and grow more sophisticated, small and medium-sized businesses (SMBs) are at an increased risk of falling victim to cyber attacks, often due to a lack of resources to combat threats."

Is trade war the only option?
(Foreign Affairs, by Daniel Rosen)

"If China and the United States exhaust the alternatives and take the disengagement route, it would be wise for their policy professionals to build in opportunities for reengagement down the road, because the current divergence in political and economic models may not last forever."
