Bitcoin Q&A: Hardware wallets and attack surface

[AUDIENCE] Thanks, Andreas. I thought that was fantastic. Can you talk a bit about hardware wallets? [inaudible] Those devices…

[ANDREAS] Absolutely. How many people in this audience have used a hardware wallet? [AUDIENCE raises hands]
Okay, great. That is good practice. Hardware wallets were first introduced in 2013. Let me backtrack just a tiny bit and say something else, which is an important clarification: a Bitcoin wallet doesn’t hold bitcoin. The word “wallet” is misleading. It is one of the problems with naming in our industry. Bitcoin doesn’t stay in your wallet; it is always on the blockchain and cannot be anywhere else. Strictly speaking, there are no coins [either]. There is just a ledger, but let’s not go into that. The bottom line is, what we call a wallet is actually a keychain. It contains keys, which are numbers. Your wallet contains the numbers that allow you to unlock and sign for bitcoin on the blockchain. This applies to all open public cryptocurrencies. Your wallet contains keys. If someone steals your keys, then they can do the unlocking and signing part [too]. Bitcoin that you thought was yours, based on the possession of keys, is no longer yours.

That can happen fairly easily because stealing a number out of a digital device is not that hard. The more complex the digital device is, the more opportunities there are to get inside and steal it. The more applications it runs, interfaces it has, network traffic it has…
There is a very big security difference between a device that is connected to the internet, where you browse… any old site that you happen to fancy, and type things to go all over the internet. Sampling things, downloading little apps… that device [will] not be very secure. [Compared to a] personal computer, a hardware wallet is a [small stripped down device], leaving only a screen, some buttons, only software that controls keys and signs transactions. That makes it as secure as possible, [by taking] a minimalist approach to security.

[There are metal versions but] it is usually a USB device, about this big, and you connect it to your computer. Your computer can prepare transactions, interact [with web or desktop interfaces], go to merchant stores, scan QR codes, etc. But the only device that signs transactions is the hardware wallet, where the keys are. Your computer will pass transaction information to the hardware wallet, where you can see on the screen that it will pay this amount to this address. Even if you plug this into the most virus-infected machines (your local library computer, my dad’s laptop), you can still do a secure transaction. As long as you check [the information] on the screen of this device, received through a [limited connection], is the correct transaction, you can sign it and transmit it out onto the network. [They are designed so] the keys never leave the device; nothing leaves other than a signed transaction, which isn’t secret anyway, as it [will be] recorded on the public blockchain soon. That is what a hardware wallet [does].
They cost between $35 – 150 on average. If you have any significant amounts of cryptocurrency, you should own one of these devices to store it. Today, most hardware wallets can hold multiple cryptocurrencies, easily the top ten [by market cap]. They can control [keys for] bitcoin, ether (including tokens), litecoin, and a bunch of other coins. They are very flexible, convenient, easy-to-use, and most importantly they are easy to use securely. You don’t have to be an expert to maintain [the] security [of your keys with these devices]. I think they are a great balance of ease-of-use and security for new [and beginner] users.

You may be wondering, “So if the keys are on the device, what happens if I lose the device or drop it in the toilet?” “I’ve done that with my phone twice.” When you first initialise the keys on this device, it will display twenty-four English words, a mnemonic phrase. Those twenty-four words can recreate every key that device will ever produce; if you write those down and store them safely, they are a complete back-up of every address and key. Then you worry about how to protect those words. [Laughter] You can add a passphrase, but [either way] you are still much better off… than if you [stored your keys] on your personal computer or smartphone, as it is a lot harder to hack.

Physical security is something our species has millions of years of experience with. ‘Hide the nut under the rock, don’t let the other caveman see it is under the rock.’ Information security [with computers] is something we have about 30 years of experience with. We still suck at it, so one advantage of hardware wallets is that they allow you… to [convert] something purely digital into a [paper list of words]. The device itself has a PIN and it can’t be easily [compromised] even if someone [has physical access]. By turning [the keys] into written words, you can apply physical security [practices]; all your ancestral knowledge with castles, locks, bolts, [hardware] keys, dogs, and alarms comes in. You can start applying all of that to the domain of Bitcoin. People are generally much more comfortable understanding what it takes to secure a piece of paper, than what it takes to secure their own personal computer. That is the idea with hardware wallets: make the virtual, physical.

“Can the USB cable that connects your hardware wallet to your desktop be compromised?” “[Can it leak] sensitive information?” The same question applies to the Chrome applet, or the user interface of the wallet. [Could that] compromise sensitive information? If you use a hardware wallet correctly, no. [The hardware wallet is designed so that] no sensitive information travels out of the device. A hardware wallet will receive all of the information it needs [to make] a transaction, it will sign that transaction and then transmit it back to the computer you are using. That signed transaction, which is not sensitive, [will be] broadcasted to the network. Even if that computer was compromised, there is no sensitive information for it to capture in the communication with the hardware wallet.

Two exceptions, and these are important to understand. The PIN you enter [to unlock the wallet interface]. There are two ways some hardware wallets use to protect against capture of the PIN:

1) a combination of button clicks on the hardware wallet device to enter the PIN. Second-generation hardware wallets have touchscreens to enter the PIN directly on the device, not [at all on] your desktop or whatever machine you use to interface with a hardware wallet.

2) first-generation hardware wallets use a PIN scrambling technique, where you see… a mixed grid of [dots on your desktop and] numbers [on the hardware wallet to] identify [your PIN]. Your desktop doesn’t actually know what PIN number you enter, just the location on this scrambled [grid].

If properly used, a compromised desktop can be used with a hardware wallet in a way… that doesn’t compromise the hardware wallet. The other way you have some risk in the desktop environment is if you are using a passphrase. I would still recommend that you do use a BIP-39 passphrase with your hardware wallet, because it offers that extra layer of protection that improves the security of your backup seed, as well as your device itself [in the event of] theft. [But when] the passphrase is typed on a desktop, you have a problem. It could be compromised by a key logger. One of the great developments in second-generation devices has been the introduction of the ability… select the passphrase [letter by letter] on the hardware wallet itself, so it is never typed on your desktop. You can do that with the Ledger Nano S, the Trezor Model T, and the Ledger Blue. The Model T is a [new hardware version] of the Trezor. Those allow you to interface directly with the hardware wallet for PIN and passphrase [entry]. So you should never type that into the desktop.

The final point about using hardware wallets with a [potentially] compromised desktop: One of the easiest ways to compromise end users of cryptocurrency is a clipboard or screen attack, whereby the address you [choose] to pay is compromised before it is sent to your hardware wallet. For example, let’s say I want to receive some money on my Trezor. I would copy the Trezor address, paste it into an exchange, or send it to someone else who [will] pay you. Because your desktop is compromised, in the clipboard it will replace the address… [where] you intended to receive money, with the attacker’s address. Then you paste it into an exchange; if you don’t [check it carefully], they [will] pay the attacker instead of you. The opposite, you are in a check-out for an e-commerce website, or you are trying to deposit in an exchange. You receive a bitcoin address and you see it on your screen, [but] is it the real address the exchange sent? Sometimes it is very difficult to verify that information. If you copy-paste it into the desktop application or plugin used to run [an interface for] your hardware wallet, how do you know that is the address you [will be] sending funds to?

There are a couple of tricks or techniques you can use to protect yourself against these types of attacks. Most hardware wallets have a feature that allows you to display the receive address on their screen. If you want to receive money into your hardware wallet, before you copy that [address] to an external source, you press a button — usually a little eyeball icon or something like that — on your desktop interface. That tells the hardware wallet to display [the receive address] on its own screen. If you can see it on the screen of your hardware wallet, that is a secure channel for the most part. It is much more secure than your desktop. Before receiving [cryptocurrency], I always press that eyeball icon to display the receive address on the hardware wallet’s screen… to confirm what my desktop is telling me, because I don’t trust my desktop or laptop.

The other way around… let’s say you are trying to pay a merchant or an exchange [like Coinbase]. Under certain circumstances, you can verify the receive address you [will] send money to. [The Coinbase interface] says something like, ‘Here is the deposit address for bitcoin.’ Can you trust your browser? Can you trust your screen? Can you trust your clipboard [with a copy]… of the address Coinbase gave you? One way to [double-check] is to take your smartphone, log in to your [wallet or] exchange account there… and look at what receive address [appears] on your smartphone. Maybe your desktop is compromised; maybe there is a man-in-the-middle between you and the exchange; maybe there is an SSL or TLS vulnerability and they are breaking into your session. Can the attacker also do that on your smartphone, over a cellular network, with a completely different browser? Unlikely. If you use two different channels to look at the address and they both show the same information, then you have a higher level of confidence when you [use] your hardware wallet to [sign a transaction]. Just before you hit that ‘send’ button, carefully read the address and think, ‘Is that the one I saw on my screen?’ ‘Is that the one I actually pasted?’ ‘Is that the one that I want to send the money to?’ It sounds paranoid and painstaking.
It will not be easy for new users. But the rule of thumb when you’re operating with these things is, the hardware wallet screen is one… where you can trust what you’re seeing, for the most part. It is the desktop or smartphone screen you can’t trust as much. Check, then double-check, then triple-check, etc. Maybe it takes a few more seconds, but if you follow these steps you will feel increasingly confident that… you know where you are sending money.

Mark asks, “Hardware wallet and a full node?” “I have been wanting to run a full node and ensure good security of my private keys.” “You recommend a hardware wallet as the most secure and user-friendly way of storing private keys, as the Glacier Protocol, or air-gapping [a laptop], is more difficult to secure for new users.” “But Bitcoin Core does not support hardware wallets.” “To set up Electrum as a full node requires maintaining an Electrum server… or the Electrum personal server, which is very new and only maintained by one developer.” “What options are there to have transactions signed on a hardware wallet and validated… through your own full node, that is relatively safe and easy?”

Mark, that is a great question and you are right. The Bitcoin Core [client] does not currently support the use of hardware wallets. However, just because you are using a full node to validate your own transactions, does not mean that full node [must] sign them. Here is a set-up that is much easier to do: Bitcoin Core does support BIP-39 and BIP-32, hierarchical deterministic (HD) wallets. You can initialize Bitcoin Core to have what is called a “watch only” [mode], where Bitcoin Core has the public keys and addresses of your entire HD wallet, but doesn’t have any private keys. It cannot sign transactions. That allows you to use a full node to monitor the value of your transactions, the balance of your various accounts, and to independently verify payments made to you. If you want to sign a transaction, you open another platform, such as a simple Electrum wallet… or any of the other wallets that support hardware wallets as the backend. You can sign your transaction there, then go back to Bitcoin Core to verify it has been propagated. And you can see your balance update.
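The scrambled-grid PIN entry that the talk describes for first-generation devices, simulated from both sides as an added example (this is not code from the talk, nor from any vendor's firmware or desktop app; the function names, the 3x3 grid of the digits 1 to 9 and the sample PIN are assumptions of this example). The device picks a fresh random layout that only its own screen shows; the host displays a blank grid and learns nothing but the positions clicked; the device maps those positions back to digits and checks the PIN. The last function counts how many PINs remain consistent with what a keylogger on the host saw.

```python
import secrets
import hmac
from itertools import product

# Added example, not from the talk or any vendor's firmware: a simulation of the
# scrambled-grid PIN entry. The device shows digits 1-9 in a fresh random order;
# the host only ever sees which grid *positions* were clicked.

GRID_DIGITS = "123456789"


def device_new_grid() -> list[str]:
    """Device side: a fresh random arrangement of the digits 1-9.

    Index = grid position 0..8 (left to right, top to bottom). The layout is
    shown only on the device's own screen and is never sent to the host.
    """
    layout = list(GRID_DIGITS)
    secrets.SystemRandom().shuffle(layout)  # CSPRNG, standing in for the device RNG
    return layout


def user_click_positions(device_layout: list[str], pin: str) -> list[int]:
    """The user reads the layout off the device screen and clicks the matching
    positions on the host's blank grid. Only these positions reach the host."""
    return [device_layout.index(d) for d in pin]


def device_check_pin(device_layout: list[str], positions: list[int], stored_pin: str) -> bool:
    """Device side: translate clicked positions back to digits with the layout
    it chose, then compare with the stored PIN in constant time."""
    if any(p < 0 or p > 8 for p in positions):
        return False
    entered = "".join(device_layout[p] for p in positions)
    return hmac.compare_digest(entered.encode(), stored_pin.encode())


def attacker_candidates(positions: list[int]) -> int:
    """What a keylogger on the host is left with: without the layout, every PIN
    whose repeat pattern matches the clicked positions is equally consistent
    with the observation (the layout changes on every unlock)."""
    def pattern(seq):
        n = len(seq)
        return [(seq[i] == seq[j]) for i in range(n) for j in range(i + 1, n)]
    target = pattern(positions)
    return sum(1 for pin in product(GRID_DIGITS, repeat=len(positions))
               if pattern(pin) == target)


def demo(pin: str = "4721") -> dict:
    """One complete unlock: device picks a layout, user clicks, device verifies."""
    layout = device_new_grid()
    clicks = user_click_positions(layout, pin)
    return {
        "host_sees": clicks,                                   # positions only
        "device_accepts": device_check_pin(layout, clicks, pin),
        "keylogger_candidates": attacker_candidates(clicks),   # 3024 for 4 distinct digits
    }


if __name__ == "__main__":
    print(demo())
```

Because the device reshuffles the grid before every unlock, a captured set of positions is useless against the next layout: replayed clicks map to different digits. The count returned by `attacker_candidates` (3024 for a four-digit PIN with no repeated digit) is the whole of what a host-side keylogger learns from one observation, which is why the talk treats the PIN as protected even on a compromised desktop.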

36 thoughts on “Bitcoin Q&A: Hardware wallets and attack surface”

  1. Andreas, thanks once again. I've bought a BitFi "unhackable" wallet… but I'm not sure if it is safe or not, since the BitFi company did not release their algorithm to the public yet and I don't know what the device hardware really does.
    Would you have any advice on this, please? Cheers!

  2. Just on the mnemonic phrase topic: say that Trezor is stolen, the race to sweep the wallet begins, as ordering a new Trezor may take some time. What do you suggest to open that 24 word phrase to re-send the funds somewhere else? This is a very, very important step.

  3. Thank you, just Patreoned last week! Hardware wallets are extremely cool! Yes, a huge amount of rich paranoid or just investor type of people might wanna use ''banks'' or ''Coin Vaults'' like Coinbase, which might become one of the biggest banks in my opinion, but nevertheless, like keeping some cash, the point of a hardware wallet is extremely relevant because it's the true decentralized way of accessing your keys instead of using a third party that really cancels the benefit of this technology!!
    Keep posting more videos; this tech is so relevant and revolutionary. I'm starting a new YouTube channel with videos in French, since there's not a lot, to try to help all the French Canadians here who think that open, borderless, censorship-resistant cryptocurrencies like BTC and ETH are scams…

  4. Very informative. A.A. – What is the best way to store the BIP 39 phrase? Perhaps encode it in some way and keep it online, to protect from the sock drawer attack? Or bury it in the ground, or a bank safe?

  5. Is it possible to run the bitcoin software in offline mode to generate addresses and sign transactions? I read you can get it to connect with localhost on startup.

  6. It's good that Bitcoin Core supports BIP 39 and BIP 32 hierarchical deterministic wallets?

  7. Andreas, security-wise would you recommend the Trezor One or the Model T? They say the firmware is different on the Model T, implying it is "better". Is that just marketing to sell a new, more expensive option, or is it actually?

  8. Great, I was just getting into wallets! Will watch later as I'm looking for a "vault" that can hold most coin's keys.

  9. Andreas, at 16:55 you state that one can initialize a "watch-only" bitcoin core node with an xpub key so that it watches the balance of your wallet. I've tried importing my xpub key into my satoshi 0.16.1 node, but get error messages "…must be hex string". How exactly are you supposed to do that? The answers on stackexchange say it's impossible…

  10. Please guys, tell me how much time it will take to find the keys for Satoshi's wallet, or for any "lost forever" wallet. If the key is just a number-letter line in the right order, then finding it by simple guessing is just a matter of time and energy, right?

  11. Very interesting FAQ, thank you. About hardware wallets, I would add the following question: how can we be sure that hardware wallets are not pre-seeded, or that there is no failure (like a not well randomized seed generator)?

  12. How is this concept ever going to be adopted cheaply, securely and be easy to use worldwide? The way this sounds, this will never reach all the poor people in the world for whom this was initially intended and promoted along those lines in the beginning. And my first and foremost concern is having my personal information (ID) online in order to have a variety of transactional wallets.

  13. I have a hardware wallet but what about Saleem Rashid who found the Ledger vulnerability? Couldn't other bad actors find vulnerabilities?

  14. What happens when the hardware wallet company goes out of business and you lose the hardware wallet? How can you re-create the private keys from the seed phrase?

    Another question is: Can I use Trezor when Trezor company goes out of business?
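The talk's point that the written-down words recreate every key the device will ever produce, and the last comment's question of how that recreation works, come down to two standard steps: BIP-39 turns the words plus the optional passphrase into a 64-byte seed, and BIP-32 turns the seed into the master private key and chain code from which all later keys derive. The block below carries both steps out as an added example (not code from the talk, Trezor, Ledger or Bitcoin Core; the function names are assumptions of this example). The input phrase is the publicly documented all-zero-entropy BIP-39 test vector, used only because its seed is known; the talk's 24-word phrases go through exactly the same computation.

```python
import hashlib
import hmac
import unicodedata

# Added example (not code from the talk, Trezor, Ledger or Bitcoin Core): the
# BIP-39 words-to-seed step and the BIP-32 seed-to-master-key step that a
# replacement device performs when you restore from the backup words.

# Order of the secp256k1 group; BIP-32 requires the master key to lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds).

    Both inputs are NFKD-normalised so the same words typed on different systems
    give the same seed. The word-list checksum is not re-checked here; a device
    rejects a phrase with a bad checksum before it reaches this step.
    """
    words = " ".join(mnemonic.split())  # collapse whitespace between words
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed"; the left half is the master
    private key, the right half the chain code. Raises if the key is out of
    range, the vanishingly rare case the spec says to treat as an invalid seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key for this seed")
    return key, chain_code


def restore(mnemonic: str, passphrase: str = "") -> dict:
    """What a replacement device does with the backup words: rebuild the seed and
    the master key. A different passphrase yields an unrelated wallet, which is
    why the talk calls the passphrase an extra layer on top of the words."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain_code.hex()}


# Constructed input: the all-zero-entropy phrase from the public BIP-39 test
# vectors (12 words), used here only because its seed is publicly known.
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    print(restore(TEST_MNEMONIC, "TREZOR"))
    # Same words, different passphrase: a completely different seed and wallet.
    print(restore(TEST_MNEMONIC, "")["seed"] == restore(TEST_MNEMONIC, "TREZOR")["seed"])
```

Two things follow from the code that the talk states in prose: nothing vendor-specific is involved, so the words restore on any BIP-39/BIP-32 wallet even if the original manufacturer disappears; and the passphrase is not a second password on the same wallet but an input to the seed itself, so a wrong or forgotten passphrase restores a different, empty wallet with no error.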
