{"id":25547,"date":"2023-04-20T03:47:44","date_gmt":"2023-04-20T07:47:44","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/five-threats-hardware-crypto-wallets\/25547\/"},"modified":"2023-05-10T00:20:26","modified_gmt":"2023-05-09T18:50:26","slug":"five-threats-hardware-crypto-wallets","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/five-threats-hardware-crypto-wallets\/25547\/","title":{"rendered":"Five types of attacks on hardware crypto wallets"},"content":{"rendered":"<p>Hardware wallets are considered to be the most reliable cryptocurrency storage solution of all. A special device that signs all of its owner\u2019s blockchain operations offline looks so much more reliable than online storage or computer apps. After all, we hear news of <a href=\"https:\/\/www.bbc.com\/news\/business-64313624\" target=\"_blank\" rel=\"nofollow noopener\">hacks<\/a> and <a href=\"https:\/\/www.wsj.com\/articles\/blockfi-prepares-for-potential-bankruptcy-as-crypto-contagion-spreads-11668534824?mod=article_inline\" target=\"_blank\" rel=\"nofollow noopener\">bankruptcies<\/a> of online cryptocurrency exchange platforms nearly every month, while apps are clearly vulnerable to <a href=\"https:\/\/www.kaspersky.com\/blog\/snatchcrypto-bluenoroff\/43412\/\" target=\"_blank\" rel=\"noopener nofollow\">regular computer threats<\/a> like malware.<\/p>\n<p>While these considerations are reasonable, investments can\u2019t be totally safeguarded by simply having hardware crypto wallets, for their owners, too, are vulnerable to a number of attacks. Accordingly, these need safeguarding against\u2026<\/p>\n<h2>Hot and cold, hardware and software wallets<\/h2>\n<p>Before we proceed to analyze the risks, let\u2019s briefly recap the difference between the various types of wallets. For starters, no wallet stores the crypto assets themselves. 
The information about the assets is recorded in the blockchain, while a crypto wallet is just secure storage for the respective private (secret) key. The owner needs the key to record a new transaction to the blockchain \u2014 that is, to make a cryptocurrency transfer. Aside from the secret key, crypto wallets usually store a non-secret public key used to receive transfers.<\/p>\n<p>There are multiple ways to store a private key:<\/p>\n<ol>\n<li>Encrypted on the server. These are online or custodial wallets offered by popular exchanges, including Binance and Coinbase.<\/li>\n<li>In a mobile app on a computer or smartphone.<\/li>\n<li>On a separate offline device.<\/li>\n<li>As an alphanumeric sequence written down on a sheet of paper.<\/li>\n<\/ol>\n<p>In the first and second instances, the key storage is always online; therefore, the key can be used to sign a transaction in the blockchain at any time. These are \u201chot\u201d wallets.<\/p>\n<p>To send money using options three or four, certain extra actions are required: connecting your device to a computer or phone, or entering information from paper. These are \u201ccold\u201d wallets.<\/p>\n<p>A dedicated stand-alone key-storage device is called a hardware wallet; applications designed to store keys on regular computers and smartphones are software wallets.<\/p>\n<p>A hybrid of two and three makes for another viable \u2014 if somewhat exotic \u2014 option: storing the key in a separate smartphone always kept offline. The mix will produce a software wallet, albeit a cold one.<\/p>\n<p>A few words about paper wallets. A paper wallet is a printout of your keys and\/or seed phrase (more on it later), and its uses are limited to receiving money or serving as a backup. To spend your money, you have to submit your private key to an online software solution. 
That\u2019s when your cold wallet turns into a hot one.<\/p>\n<h2>Types of hardware wallets<\/h2>\n<p>Hardware wallets most commonly look like USB memory sticks or bulky car keys. They usually feature a screen for checking transactions. To sign a transaction, you connect the wallet to a computer or smartphone, initiate a transfer from the computer or smartphone, verify the information on the wallet screen, and confirm the action by entering the PIN code or simply pressing a button. The main advantage of hardware wallets is that they sign operations without sending your private key to the computer \u2014 thereby protecting the data from simple theft mechanisms.<\/p>\n<p>In addition, many wallets contain extra functionality and can be used as hardware keys for two-factor authentication.<\/p>\n<p>There are also wallets resembling a bank card, and wallets approaching the \u201coffline phone\u201d format, but these are less common. The latter have a fully functional screen and allow signing transactions with QR code scanning. Many of these models have no ports at all other than the charger port, so nothing connects them to the outside world except for the camera and screen.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-crypto-fraud\">\n<h2>Risk number one: loss or destruction<\/h2>\n<p>The hardware wallet owner\u2019s most obvious risk comes from the possibility of losing the thing. To protect the wallet against unauthorized use \u2014 for example, if lost \u2014 use a PIN code or biometrics: these need to be activated in your wallet. Unlike with phones and bank cards, long PINs can be used \u2014 up to 50 digits for some models; just remember: the longer, the better.<\/p>\n<p>Physical destruction of the wallet also destroys the data stored on it, so it\u2019s important to have a backup copy of your private keys. 
A backup is generated when the crypto wallet itself is created: you\u2019ll see the so-called seed phrase represented by a string of 12 or 24 English words. By entering them in the right order you can re-generate both your public and private keys. Seed phrase generation has been standardized in most blockchain solutions (BIP39 algorithm), so even if, say, a Ledger wallet is lost, you can recover your data to a hardware wallet from another vendor, such as Trezor, or any of the \u201chot\u201d software wallets.<\/p>\n<p>It\u2019s essential not to keep the seed phrase in any readily available digital form, such as a photo on your phone, a text file or the like. Ideally, it should be written down on paper and stashed away in a very safe place like a safe deposit box or a strongbox. It\u2019s even more important never to reveal the seed phrase to anybody, because its sole function is that of recovering your lost crypto wallet.<\/p>\n<h2>Risk number two: phishing and scams<\/h2>\n<p>A hardware wallet provides no protection whatsoever against social engineering. If the victim voluntarily chooses to make a transfer or reveal their seed phrase to a fake \u201ccrypto wallet technical support specialist\u201d, the money will be gone no matter what hardware protection levels are in place. People are ingenuous when it comes to scams: decoys keep changing all the time. 
Some shining examples include <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-trezor-data-breach-emails-used-to-steal-cryptocurrency-wallets\/\" target=\"_blank\" rel=\"nofollow noopener\">data breach emails<\/a> sent to hardware crypto-wallet owners, and <a href=\"https:\/\/forum.trezor.io\/t\/fake-trezor-websites\/173\/17\" target=\"_blank\" rel=\"nofollow noopener\">fake websites<\/a> designed as exact replicas of well-known cryptocurrency exchanges or crypto-wallet providers.<\/p>\n<p>It takes vigilance \u2014 and even paranoid (in the positive sense) mistrustfulness toward everything unexpected \u2014 to prevent the worst from happening. Another great source of help is <a href=\"https:\/\/www.kaspersky.co.in\/lp\/crypto-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">the integrated cybersecurity system for computers and smartphones<\/a>, which makes the risk of visiting a phishing site almost nil.<\/p>\n<h2>Risk number three: malware<\/h2>\n<p>A virus-infected computer or smartphone is a common cause for loss of cryptocurrency investments. If the victim uses an online (hot) wallet, the criminals can steal the private key and perform, all by themselves, any transactions they need to empty the wallet. The trick won\u2019t work with a hardware wallet, but other attack vectors can be employed in this case. For example, the moment the victim makes a legitimate transfer, malware can <a href=\"https:\/\/securelist.com\/copy-paste-heist-clipboard-injector-targeting-cryptowallets\/109186\/\" target=\"_blank\" rel=\"noopener\">substitute the destination wallet\u2019s address<\/a> to redirect the money to the criminals. 
To pull it off, malware monitors the clipboard and, as soon as a crypto wallet address is copied there, replaces it with the scammers\u2019 wallet address.<\/p>\n<p>The threat can be mitigated to some extent by carefully matching the addresses displayed in the hot wallet or on the cold wallet screen, but depending on the device some other issues may come into play: many hardware wallets have a screen that\u2019s too small to adequately read long blockchain addresses. And knowing that the hardware wallet\u2019s integration with the computer application can also be vulnerable to attacks, even the <a href=\"https:\/\/www.ledger.com\/man-middle-attack-risk\" target=\"_blank\" rel=\"nofollow noopener\">address displayed on the computer screen<\/a> can be falsified.<\/p>\n<p>The best strategy is to <a href=\"https:\/\/www.kaspersky.co.in\/lp\/crypto-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">ramp up your computer or smartphone protection<\/a>\u00a0to keep malware at bay.<\/p>\n<h2>Risk number four: fake and modified wallets<\/h2>\n<p>Buying a hardware wallet is yet another matter to be approached with care: even as they leave the factory, these devices are already in the crosshairs of criminals. There are reports of crypto wallet buyers being sold <a href=\"https:\/\/np.reddit.com\/r\/ledgerwallet\/comments\/7obot7\/all_my_cryptocurrency_stolen\/\" target=\"_blank\" rel=\"nofollow noopener\">USB memory sticks with Trojan payloads<\/a>, fake units with modified firmware, or a <a href=\"https:\/\/www.coindesk.com\/tech\/2021\/06\/17\/scammers-are-sending-ledger-users-fake-hardware-wallets\/\" target=\"_blank\" rel=\"nofollow noopener\">\u201cfree replacement for a defective device under warranty\u201d<\/a>.<\/p>\n<p>To avoid such threats, never buy hardware crypto wallets secondhand, from online classified ads, or at online auctions. 
Always try to order them from the vendors\u2019 official online stores. When the package arrives, inspect the device for damage (streaks of glue, scratches, signs of tampering) and match it to the description provided on the official website, where they usually list the main authenticity features and give recommendations on how to recognize a fake.<\/p>\n<h2>Risk number five: physical hacking with memory analysis<\/h2>\n<p>This is the most exotic \u2014 yet not the most unlikely \u2014 threat. Many attacks on popular wallet models (<a href=\"https:\/\/www.ledger.com\/improving-the-ecosystem-disclosure-of-the-trezor-recovery-phrase-extraction-vulnerability\" target=\"_blank\" rel=\"nofollow noopener\">one<\/a>, <a href=\"https:\/\/fortune.com\/crypto\/2023\/02\/09\/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security\/\" target=\"_blank\" rel=\"nofollow noopener\">two<\/a>, <a href=\"https:\/\/cointelegraph.com\/news\/engineer-hacks-trezor-wallet-recovers-2m-in-lost-crypto\" target=\"_blank\" rel=\"nofollow noopener\">three<\/a>, <a href=\"https:\/\/blog.kraken.com\/post\/3662\/kraken-identifies-critical-flaw-in-trezor-hardware-wallets\/\" target=\"_blank\" rel=\"nofollow noopener\">four<\/a>) are based on the fact that by physically breaking the unit apart and connecting its circuitry to special equipment one can manipulate the firmware, read from the memory, or interfere with data transfer among the unit\u2019s components. As a result, it takes minutes to extract the private key or its lightly encrypted version.<\/p>\n<p>Protection against this risk is two-fold. First, pay particular attention to the physical security of your wallet, protect it from theft, and never leave it unattended. 
Second, you shouldn\u2019t disregard extra protection measures, such as a <a href=\"https:\/\/trezor.io\/learn\/a\/passphrases-and-hidden-wallets\" target=\"_blank\" rel=\"nofollow noopener\">passphrase <\/a>in Trezor wallets.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-crypto-mining\">\n","protected":false},"excerpt":{"rendered":"<p>Hardware crypto wallets are effective at protecting your cryptocurrency, but they can still be stolen from. Let&#8217;s address the risks their owners need to be protected from.<\/p>\n","protected":false},"author":2722,"featured_media":25548,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2196,9],"tags":[374,992,2172,3005,2233,2684,3207,187,701,527,1898],"class_list":{"0":"post-25547","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-bitcoin","10":"tag-blockchain","11":"tag-cryptocurrencies","12":"tag-cryptowallets","13":"tag-ethereum","14":"tag-hardware-wallets","15":"tag-nft","16":"tag-passwords","17":"tag-scam","18":"tag-threats","19":"tag-tips"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/five-threats-hardware-crypto-wallets\/25547\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/20968\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/10658\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/28153\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/five-threats-hardware-crypto-wallets\/25844\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/26308\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/five-threats-hardware-crypto-wallet
s\/28724\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/five-threats-hardware-crypto-wallets\/35157\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/five-threats-hardware-crypto-wallets\/11425\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/47971\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/five-threats-hardware-crypto-wallets\/20486\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/five-threats-hardware-crypto-wallets\/21239\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/five-threats-hardware-crypto-wallets\/30109\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/five-threats-hardware-crypto-wallets\/33863\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/five-threats-hardware-crypto-wallets\/26166\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/five-threats-hardware-crypto-wallets\/31854\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/five-threats-hardware-crypto-wallets\/31538\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/cryptocurrencies\/","name":"cryptocurrencies"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=25547"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25547\/revisions"}],"predecessor-version":[{"id":25635,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25547\/revisions\/25635
"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/25548"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=25547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=25547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=25547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}