Hardware wallets such as the Ledger Nano, Trezor and KeepKey are a secure, user-friendly solution for the average person to safely store their cryptocurrencies. They’re quite secure because they generate the wallet’s private keys offline and only broadcast the public key to the internet. However, there are some vulnerabilities which can be exploited to steal funds from the hardware wallet of an unsuspecting user.
Bitcoin Hardware Wallet Tampering
One hardware wallet hack that has come to light occurs when the wallet has been tampered with prior to purchase. The scammer purchases a hardware wallet, tampers with it, then resells it as new through an online store such as eBay or Amazon.
When initialising a brand new hardware wallet, it first prompts the user to create a paper backup of the wallet. This backup is a 12 or 24 word phrase commonly called a “mnemonic seed” or “recovery phrase.” It’s extremely important to keep these words secure, as they are effectively the password which can recreate the wallet on another device.
The fraud works by the scammer taking note of the recovery phrase of a newly purchased hardware device, then printing it out on an official-looking document. This document listing the recovery phrase is then included in the box along with the device for resale. The unsuspecting purchaser of the hardware device assumes the manufacturer has included the recovery phrase along with the device and is oblivious to the scam. After the purchaser moves coins onto the device, the scammer “recovers” the victim’s wallet on a new device using their recovery phrase to steal the funds.
How to avoid this scam: it’s important to purchase a hardware wallet through a reputable dealer, preferably directly from the manufacturer. Wallets should be shipped via a reliable freight company and not through the general postal service. Hardware wallets should never be purchased second hand or through online stores such as eBay, Amazon or Alibaba. Before opening a newly purchased hardware wallet, the box should be checked for tampering. The Trezor has a tamper-resistant hologram sticker on the box which reveals any meddling.
When backing up your hardware device for the first time, write down the recovery phrase in a safe, private location. Do not write down the recovery phrase in a public area, and also be mindful of any cameras which may be watching. Hardware wallets come with promotional stickers, and it’s a good idea to use the stickers to cover up the cameras on your computer and mobile phone whilst writing down your recovery phrase.
Man in the Middle Attack
A “man in the middle” attack (MITM) is an attack where the scammer secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other. In relation to hardware wallets, a MITM attack occurs when a virus or other malicious software on a computer changes the send address in the wallet’s desktop app. A significant minority of all computers, reportedly as high as 33 percent, are infected with a virus. Specific viruses are able to detect the use of a hardware wallet app and change the send address so that the user unknowingly sends funds to the scammer instead of to the intended recipient.
How to avoid this scam: the best way to avoid the man in the middle attack is by purchasing a new computer solely for the purpose of connecting your hardware wallet. This will greatly reduce the risk of the computer being infected with a virus. Furthermore, always verify the send address on the display screen of the hardware device prior to sending any funds.
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as usernames and passwords by posing as a trustworthy entity in an electronic communication. With regard to hardware devices, phishing occurs when a hacker contacts a purchaser of a device disguised as the manufacturer and informs them of a desktop app or firmware update. The fraudulent app or firmware update then installs malicious software which compromises the function of the device.
Note that this can occur through platforms such as social media, where an attacker takes control of a wallet manufacturer’s Twitter feed and announces a new software update with links to bogus software.
How to avoid this scam: use a browser extension like Cryptonite by MetaCert to better protect yourself from phishing scams and fake Twitter accounts.
Hardware wallets are an ideal solution for securing cryptocurrencies. They’re devices made specifically to safely store cryptos while also offering ease of use. They can, however, still be vulnerable to scams, meaning that users must still take care when using them to store and move their crypto assets.