While hardware crypto wallets are an effective protection for your cryptocurrency, they can still be abused. We address the risks their owners need to guard against.
Hardware wallets are considered to be the most reliable cryptocurrency storage solution out there. A special device that signs all of its owner’s blockchain operations offline seems so much more reliable than online storage or computer apps. After all, we hear about hacks and bankruptcies of online cryptocurrency exchanges almost monthly , while apps are clearly vulnerable to regular computer threats like malware.
While these considerations are sound, investments cannot be fully protected by simple hardware crypto wallets, as their owners are also vulnerable to a variety of attacks. Accordingly, they must also be protected from attacks…
Hot, cold, hardware and software wallets
Before we continue with the risk analysis, let’s briefly summarize the difference between the different types of wallets. First of all, no wallet stores the cryptocurrencies themselves. All information about the assets is recorded on the blockchain, while a crypto wallet is just a secure repository for the respective private (secret) key. The owner needs the key to record a new transaction in the blockchain, i.e. to make a cryptocurrency transaction. In addition to the secret key, crypto wallets usually also store a non-secret public key that is used to receive transfers.
There are several ways to store a private key:
- Encrypted on the server. These are online or depot wallets offered by well-known exchanges such as Binance and Coinbase.
- In a mobile app on a computer or smartphone.
- On a separate offline device.
- As an alphanumeric sequence written on a piece of paper.
In the first and second case, the key is always stored online; therefore, it can be used at any time to sign a transaction on the blockchain. These are so-called “hot wallets”.
To send money using options three and four, certain additional actions are required: you need to connect your device to a computer or phone, or enter information on paper. These are “cold” wallets.
A dedicated, standalone device for storing keys is called a hardware wallet; Applications for storing keys on regular computers and smartphones are software wallets.
A combination of these two variants offers another viable – albeit somewhat exotic – option: storing the key in a separate smartphone that is always kept offline. The mix results in a software wallet, albeit a cold wallet.
A few words about paper wallets. A paper wallet is a printed copy of your key and/or seed phrase (more on that later), and its uses are limited to receiving funds or using it as a backup. In order to use your funds, you must submit your private key to an online software solution. Then your cold wallet becomes a hot wallet.
Types of hardware wallets
Hardware wallets usually look like USB sticks or bulky car keys. As a rule, they have a display for transaction control. To sign a transaction, the wallet is connected to a computer or smartphone, initiates a transfer from the computer or smartphone, checks the information on the wallet’s display, and confirms the action by entering the PIN code or simply pressing a button. The main advantage of hardware wallets is that they sign transactions without sending your private key to the computer – this protects the data from simple theft mechanisms.
Also, many wallets include additional features and can be used as hardware keys for two-factor authentication.
There are also wallets that resemble a bank card and wallets that resemble the format of an “offline phone” but are less common. The latter have a working screen and allow transactions to be signed by scanning QR codes. Many of these models do not have any other interfaces apart from the connection for the charger, so that they are not connected to the outside world with the exception of the camera and the screen.
Risk #1: Loss or Destruction
For hardware wallet owners, the most obvious risk is that they could lose it. To protect the wallet against unauthorized use – for example in case of loss – you should use a PIN code or biometric data: These must be activated in your wallet. Unlike mobile phones and bank cards, long PINs can be used – up to 50 digits on some models; remember: the longer – the better.
Physical destruction of the wallet will also destroy the data stored on it, so it is important to have a backup of the private keys. Such a copy is made when the crypto wallet is created: in the form of the so-called seed phrase, which consists of a series of 12 or 24 English words. By typing these words in the correct order, you can regenerate both your public and private keys. The creation of the seed phrase is standardized for most blockchain solutions (BIP39 algorithm), ie even if e.g. For example, if a Ledger wallet is lost, you can store your data on a third-party hardware wallet, e.g. B. Trezor, or one of the “hot” software wallets.
It is important not to store the seed phrase in an easily accessible digital form such as B. in the form of a photo on your mobile phone, a text file or similar. Ideally, it should be written down on paper and kept in a very secure place like a locker or safe. More importantly, do not share the seed phrase with anyone as its only function is to recover your lost crypto wallet.
Risk #2: Phishing and fraud
A hardware wallet in no way protects against social engineering. If the victim voluntarily chooses to make a transaction or share their seed phrase with a bogus “cryptowallet tech support specialist,” all the funds are gone, regardless of what hardware protections were in place. People are inventive when it comes to fraud: the deception maneuvers are constantly changing. Some examples of this include data leak emails sent to hardware crypto wallet owners, or fake websites designed to be perfect replicas of well-known cryptocurrency exchanges or crypto wallet providers.
Preventing worse from happening requires vigilance—and even paranoid (in a good way) distrust of anything unexpected. Also of great help is the integrated cybersecurity system for computers and smartphones , which reduces the risk of visiting a phishing site to almost zero.
Risk #3: Malware
A virus-infected computer or smartphone is a common cause of cryptocurrency investment loss. If the victim uses an online wallet (hot wallet), the criminals can steal the private key and perform any transactions they need on their own to clear the wallet. The trick doesn’t work with a hardware wallet, but other attack vectors can be used in this case. For example, once the victim makes a legitimate transaction, the malware can substitute the address of the target wallet to redirect the funds to the criminals. The malware does this by monitoring the clipboard and replacing the actual wallet address with the address of the scammers’ crypto wallets as soon as it is moved there.
The threat can be mitigated to a certain extent by carefully matching the addresses shown in a hot wallet or on a cold wallet’s display. Depending on the device, however, other problems can also come into play: Many hardware wallets have a display that is too small to adequately read long blockchain addresses. And because the integration of the hardware wallet into the computer application can also be vulnerable to attacks, even the address displayed on the computer screen can be spoofed.
The best strategy is to augment your computer or smartphone protection to ward off malware.
Risk #4: fake and modified wallets
The purchase of a hardware wallet should also be treated with caution: These devices are already in the crosshairs of criminals ex works. There have been reports of crypto wallet buyers receiving USB flash drives with Trojan horse payloads , fake devices with modified firmware, or a “ free replacement for a defective device under warranty ”.
To avoid such threats, you should never buy crypto wallets second-hand, through online classifieds, or at online auctions. Always order them through the official online stores of the providers. Once the package arrives, you should examine the device for damage (sticky residue, scratches, traces of tampering) and compare it with the description on the official website, which usually lists the main authenticity features and gives recommendations on how to spot a knockoff .
Risk #5: Physical hacking with memory analysis
This is the most exotic – but not the least likely – threat. Many attacks on common wallet models ( one , two , three , four ) are based on the fact that one can manipulate the firmware, read the memory or disrupt data transfer between the components of the device by physically disassembling the device and its Connects circuit elements to special devices. This makes it possible to extract the private key or its slightly encrypted version within minutes.
There are two ways to protect against this risk. Firstly, pay special attention to the physical security of your wallet, protect it from theft, and never leave it unattended. Second, you should take additional protective measures, such as B. the use of a passphrase in Trezor wallets, do not ignore.