How Bitcoin can be stolen even when using a hardware wallet.
Hardware wallets might increase security under some threat models but this requires knowledge. Most users lack the required background knowledge and would still loose their cryptocurrency under many different attack models. 
Note: The term "account number" rather than "address" is used throughout this wiki entry in order to avoid confusion.
Hardware wallets [archive] are:
... a physical device on which a user stores their private keys to access their blockchain wallets. These devices don’t have to be electronic. Any physical item that can store a private key is considered a hardware wallet.
From a general perspective, hardware wallets are convenient, secure, and immune to many of the hazards other wallet types can fall victim too.
It is absolutely crucial to understand the concept of an
insecure display versus a
In essence, hardware wallets seek to secure users' funds under the sane assumption that the computer in use may be compromised by malware. Once infected this way, malware can:
- secretly view all user actions without obvious signs;
- manipulate the screen, such as showing one account number instead of another correct account number; and
- capture all key strokes (sniff passwords), download files and perform other malicious actions.
For these reasons the computer display is considered an untrustworthy, an
insecure display, while the display of the hardware device is considered trustworthy, a
secure display. The reason for considering the hardware device's display to be trustworthy is that vendors of hardware wallets enforce a requirement that only signed software must be used. Unless the cryptographic verification process that prevents unsigned software from running on the hardware wallet can be subverted, the hardware wallet is considered to be free of malware and therefore a secure display. In other arenas, this security concept is referred to as "What you see is what you sign" (WYSIWYS [archive]). 
In order to perform cryptocurrency transactions securely, a number of threats must be averted so funds are not lost to attackers.
Table: Hardware Wallet Threats
||Description and Recommendations
|Failure to Understand Basic Threat Model Risk
- Threat: Many users lack basic background knowledge such as the difference between a
secure display and an
insecure display as mentioned in the Introduction chapter of this page.
- Conclusion: The computer screen could be modified by malware to fraudulently ask the user to enter the backup recovery seed phrase (recovery phrase) (perhaps under pretense of seed phrase verification) which would then give the attacker full access to all cryptocurrency holdings of the user.
- Learn how to use hardware wallets in combination with a malware free computer first with tiny amounts of cryptocurrency for testing purposes to learn the basic process. Later be suspicious about changes in the workflow and ask for trustworthy advice before proceeding.
|Recipient Account Number Discovery Risk
- Threat: It is difficult to view one's recipient account number on the hardware wallet's secure display.
- The Ledger Wallet Bitcoin [archive] has a "show address on device" ("show account number") button, which shows the account number on the secure hardware wallet display.
- The Ledger Wallet Ethereum [archive] and other wallets did not have this function at the time of writing (2019).
- myetherwallet [archive] has a "show account number on device" feature, however:
- myetherwallet is browser-based and should therefore be avoided (even when running locally).
- The online version of myetherwallet should be avoided at all cost since the myetherwallet server is an obvious target for hackers.
- It is difficult to us myetherwallet locally in conjunction with a ledger hardware wallet due to browser issues. 
- In some devices, even if the account number is shown it is difficult to read from the display.
- The Ledger Nano S [archive] only has a small display and the account number -- which can be 35-45 random characters long -- and is displayed as ticker text which automatically scrolls over the display at high speed. This means at best it is only possible to view the first few and last few characters, while skipping all those in the middle. This provides an opportunity for attackers to try to create an address where the start and end of the address match, but the middle section is under their control.
- The Ledger Nano Blue [archive] does not have the above problem and shows the full account number at once, providing an opportunity to verify it in full.
- Conclusion: The regular user of a ledger hardware wallet will have difficulty in discovering their own recipient account number in a secure manner, due to the risk of fraudulent modification by malware running on the computer. This means it is also difficult to tell senders of the correct recipient account number without potentially being misled by malware.
- Workaround: Use multiple computers to discover the account number in the hope they are not all compromised.
|Receiving Account Number Transmission Risk
- Threat: When receiving coins -- such as when withdrawing cryptocurrency from the cryptocurrency exchange -- the user's recipient account number is entered into their computer, which is utilizing an insecure display.
- Conclusion: The screen could be modified by malware to fraudulently redirect the withdrawal to an account number held in the attacker's wallet.
- Use withdrawal account number whitelists if they are offered by the sender.
- This issue does not apply if the user can transmit the recipient account number through a trusted channel.
|Account Balance Discovery Risk
- Threat: Even if cryptocurrency has been received on the device, the balance is not shown on the hardware wallet secure display.
- Conclusion: The user might mistakenly believe they have received more value than was actually transferred.
- Workaround: Use multiple computers to check the balance (watch-only accounts), in the hope they are not all compromised.
|Recipient Account Number Transmission Risk
- Threat: When sending cryptocurrency to merchants or cryptocurrency exchanges, the recipient account number is shown on the computer's insecure display. It could be modified by malware to redirect the receiving account number to the attacker. Since the hardware wallet secure display will ask for confirmation (account number and amount), at least smaller transactions are protected. For example if the user has 1 Bitcoin but only wants to send 0.1 Bitcoin, there is an option to abort the transaction if the ledger display asks to confirm a transaction that is larger than expected.
- This issue does not apply if the recipient account number can be verified through a trusted channel. For example, multiple devices can be used (since it is unlikely they are all infected) or a personal meeting with the sender can occur beforehand.
- It is possible to send funds in small installments and then confirm with the recipient via a secure channel they were received. This limits the amount of funds that may be lost to the size of the installment.
|Time of Compromise Matters
- Once funds are on the hardware wallet they are safe - depending on the security of hardware wallet - until the user attempts to spend those funds.
- This means if/when the user's computer is compromised later on (after stocking up funds), less funds are lost but all the aforementioned threats apply.
|Unauthorized Physical Access (attacker gains physical access to the device)
- If the hardware wallet and/or computer are stolen, all funds are safe as long as the user still has the backup recovery seed phrase (recovery phrase). This assumes the attacker is unable to circumvent the hardware wallet PIN entry and/or extract the keys from the device.
- If the user stores the hardware wallet and PIN in the same place and loses it, all funds will be lost.
- If the recovery phrase is lost and hardware wallet or PIN code is lost all funds are irretrievable.
- Compared to full disk encryption:
- usability: It is easier to keep private keys secured.
- The protections afforded by hardware wallet security are not necessarily stronger than computer full disk encryption (such as LUKS in Linux).
- Those hardware wallets that include a Secure Element are generally more secure.
- Some hardware wallets are reported to have been hacked before. Examples:
- For some hardware wallets there might be no public reports yet of attackers who gained physical access but not the PIN code (or recovery phrase) and then managed to steal funds.
- easier to safely split bitcoin / bitcoin cash / bitcoin gold: yes
- easy to carry: yes
- easy to backup: yes
- easy to replace device: yes
- easier than Qubes OS (offline vault VM): yes
- browser support on/off
- ledger device applications do not auto start
- more obscure to attack than a "simple trojan horse": yes
|Low Quality of Randomness
- The quality of randomness required by the device to create the backup recovery seed phrase (recovery phrase) might be too low. An attack might find a a weakness in the Random Number Generator (RNG) which helps to attacker to guess other other user's recovery phrase and thereby steal their cryptocurrency.
- Since well encrypted data is indistinguishable from random data, it would even be possible for an attacker to subvert the production process of a hardware wallet, thereby compromising the RNG. All tests for verification of randomness would pass but the attacker could have user a cryptographic algorithm and private key which turns the apparently random data into predictable data for the attacker only. Thereby the attacker could wait for the hardware wallet to be widely used before stealing huge amounts of cryptocurrency.
- Suspicious and even proven to be broken RNG's exist. See this list of references.
- security-misc [archive] (installed by default in Kicksecure and Whonix) distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
- Kicksecure and Whonix improve entropy generation due to pre-installed entropy generators. See wiki page Dev/Entropy for details.
- Quote ledger hardware wallet on Quality of randomness [archive]:
Hardware RNGs like the one used in Ledger hardware wallets use several sources of randomness.
- But does not elaborate on that page what these several sources of randomness are.
- Trezor: has a lot more documentation. 
- Conclusion: A hardware wallet should not be trusted with recovery phrase creation.
- Create the recovery phrase on a device with high quality randomness (i.e. a computer). This will be very difficult for most users since this requires a malware free computer to begin with.
- Use a passphrase. Quote ledger hardware wallet [archive]:
The Passphrase is an advanced feature that adds a 25th word of your choosing of max 100 characters to your recovery phrase
- The passphrase needs a good password strength. Ideally at least as strong as the password strength of recovery phrase since the recovery phrase is in question here. However, such as strong passphrase is difficult to generate for most users. (That is why the default workflow that most hardware wallet vendors lay out is for the recovery phrase to be generated by the hardware and not by the user.) Quote Wikipedia:
Human-generated passwords: People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords.
- Simplified: Most human generated passwords are insecure.
- For information on strong password, see the Passwords page.
|Impracticality of Workarounds Risk
- Threat: As denoted by the term, a 'workaround' is not an actual fix. For workarounds to be effective, they require: awareness (of which there is probably very little); wide adoption (very few people are applying these), and easy steps (most are cumbersome due to bad usability).
- Conclusion: It is likely most workarounds will be neglected during various phases due bad usability (difficult to use), limited awareness/skills and/or time pressure.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.