Actions

Cryptocurrency Hardware Wallet: Threat Model

From Whonix


Introduction[edit]

Info Note: The term "account number" rather than "address" is used throughout this wiki entry in order to avoid confusion.

Hardware wallets are:

... a physical device on which a user stores their private keys to access their blockchain wallets. These devices don’t have to be electronic. Any physical item that can store a private key is considered a hardware wallet. From a general perspective, hardware wallets are convenient, secure, and immune to many of the hazards other wallet types can fall victim too.

In essence, hardware wallets seek to secure users' funds under the sane assumption that the computer in use may be compromised by malware. Once infected this way, malware can:

  • secretly view all user actions without obvious signs;
  • manipulate the screen, such as showing one account number instead of another correct account number; and
  • capture all key strokes (sniff passwords), download files and perform other malicious actions.

For these reasons the computer display is considered untrustworthy, while the display of the hardware device is considered trustworthy. The reason is only the hardware device vendor enforces a requirement that signed software must be used. Unless the cryptographic verification process can be subverted, the hardware wallet is considered to be free of malware and therefore a secure display. In other arenas, this security concept is referred to as "What you see is what you sign" (WYSIWYS). [1]

Threat Model[edit]

In order to perform cryptocurrency transactions securely, a number of threats must be averted so funds are not lost to attackers. While funds stored on the devices are safe, it is not easy to transfer funds onto the device in a secure fashion; consider the risks below.

Table: Hardware Wallet Threats

Threat Domain Description and Recommendations
Recipient Account Number Discovery Risk
  • Threat: It is difficult to view one's recipient account number on the hardware wallet's secure display.
    • The Ledger Wallet Bitcoin has a "show address on device" ("show account number") button, which shows the account number on the secure hardware wallet display.
    • The Ledger Wallet Ethereum and other wallets did not have this function at the time of writing (2019).
    • myetherwallet has a "show account number on device" feature, however:
      • myetherwallet is browser-based and should therefore be avoided (even when running locally).
      • The online version of myetherwallet should be avoided at all cost since the myetherwallet server is an obvious target for hackers.
      • It is difficult to us myetherwallet locally in conjunction with a ledger hardware wallet due to browser issues. [2]
    • In some devices, even if the account number is shown it is difficult to read from the display.
      • The Ledger Nano S only has a small display and the account number -- which can be 35-45 random characters long -- and is displayed as ticker text which automatically scrolls over the display at high speed. This means at best it is only possible to view the first few and last few characters, while skipping all those in the middle. This provides an opportunity for attackers to try to create an address where the start and end of the address match, but the middle section is under their control.
      • The Ledger Nano Blue does not have the above problem and shows the full account number at once, providing an opportunity to verify it in full.
  • Conclusion: The regular user of a ledger hardware wallet will have difficulty in discovering their own recipient account number in a secure manner, due to the risk of fraudulent modification by malware running on the computer. This means it is also difficult to tell senders of the correct recipient account number without potentially being misled by malware.
  • Workaround: Use multiple computers to discover the account number in the hope they are not all compromised.
Receiving Account Number Transmission Risk
  • Threat: When receiving coins -- such as when withdrawing cryptocurrency from the cryptocurrency exchange -- the user's recipient account number is entered into their computer, which is utilizing an insecure display.
  • Conclusion: The screen could be modified by malware to fraudulently redirect the withdrawal to an account number held in the attacker's wallet.
  • Workarounds:
    • Use withdrawal account number whitelists if they are offered by the sender.
    • This issue does not apply if the user can transmit the recipient account number through a trusted channel.
Account Balance Discovery Risk
  • Threat: Even if cryptocurrency has been received on the device, the balance is not shown on the hardware wallet secure display.
  • Conclusion: The user might mistakenly believe they have received more value than was actually transferred.
  • Workaround: Use multiple computers to check the balance (watch-only accounts), in the hope they are not all compromised.
Recipient Account Number Transmission Risk
  • Threat: When sending cryptocurrency to merchants or cryptocurrency exchanges, the recipient account number is shown on the computer's insecure display. It could be modified by malware to redirect the receiving account number to the attacker. Since the hardware wallet secure display will ask for confirmation (account number and amount), at least smaller transactions are protected. For example if the user has 1 Bitcoin but only wants to send 0.1 Bitcoin, there is an option to abort the transaction if the ledger display asks to confirm a transaction that is larger than expected.
  • Workarounds:
    • This issue does not apply if the recipient account number can be verified through a trusted channel. For example, multiple devices can be used (since it is unlikely they are all infected) or a personal meeting with the sender can occur beforehand.
    • It is possible to send funds in small installments and then confirm with the recipient via a secure channel they were received. This limits the amount of funds that may be lost to the size of the installment.
Time of Compromise Matters
  • Once funds are on the hardware wallet they are safe until the user attempts to spend them.
  • This means if/when the user's computer is compromised later on (after stocking up funds), less funds are lost but all the aforementioned threats apply.
Physical Security
  • If the hardware wallet and/or computer are stolen, all funds are safe. [3]
  • If the user stores the hardware wallet and PIN in the same place and loses it, all funds will be lost.
  • If the mnemonic phrase is lost, all funds are irretrievable.
  • Compared to full disk encryption, it is easier to keep private keys secured. [4]
Usability
  • easier to safely split bitcoin / bitcoin cash / bitcoin gold
  • easy to carry: yes
  • easy to backup: yes
  • easy to replace device: yes
  • easier than Qubes OS (offline vault VM): yes
Usability Issues
  • browser support on/off
  • ledger device applications do not auto start
Miscellaneous
  • more obscure to attack than a "simple trojan horse": yes
Impracticality of Workarounds Risk
  • Threat: As denoted by the term, a 'workaround' is not an actual fix. For workarounds to be effective, they require: awareness (of which there is probably very little); wide adoption (very few people are applying these), and easy steps (most are cumbersome due to bad usability).
  • Conclusion: It is likely most workarounds will be neglected during various phases due to limited awareness/skills or time pressure.

Footnotes[edit]

  1. In other words, just sign what you see.
  2. https://github.com/kvhnuke/etherwallet/issues/558#issuecomment-307307105
  3. This assumes the attacker is unable to circumvent the hardware wallet PIN entry and/or extract the keys from the device.
  4. The protections afforded by hardware wallet security are not necessarily stronger than computer full disk encryption (such as LUKS in Linux).

[advertisement] Looking to Sell Your Company? Contact me.


Have you read our Documentation, Technical Design and Developer Portal links yet?

https | (forcing) onion
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.