Rob Behnke
October 28th, 2022
Centralized crypto exchanges enable users to store their assets in a hosted wallet by retaining control of their private keys. However, successive exploits of crypto exchanges highlight the risks of entrusting private keys to third parties. The challenge has led to the development of increasingly complex non-custodial storage solutions such as hardware wallets (a type of cold wallet), which keep private keys offline.
Unlike hot wallets, which are stored on your computer or mobile device, hardware wallets are physical devices that hold your private keys. This makes them more secure than software wallets, as they are less vulnerable to hacking or malware.
However, despite their reputation as a more secure method of crypto storage, they are not risk-free. We previously discussed some ways to improve the security of hardware wallets. In this article, we will examine 5 of the biggest threats that hardware wallets face.
Hardware wallets are physical devices which means they are vulnerable to the same physical risks as any other gadget, such as being lost, stolen, or damaged. However, with a safe seed phrase, physical threats can be mitigated as crypto assets can be recovered from lost or damaged wallets. Poor configuration of the hardware wallet due to malicious tampering can enable an attacker to physically access the device and obtain the user’s private keys.
These are fault-injection attacks that involve creating errors to disrupt the wallet’s expected behavior without rendering it inoperable. By manipulating voltage modulations (either above or below the expected voltage), an attacker can force a wallet to behave abnormally, granting access to the recovery seed. This attack vector requires the hacker to be in physical possession of the hardware wallet.
The firmware on a hardware wallet can also provide a security concern. If an attacker can modify the firmware on a hardware wallet, they may be able to extract the user’s private keys or undermine the device’s security in some other way. For this reason, it is essential to purchase hardware wallets from trustworthy manufacturers and validate all firmware updates before installation.
Side-channel attacks are a type of vulnerability that exploit the physical characteristics of a system in order to obtain information that would otherwise be inaccessible. One example of a side-channel attack is using electromagnetic emissions from a device to infer the data that is being processed by that device. Side-channel attacks have been used to extract crypto keys from hardware wallets. In order for side-channel attacks to be successful, an attacker must have knowledge of the implementation details of the system they are targeting as well as access to the device.
Even if a hardware wallet is physically safe and well-protected against malware, an attacker could nevertheless attempt to obtain access to the user’s private key via social engineering (eg. phishing emails). Users of hardware wallets should therefore be aware of these types of attacks and how to defend against them.
When considering the right hardware wallet to go for, it is vital to bear in mind that various wallets carry varying degrees of security and tradeoffs in usability. Key differentiating features include physical construction, mobile support, USB connectivity, overall UX, and the range of cryptocurrencies supported by the software.
While hardware wallets are commonly regarded as one of the most secure ways to store cryptocurrency, they remain vulnerable to specific attack vectors. The risks we have examined in this post can be largely mitigated by following some of the steps outlined in our previous article outlining how hardware wallets can be hacked.
Get in touch with us at halborn@protonmail.com to speak to our blockchain security experts about our smart contract audits and how Halborn can help your company secure its assets.