In Internet forums, crypto newcomers sooner or later come across the advice to get a so-called hardware wallet. What is meant is a wallet designed specifically for digital currencies such as Bitcoin, which often visually resembles a USB stick. Its task is to protect the so-called seed, from which a user's private key can be calculated. Whoever captures someone else's seed has access to that person's crypto assets.
The most popular hardware wallets come from the companies Ledger and Trezor. Some of them cost less than 100 euros; nevertheless, they are generally regarded as safe, or at any rate safer than software wallets, which are programs that run on computers with an Internet connection and are thus exposed to the constant danger of hacking.
On Thursday evening, however, the trust of crypto enthusiasts in devices like the Ledger Nano S and the Trezor One was at least somewhat shaken. The three IT experts Dmitry Nedospasov, Thomas Roth and Josh Datko presented, at the hacker congress 35C3 in Leipzig, a four-part set of very special but successful attacks on hardware wallets. It was not the first hack of this kind, but in their number and diversity the attacks presented are likely to leave a lasting impression.
The three security researchers managed, for example, to spy from nearby on the PIN code of the slightly more expensive Ledger model Blue while it was being entered. The code is actually meant to protect the device from unauthorized access. The experts also showed why the security seals on the wallets' packaging cannot be trusted: they are all too easy to remove and re-attach.
As the highlight of their presentation, the researchers explained how they could gain access to the crypto assets on a stolen Trezor One, among other things by means of a deliberately provoked technical fault, a glitch.
The one-hour talk, in which the three get the mobile-phone game classic "Snake" running on a Nano S, is available as a YouTube video (and in the original English).
After their appearance, MIRROR spoke with Nedospasov and Roth about their findings and about the possible consequences.
About the people: Keylabs. Dmitry Nedospasov, 31, and Thomas Roth, 27, are experts in IT security. Together with their research partner Josh Datko, 38, they have a joint company called Keylabs. It advises companies, among other things on the topic of crypto wallets. Nedospasov lives in Berlin and Moscow, Roth in Esslingen, Datko in Fort Collins in the U.S. state of Colorado. According to the three, the day before the hacker convention 35C3 in Leipzig was the first time they were all in the same place at the same time.
MIRROR: Anyone who listens to your talk won't trust hardware wallets afterwards. Right?
Thomas Roth: We do not want to say that the devices are insecure per se. Using a hardware wallet is still better than managing the cryptocurrency on your own computer. Certain types of attacks, however, including attacks on the supply chain or on the chip, for example, are a risk for hardware wallets. It is important to know what your device is well protected against and what it is not.
Dmitry Nedospasov: Someone who has such a hardware wallet with small amounts on it at home probably has less to worry about than someone who wants to use it to protect crypto assets worth millions.
MIRROR: For most of your attacks, a hacker would first have to get their hands on a particular wallet, wouldn't they?
Nedospasov: If I keep the equivalent of 200,000 euros in my apartment, I have to expect that someone will break in. The attack on the supply chain, for example, is surely a greater threat to hedge funds than to normal users, for instance if someone knows that the company uses Ledger wallets and that a package from France will arrive soon.
Roth: That a courier lets someone take a quick look into a package if you slip him 100 euros is, I think, at least conceivable.
MIRROR: The Ledger model Blue costs 200 euros, three times more than a Nano S. And it was precisely on the Blue that you could spy on the PIN code?
Roth: Yes, there is a line from the processor to the display which, unintended by the developers, gives off strong electromagnetic emissions. These emissions can be measured and mapped to particular digits being entered. You could set up a directional antenna in the next room and read out the PIN before stealing the device.
[Image: the inside of a Ledger Blue]
MIRROR: Is the topic of IT security neglected in the field of crypto?
Roth: The world of hardware wallets is a very particular one. In the payment and banking sector, devices are built differently; there are devices there that delete everything as soon as they are unscrewed. We got all of the hardware wallets open.
Nedospasov: You can see that this is a new industry. The manufacturers base themselves on previous research. If you really wanted to be secure, you would have to build the wallets from other components; here the companies are mindful of their profit margins. Perhaps not enough cases are known yet of people having their entire crypto assets stolen.
MIRROR: How would you store cryptocurrency?
Nedospasov: For smaller amounts I'd trust my iPhone with a good app at least more than such a wallet, but that is just my personal opinion.
MIRROR: And when it comes to larger sums?
Roth: I would think about it this way: what would I do if I had the money in cash? For large sums, I would go with a solution from a larger manufacturer with a hardware security module (HSM), i.e., a combination of wallets and high-security servers.
Nedospasov: At conferences, I hear that the hacked wallets are being used with amounts in the hundreds of millions. There are hedge funds where a device is handed to the employees every morning and brought back in the evening. And others say that they take their wallet along on trips and into hotel rooms.
MIRROR: That is naive. Do the users of hardware wallets understand too little about how the devices work?
Nedospasov: Many buyers don't even realize that it is enough for attackers to steal the backup of the seed, a list of words written on paper. The device itself is then no longer needed to access the assets with the list via a smartphone. Even colleagues from the security field sometimes throw up their hands in horror when I explain it to them.
Roth: The word list is the easiest attack.
MIRROR: So the word list must be kept in a safe place. But how?
Roth: You could distribute the seed among ten relatives and friends so that each has a part and, for example, seven parts are enough to recover the whole seed. That way I can spread the risk.