kanaas

how much should one (dis)trust hardware wallets


Today I had a rather scary feeling when I opened the box of a new Trezor T wallet. To be sure that this piece of hardware is genuine, Trezor puts a seal with a hologram over the USB port. But in my case there was no seal (by the glue residue one could see and feel that one had surely been removed). I immediately informed Trezor and the reseller about this and they will replace it with another, but most importantly: they promised to figure out what could be the reason for this happening.

And now I was wondering, with this kind of device built from hardware and firmware: can hackers go after your secret keys and/or funds this way (even if you've entered passphrases or created accounts afterwards)?
Anyone with some knowledge about this as a potential problem? How scary can this be?
 


A number of people over time have had their coins stolen from Ledger wallets they bought from eBay or similar sellers. The devices had been flashed with various types of new firmware that could subvert the security via one exploit or another.

Your instincts were totally correct.

1 minute ago, Tinyaccount said:

A number of people over time have had their coins stolen from Ledger wallets they bought from eBay or similar sellers. The devices had been flashed with various types of new firmware that could subvert the security via one exploit or another.

Your instincts were totally correct.

Yep, was thinking so. But what's also scary here is that something went wrong in the supply chain, as I bought this from a webstore that's on Trezor's list of resellers. This didn't go via second hand or eBay.

Just now, kanaas said:

Yep, was thinking so. But what's also scary here is that something went wrong in the supply chain, as I bought this from a webstore that's on Trezor's list of resellers. This didn't go via second hand or eBay.

Yes, very true, that is alarming... but if you think about retail stores, they have unvetted folk working there who could potentially do package tampering. When I was younger, at one point I was working in a store that sold, among other things, computer software. In those days they came in sealed boxes and there was no copy protection on the disks inside.

The employees would routinely open a new game box, copy the disks and the manuals and then professionally reseal them with the store equipment.  Impossible for the punter to know their brand new box had been previously opened.

Things have moved on and it would not be that easy nowadays, but so too have the tamper techniques.

This is one reason why I only trust a paper wallet.

1 hour ago, panmores said:

But a paper wallet you also have to download from somewhere...

You just generate the key on a computer that will never connect to the Internet afterwards.


Wow, good instincts @kanaas. I wouldn't mess with that at all. This conversation demonstrates how early we are and how badly needed Polysign is @JoelKatz. David, we are (not so) patiently waiting. Looking forward to updates.

27 minutes ago, MoonRockets said:

Why don't you just buy wallets from Trezor and Ledger directly; that's what I did..

They still work with folks that you have to trust, but you might be right, at least that's one less in the supply chain....
OTOH, the security hologram seal (being removed) has done its job for me ;)


I bought my first Ledger off of Amazon. Now I get it from Ledger itself. It just makes sense to remove as many variables as possible. Also, great instinct. When I got the Ledger I reset it, downloaded new firmware, etc.


You can buy hardware wallets from anywhere. The only thing that matters is that you set up a new wallet. The device will generate the 24-word key. Scams occur when there is already a 24-word phrase in the box when you open it. That means someone else has your key.

I bought a wallet from a third party vendor and another from Amazon. They don't have my private key because I generated it after they shipped it to me.
