One-to-one replicas of the Trezor cryptocurrency hardware wallet have been found for sale on the Internet, says the company in a recent blog post, and using them, “…can be a severe threat to your security.”
A Toronto software developer, Amaha Alem, was also emphatic, and said a maker of a counterfeit crypto wallet could steal the associated coins:
“A fake Trezor would be terrible. The perpetrator would have you private keys.”
Trezor says these counterfeit devices are being sold at a “steep discount” now and warns that they are difficult to distinguish from the real thing- all the way down to the holographic seal on the packaging.
A hardware wallet is essentially an enhanced thumb drive used to generate the “private keys” (passwords) that allow a person to send and receive transactions across the Bitcoin (or other) blockchain.
Billions of dollars of cryptocurrency have been stolen from online “hot wallets” in the past, typically but not exclusively on exchanges, which have often stored large pools of crypto in Internet-connected devices to allow quick and voluminous trading.
Offline storage is very important and owning a hardware wallet is essential for any average person seeking to securely hold crypto. Crypto stored online is commonly referred to as a “honey pot” irresistible to hackers.
Yesterday, CI reported on the SIM-swap hacking theft of close to $1 million in crypto from a Silicon Valley executive who was storing it on the Coinbase and Gemini exchanges.
Not all hardware wallets are created equal. They must be purchased from a trusted source, and usually don’t come cheap.
The most trusted names in hardware wallet manufacturing so far are Trezor and Ledger, two companies based in Europe.
Each also comes with a software interface for securely communicating with the wallet when it is connected to the Internet to send and receive crypto.
That software too must be authentic or there is a risk that malware will interfere with the security of a transaction.
According to the Bitcoin Wiki, proper hardware wallets, “…have major advantages over standard software wallets”:
- private keys are often stored in a protected area of a microcontroller, and cannot be transferred out of the device in plaintext
- immune to computer viruses that steal from software wallets
- can be used securely and interactively, private keys never need to touch potentially-vulnerable software
- much of the time, the software is open source, allowing a user to validate the entire operation of the device
A counterfeit device, on the other hand, could be compromised in multiple ways, including:
- malware swaps recipient Bitcoin addresses (to that of an attacker)
- insecure random number generator. “An insecure RNG may create wallet keys that can later be recreated by an attacker, by generating psuedo-randomness that would seem statistically indistinguishable from true randomness yet still be predictable to an advanced attacker.”
- imperfect implementation: “Bugs at the software, firmware or hardware level may allow attackers to break into a hardware wallet and gain unauthorized access to secrets. Even if the design is perfect, proving the security of a hardware or software implementation is a very hard, mostly unsolved problem. To date, no wallet in existence is implemented using provably correct software.”
- compromised production process: “…hardware wallet would be vulnerable to a corrupt production process that introduces intentional or unintentional holes into the final product. The introduction of hardware backdoors is a real concern for high risk financial and military applications.”
- compromised shipping process: “A compromised fulfillment process may substitute or modify secure devices for superficially identical but insecure replacements. Government programs that intercept hardware and modify them in route to insert backdoors are known to exist.”
The company advises buying only from the official Trezor online shop, from Amazon or from “official resellers.”