I think you all know it but the cryptocurrency world is full of surprises, good ones and some not so good. In terms of security we have made a lot of progress over the past few years, and societies like Ledger and many others are at the root of the development of Hardware Wallets, reinforcing cryptocurrency's storing and staking.
However some events and studies revealed that nothing is 100% secure, indeed more and more hackers and masterminds still manage to find solutions and ideas to break the wallet's security barriers. A recent case showed again that these people are really determined, let me drive you through this unbelievable race between security companies and these Kings of Theft.
1. We are going 1 year in the past, during the Trezor's Wallets affair :
On the 12th of March 2019 the french society Ledger published a study to freeze blood, indeed they revealed 5 major flaws on Trezor's wallets, an hardware wallet company. Ledger have a team of experts of security named Ledger Donjon, they discovered those flaws during their work on Trezor One and Trezor T (2 models of hardware wallet from Trezor), only two have been corrected today.
Among those flaws 4 were critical and 1 was minor, the first concerned side channel attacks, basically the PIN code of the wallet could support 15 attempts before blocking the all access. The problem is by analyzing the consummation of the wallet hackers were able to succeed in only 5 attempts. Another flaw was dealing with Scalar Multiplication, an algorithm allowing public keys to become private, the problem with this algorithm is that a simple traffic analysis and a digital oscilloscope managed to easily extract the decryption key.
Others concerned Flash memory bumping attacks and device authentication, an hallucinating one even made possible for an hacker to buy a large number of wallets, take off the security stamp, install a backdoor on the device, reschedule the package and return them to Trezor using the withdrawal period. Between the wickedness of the hackers and the lack of reflection on some wallets it allowed more and more thefts on hardware wallets (a bad thing for wallet who pretend to be fully secure).
2 Things have evolved in terms of security but risks remain :
Like Ledger Donjon others companies decided to invest a lot of their budget into security. It allows them to identify faster and more efficiently possible flaws concerning hardware wallet, however in conjunction the hackers have redoubled efforts to find new tricks and solutions to crack the security barriers. Recently Ledger discovered a flaw on a Shapeshift device (the KeepKey), it has now been patched but it revealed a worrying problem, indeed the hackers don't attack via internet but physically on the wallets.
Indeed Ledger Donjon showed that if the thief managed to steal your wallet physically he easily could access it just by changing the PIN code on the electronic circuit of the wallet. Adding a simple pass phrase was the only way to fix this problem, otherwise the Shapeshift company add finally to modify the electronic circuit itself.
Even the best wallets can crack under these attacks, the Coldcard Mk2 (from Coinkite, however it has been fixed on the Mk3 model) didn't resist under a fault injection attack, basically a strong laser aim the microchip and create faults which create bugs in the device. As a result the traditional limited number of attempts for the PIN code become unlimited, however owning a laser that strong cost around $200.000, thankfully it discourages most of the hackers.
Hardware wallets are the strongest that you can find in terms of security and privacy, however remember that strongest doesn't mean invincible, flaws exist even if they represent a minority. These Kings of Theft are fully determined and find everyday more ways to break through your wallet security. All you can do is protect a maximum your crypto with PIN code and pass phrase, and more important try to keep it away from stealing.
