Hardware wallets: tragic disadvantages and alternatives

Many people are intrigued by the concept of an elegant, highly functional, yet secure device for storing and exchanging cryptocurrencies, which has led to research into hardware wallets.

Gold standard in the field of crypto asset security

It turns out that hardware wallets can be hacked relatively easily by advanced technicians using various methods. These methods depend on the hardware components of each device and their configuration, so buying such an expensive crypto wallet is most likely an unnecessary expense for many cryptocurrency enthusiasts.

Hardware wallets are usually reserved for enthusiasts who want to show them off, or those who own a huge amount of assets that require improved security features, such as whales – the biggest asset holders in the cryptocurrency markets.

If you set it up correctly, you can certainly increase the security of your hardware wallet and feel comfortable about your coins and tokens. As an example, on Trezor models, which can be hacked within a few minutes once an external controller induces a low-voltage fault on the device’s chip to reveal the wallet recovery phrase, you can select an additional 16-word passphrase (in addition to the security phrase). The Ledger Nano (both S and X) is also vulnerable to attacks by advanced technical experts.

There is not a single hardware wallet that cannot be hacked in these extreme circumstances.

While this hasn’t been done yet, some experts say they can create a retail product that hacks hardware wallets for as little as $75. This is not what you want to hear when you hold large amounts of currency on a supposedly secure device, especially after you have been told that these devices are completely safe, and given that they are quite expensive for most people in the world.

Statistically, this type of attack is unlikely, but since this information has been made public, it is only a matter of time before such a device for hacking hardware wallets appears on the market. Most likely, such devices already exist on the darknet. Over time, this will make these attacks more common and force security experts to fix issues related to new hardware vulnerabilities.

How to achieve the required level of security


Many cryptocurrency enthusiasts are fine with using something as simple as a password-protected desktop wallet while running antivirus programs to protect them from backdoors and malware, potentially preventing an attack in most cases.

Many people protect their property with security systems, fire-resistant safes and firearms, which gives a greater sense of protection than their system. Others are quite happy with biometric security on their smartphones, along with mobile wallets with two-factor authentication. If you lead a cautious lifestyle, a smart approach can even be your ticket to financial security.

What if you could achieve a level of security comparable to a hardware wallet with a regular flash drive for less money? A USB drive opens up many different options, including encrypted cold storage (an offline storage environment), which is extremely difficult for anyone except the wallet's creator to decrypt, provided that you use AES-256 encryption and a unique, long passphrase.

Intelligence agencies are able to decrypt the 256-bit AES encryption available to citizens, but they don’t announce it to the world if they have the ability. And it will not be surprising to learn that quantum computing has moved much further than we are told, and this would be an easy job for them.

TrueCrypt, the predecessor of VeraCrypt, ceased to exist on May 28, 2014: software updates stopped when its employees announced that they would no longer support the project. Since then, almost all users have switched to VeraCrypt.

This was the result of the US government’s TrueCrypt volume being hacked by the FBI’s special branch in a time frame that was too short for a typical brute-force attack. This indicates that the feds decoded it in other ways. They could have used a backdoor, recovered a passphrase from the computer’s RAM, or even used a keylogger.

VeraCrypt offers users more protection against brute-force attacks. However, let’s assume that the government has this decryption capability. In this case, the only thing you should be concerned about is whether you are an important target for them. In the case mentioned above, TrueCrypt was used to hide secret government information rather than to protect personal finances, which made it a priority target for specialists.

Encrypted flash drives and 7-Zip


You can go beyond flash drives and make a “live” USB with a pre-configured Linux distribution via VMware or VirtualBox, for example, Tails OS or BlackArch Linux for advanced users. Ubuntu and Linux Mint, with their clean and intuitive user interfaces, would be good distributions for those who are not familiar with Linux terminals.

Using this method, you have all your resources, including wallets, browsers, and any other desired applications, ready to load with multi-level encryption. You can use a hidden volume via VeraCrypt (or similar). From there, you can access encrypted content in the VeraCrypt hidden volume with 7-Zip; both tools are free and offer 256-bit AES encryption. If you want, you can put the hidden volume in a 7-Zip file with other content, protected by a random passphrase.

Never use the same passphrase for more than one security level. When placing hidden volumes inside hidden volumes, don’t forget the series of passphrases you set, otherwise you will lose access to your wallet. We recommend that you store backups of your passphrases using 256-bit AES encryption in multiple locations.

You may be wondering whether encrypted flash drives and 7-Zip archives can be brute-forced. Yes, they can, but not if you use a thorough and long passphrase. Even if an attacker bypassed one layer of encryption, they would need to brute-force the next, and still get access to your device for two-factor authentication. For this reason, this is not a concern when everything is set up correctly, since even a talented cracker will need many years to crack a single AES-256 passphrase.
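To put rough numbers on the two points above (a different passphrase per layer, and long passphrases resisting brute force), here is an added example that is not part of the original article. The guess rate, the word-list size and the sample passphrases are assumptions chosen for illustration, and the entropy figure is an upper bound that only holds for randomly chosen passphrases.

```python
import math

# Assumptions for this added example (not figures from the article):
GUESSES_PER_SECOND = 1e6    # attacker rate after key-derivation slowdown
WORDLIST_SIZE = 7776        # Diceware-style list for word passphrases
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(passphrase):
    """Upper bound on entropy, assuming the passphrase was chosen at random."""
    words = passphrase.split()
    if len(words) >= 3:                      # scored as random word picks
        return len(words) * math.log2(WORDLIST_SIZE)
    alphabet = 0
    for size, used in ((26, str.islower), (26, str.isupper), (10, str.isdigit)):
        if any(used(c) for c in passphrase):
            alphabet += size
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33                       # printable ASCII symbols and space
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def years_to_crack(bits):
    """Expected years to search half of a 2**bits passphrase space."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def layered_years(passphrases):
    """Work to peel nested layers from the outside in.

    Each layer confirms a correct guess on its own, so the costs add up
    instead of multiplying, and a passphrase reused on an inner layer is
    already known to the attacker and costs nothing extra.
    """
    known, total = set(), 0.0
    for p in passphrases:
        if p not in known:
            total += years_to_crack(entropy_bits(p))
            known.add(p)
    return total

# Constructed sample passphrases, for illustration only.
SHORT = "sunshine"
LONG_A = "copper lantern drift orbit meadow quill"
LONG_B = "velvet harbor pixel thistle ember canoe"

if __name__ == "__main__":
    for label, layers in (("one short", [SHORT]), ("one long", [LONG_A]),
                          ("long reused twice", [LONG_A, LONG_A]),
                          ("two distinct long", [LONG_A, LONG_B])):
        print(f"{label:18} {layered_years(layers):.3g} years")
```

A real word such as the short sample falls to a dictionary attack far faster than this bound suggests, so treat the output as a best case for the defender.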

DeepSound

Of course, these methods are far from the only encryption software available. Another good alternative, presented in the popular show Mr. Robot, is DeepSound, a free steganography tool that can hide data in audio files such as MP3 and FLAC. These encrypted audio files can be written to a CD or mixed with other digital media on your hard drive, and they still play normally, hiding your data in plain sight using the same 256-bit AES encryption.

Be that as it may, “Never keep all your eggs in one basket” is a proverb that applies to cryptocurrencies: use various methods to protect multiple wallets. That way, if one of them is compromised, you will not lose all your assets. In addition, the attacker is likely to think that he has found all your finances, although in fact it is deliberate bait with enough funds on it.

“Common sense is not common.” 

Voltaire


It is impossible to overemphasize the importance of multiple layers of protection, regardless of what device, encryption types, or alternative methods you use to protect data, especially your finances and other personal information. You must have at least three levels of security, including two-factor authentication, 256-bit AES encryption, and other techniques of your choice. Intermediate and advanced users often say that the best antivirus is common sense. However, just in case, it is recommended that everyone use antivirus software that is constantly updated, especially if you are not familiar with cryptocurrencies or computer security.

The levels of protection depend not only on what type of encryption you use, but also on the lifestyle you lead. Combine your knowledge in the field of encryption with additional home security. You are much more likely to be threatened by people you know or interact with, whether they are partners, friends, relatives, or significant others. It’s enough for them to know that you have assets to protect.

Your first line of defense should always be common sense. The last line of defense should be your life, but that depends to a large extent on the importance of the content: you can’t spend your cryptocurrency if you are dead. Still, it’s understandable why a man would take a bullet to protect his family’s vast financial assets. As long as there are multiple copies of the public and private keys of the wallets, his family can later access them and withdraw funds, as is the case with the Ledger backup packages that are provided when purchasing models S and X in a pair. Fortunately, this doesn’t happen very often at the moment, but you need to be prepared for anything.

With enough money, time, and resources, almost anything can be hacked, especially by well-educated and talented people who are inclined to it. However, it’s worth looking at another threat that calls for caution: social engineering.

The best protection you can have along with the things already mentioned is anonymity. If you maintain as much anonymity as possible, you will be difficult to identify, let alone track, monitor, or attack. In the age of decentralized currencies and exchanges, this is only getting easier and, in many cases, more profitable.

Research shows that no asset is truly secure if you have been identified, tracked, and found with your wallet by people with cutting-edge technology whom nothing prevents from seeking financial gain.

The reliability of any modern safe, digital or otherwise, depends on the strength of the person holding the keys. The best defense is a good offense, and the best offense is common sense.