Bitcoin Hardware Wallets and Their Vulnerabilities

Bitcoins don’t exist. That is, there is no physical coin with a bitcoin logo, even though attempts have been made to create them. Those that do exist, exist as novelty items, like the one in this image.


When you buy a bitcoin, you buy a line of computer code that a group of people believe has monetary value, just like we believe that a piece of paper has a special value if it has the correct identifying features.


When you buy a bitcoin, you get a private key that allows you and only you to use it. If you do not protect this private key, you are in danger of having it stolen. That’s why you need something called a ‘bitcoin wallet’. Just as you can protect your money by putting it in a safe or a bank, you can protect your key and bitcoins by putting them in a bitcoin wallet.

Just like banks, some wallets are better than others. Bitcoin wallets can take the form of an app, a software program, a website (cloud), or a removable hardware storage device, like a USB drive. Wallets that use programs connected to the internet are termed ‘hot storage’. Wallets on independent, physically isolated devices are referred to as ‘cold storage’. It should be quite clear that, especially if you have a considerable investment tied up in bitcoins, a hardware wallet, or cold storage wallet, is preferable, if not mandatory.

Anyone serious about keeping their bitcoins safe will use a hardware wallet. Hardware wallets, being physical devices, must be paid for, unlike some software wallets, which are either free or included in a cloud service. Prices start at just under $100. But, how do you know which hardware wallet is best?

The best hardware wallets will come with their own small screens so that you are even less exposed to malware, like keyloggers, that may be waiting for you to type information on your computer. The image below shows a hardware wallet made by the firm KeepKey, with its built-in screen.


Of course, there are other ‘wallets’ that you could use. You could use a separate computer that is not connected to the internet to store your bitcoin data. You could use hardware architecture on an Android device, such as that offered by InZero Systems, which separates the hardware at the kernel level, making what amounts to two separate devices out of one device. Just be sure that the safe side of the device is not connected to the internet. Or you could write down your private key on a piece of paper.

Hardware Wallet Vulnerabilities

  1. You could lose your wallet

Yes, it can happen. Back in 2013, James Howells threw out an old hard drive when he was cleaning up his desk. Later, he realized that he had stored 7,500 bitcoins on it that he had bought, and then forgot about, years before. That’s right. At today’s rates, he had thrown away $120 million. It’s still buried in a landfill in Wales, if you’re interested.

You might not be as unlucky as James Howells, but you could still misplace or accidentally destroy your hardware wallet. Then what? Well, that’s the end of the story. If someone steals your wallet, they cannot open it without a PIN. Three PIN attempts will delete everything on the wallet, so even the owner can lose all the data if they forget the PIN. What if your house burns down? What if you drop the device in the toilet? You get the picture. Hardware wallets have physical vulnerabilities.

For all of these reasons, those who have large investments in bitcoins often buy more than one hardware wallet. One can be kept nearby, while another can be kept in a secure and more distant location, like a safety deposit box in a bank. And don’t forget analog storage. That is, you can always write your private key on a piece of paper and store that in a secure place.

  2. The firmware could be tampered with

[Image: bitcoin wallet warning]

The above warning is given for one particular hardware wallet for a reason. People have been scammed by buying a wallet from a third party like eBay. In one case, the wallet appeared to work and send bitcoins to a recipient. Only later did the owner realize that all of his bitcoins, $34,000 worth, were missing. Apparently, the wallet was programmed by the seller to send bitcoins to his/her address. Most hardware wallets have to have the firmware programmed into the device to work and should not, in general, work right out of the box.

Such attacks are often referred to as ‘supply chain attacks’. Anyone physically handling a device from the time it is manufactured to the time it is delivered could potentially tamper with it to make it perform to their needs.

  3. Firmware updates

This is a common attack vector for both regular criminals and nation-states. Basically, the attacker forces a firmware update of the hardware wallet. The user may have set their computer to update programs automatically. The update may reprogram the device to send information, such as the private key, back to the attackers. Often, victims have no idea this has even happened until their bitcoins disappear.

  4. Recovery attacks

Many hardware wallet companies realize that people, being human, will make mistakes. They may misplace, damage, or otherwise lose access to their wallet. That’s why these companies give customers a special way to get their wallets back. It’s called the ‘recovery phrase’. This is a phrase of 12 to 24 related or unrelated words that can be used to recover lost private keys. An example is given below.

[Image: bitcoin wallet phrase]

If this message shows up on your computer screen, it can be captured with screen capture malware and there go your bitcoins. Others may store their phrase/words in an accessible file on their regular computer or write it down and put it somewhere in their house, which makes them vulnerable to other forms of attack.

KeepKey uses the phrase recovery technique but advises customers to use it only on a new KeepKey wallet. KeepKey encrypts each letter as you type it into your computer before it is sent to the company to retrieve your private key. This, of course, means that some of your data is stored in the KeepKey cloud, which would make it a target for hackers. Indeed, KeepKey was hacked in early 2017. Company CEO Darin Stanchfield reported that “the attacker was able to temporarily access one of our sales distribution channels, a vendor we use for shipping and logistics, and our email marketing software account. This means he momentarily had access to a portion of our customer data which included addresses, emails and phone numbers.” This is troubling even if the attacker did not gain access to the private keys of customers. A good attacker could use this personal information to engineer an attack which could trick users into revealing their private keys.

  5. Other Vulnerabilities

In the documentary film about Edward Snowden, Citizen Four, Snowden is seen pulling a blanket over his head before typing in his password.

[Image: snowden blanket]

Apparently, he was worried about hidden security cameras capturing his password when he typed it in. It could conceivably happen with a hardware wallet. Not only a security camera, but malware which controlled your webcam could, at least in theory, capture information from your bitcoin wallet screen. It could also capture your device’s PIN.

In addition, new vulnerabilities recently found in a number of processors could be leveraged to take control of bitcoin wallets, although this is yet to be demonstrated.

As long as the price of bitcoins remains high, criminals will do anything to get their hands on them. Once stolen, the same technology that is used to keep bitcoin owners anonymous will keep those stealing them anonymous as well. The cryptocurrency realm is a dangerous terrain to navigate and threats can appear at any turn in the road. For those with little experience in speculating on cryptocurrency, here be monsters.
