Feb 10, 2025

Crypto Wallets: Software & Hardware Device Safety

Dave Pasirstein

15 min read

TL;DR
Computers and mobile devices with internet access are not equal when it comes to the safety of data entered, stored, or displayed. This can be particularly concerning when dealing with private keys and seed phrases for cryptocurrency wallets. Although it is easy to say, a knee-jerk reaction of avoiding anything online such as offline signing for everything may not be the best option in all cases. Instead, understanding the risks and tradeoffs may yield a fairly balanced outcome.

Introduction

In the world of cryptocurrency wallets, there is a wide range of products, from purely software, to digital/USB hardware, to cold offline metal or media. Navigating these options is hard, and it is even harder when there is a lot of misinformation and partially correct information shared with the best intentions. This article will peel back the onion and look at several of these facets, considering safety and liveness. We will not explore all possibilities, as that could easily fill a large book.

Security is a continuum of “grays” - some darker or lighter than others. We will consider positions of more or less secure and take the position that the term “insecure” implies everything below a given threshold on that continuum.

Hot and Cold Wallets

Hot wallets are typically software cryptocurrency wallets on a mobile phone or computer that can be used to quickly sign a transaction. From a safety perspective, they may or may not use the device’s built-in hardware security module (HSM) (hardware-backed keystore or secure enclave). It is also possible for a wallet to be an external USB device; this is sometimes referred to as a warm wallet. In the coming sections, we will look at the system implications, because there are great variances. The only broad statement that can be made is that in most cases hot wallets carry a higher risk than a cold wallet, but from a liveness perspective they offer far greater convenience and often a better user experience (UX).

Cold wallets are typically air-gapped and often associated with long-term holdings. The wallet itself could be as simple as a public address that is sharable and a private key in a safety deposit box never to be used. Sometimes this is a physical hardware wallet, but the same principle applies: if it is cold, it is not signing transactions. Cold wallets are considered highly secure (safety); however, by design, liveness is very low to non-existent.

Some people describe hardware wallets as cold wallets and they can be. Personally, I believe that a hardware wallet that is actively used to sign transactions is more of a warm wallet. A true cold wallet would receive funds for long-term storage but would be fully offline and not sign transactions until absolutely required (aka thawed/warmed).

For this article, we will focus on hot and warm wallets.

Cryptocurrency Transactions

Notes: In the crypto world, transactions are irreversible. Losing access to your private key or a stolen seed phrase means losing funds with little recourse. Multi-sig wallets offer one of the best protections against theft by requiring multiple signatures for transaction approval—reducing reliance on any single compromised key.

Unlike traditional finance (TradFi) where fraud could be claimed and the potential to recover funds exists, in the crypto world, transactions are finalized and cannot be reversed. Losing access to your private key means completely losing access to the funds while a stolen seed phrase (and its derived private keys) means your funds may be swept away / stolen without recourse.

Today, one of the most secure ways to protect against theft of a private key is through the use of a multi-sig wallet. Similar to the concept of co-signers in TradFi, this usually requires a threshold (e.g., 2 of 3) of participants to sign a transaction. The immediate benefit of such a system is that no single compromised private key alone can be used to steal funds, which lessens the risk of an otherwise higher-risk wallet product. Unfortunately, most multi-sig implementations are complicated for novices.

With multi-sig, the critical importance of a robust and safe seed phrase/key backup is frequently overlooked, or worse, it is misleadingly suggested that creating extra signers/keys fully addresses the limitation. A multi-sig wallet is not a complete backup plan, partly because most people do not have access to enough geographically distributed, guarded/secure locations. And even then, it is subject to the limitations of offline backups.

Examples of multi-sig include: Safe Wallet, various offerings by Casa, and many others.
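To make the threshold rule concrete, here is an added example (not code from this article or from any wallet product named above) that models a 2-of-3 policy with ed25519 signatures in Go. The policy keys, the sample transaction, and the names NewSigner, Approve, TxDigest and MeetsThreshold are all constructed for the demo; real multi-sig wallets implement the threshold in chain-specific script or contract logic, but the policy check is the same idea.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one participant in an M-of-N policy (key pair constructed for this demo).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh ed25519 key pair for one participant.
func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Pub: pub, priv: priv}
}

// Approval is one participant's signature over the transaction digest.
type Approval struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// Approve signs the digest; a stolen key can only ever contribute one approval.
func (s Signer) Approve(digest []byte) Approval {
	return Approval{Pub: s.Pub, Sig: ed25519.Sign(s.priv, digest)}
}

// TxDigest binds every signature to exactly this transaction's contents.
func TxDigest(tx string) []byte {
	d := sha256.Sum256([]byte(tx))
	return d[:]
}

// MeetsThreshold enforces M-of-N: an approval counts only if its key is in the
// policy and its signature verifies over this digest, and each policy key counts
// at most once, so a single compromised key cannot be replayed to reach M.
func MeetsThreshold(policy []ed25519.PublicKey, m int, digest []byte, approvals []Approval) bool {
	allowed := map[string]bool{}
	for _, p := range policy {
		allowed[string(p)] = true
	}
	seen := map[string]bool{}
	for _, a := range approvals {
		if allowed[string(a.Pub)] && ed25519.Verify(a.Pub, digest, a.Sig) {
			seen[string(a.Pub)] = true
		}
	}
	return len(seen) >= m
}

func main() {
	a, b, c := NewSigner(), NewSigner(), NewSigner()
	policy := []ed25519.PublicKey{a.Pub, b.Pub, c.Pub}
	d := TxDigest("pay 1.0 to addr-constructed-demo") // constructed sample transaction
	fmt.Println("2 of 3:", MeetsThreshold(policy, 2, d, []Approval{a.Approve(d), c.Approve(d)}))          // true
	fmt.Println("same key twice:", MeetsThreshold(policy, 2, d, []Approval{b.Approve(d), b.Approve(d)})) // false
}
```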

Mobile Phone Software Wallets

Notes: Mobile phones running iOS or Android have built-in "sandboxing," limiting app interactions. Apps cannot access other apps' files, and web browsers on these devices are also sandboxed. Both Apple and Google enforce strict review processes for app store applications, reducing malware risks. Native applications can manage memory use, adding protection against data leakage.

Mobile phones running official versions of Apple’s iOS or Google’s Android have built-in “sandboxing” that limits what applications can do on these devices. For example, unlike a PC, applications do not have carte blanche access to the device. On iOS, they cannot access the files and data of other applications or the system files; on Android, they cannot access those things without explicit permission. They cannot screen record without explicit permission, nor can they access the clipboard without explicit permission. By default, neither iOS nor Android allows applications to access the memory used by other applications. When an app wants to share data with another app, it either asks the system to launch the other app via a link or displays a share sheet to the user. In either case, there is no direct interaction between the apps, and the user is well aware of and can see the interaction.

Perhaps most importantly, web browsers running on these devices are equally sandboxed on the operating system. That means that potentially malicious code executing on a website will not have access to applications or application data on the mobile device.

Both official Apple devices and Android Certified Devices (since ~2017) have hardware security capabilities such as a hardware-backed keystore or secure enclave that protects from key exfiltration and provides secure cryptographic operations for applications that are designed to use them.

Both Apple via the App Store and Google via the Google Play Store control the available applications by requiring strict review processes that include static and dynamic analysis. While not impossible, this greatly limits the amount of malware that reaches the stores.

Native applications also have some ability to control their memory usage, including the ability to overwrite (zeroize) data in memory or in storage; this can protect against accidental leakage through memory dumps or allocation reassignment.

Essentially, the sandboxing functionality gives apps a space to run while limiting or preventing any adverse effects or direct interactions with other apps. So where do the security concerns come from?

  1. A user giving permission such as screen recording or a 3rd party keyboard app that can capture data.
  2. An iOS or Android security bug that a malicious actor (often an app) exploits to break out of the sandbox. Usually, these are patched very quickly by Apple and Google but sometimes 3rd party mobile phone vendors can be slow to release those patches.
    1. With Android, while rare and uncommon, the potential for security vulnerabilities is significantly amplified when the user has enabled the installation of applications from sources other than the official Google Play Store (commonly referred to as "side-loading").
    2. It is rare to see a mobile virus, but state-sponsored spying on strategic targets has occurred.
  3. Jailbreaking (iOS) and rooting (Android) are techniques often invoked by the device owner to “free” the system to be more like a PC: install what you want, copy apps, etc. However, this disables the sandboxing security benefits. Essentially, all assumptions and bets are off when it comes to the security state of such devices.

While some sensational stories make the media regarding mobile phone viruses and exploits, system security issues are relatively few and far between, and patches are quickly made available.

Apps that honor the device’s security can still steal shared data. For example, if you take a screenshot (stored as a picture) or picture of your seed phrase, then any app where the user has granted photo or picture access could find and steal that data. This was the case recently with otherwise useful applications that requested user access to the mobile device’s picture storage to share pictures, while maliciously using optical character recognition (OCR) to identify and steal pictures of seed phrases. Unlike sandboxed applications, the picture storage can be shared. In this case, mitigation is easy and applies to mobile, computers, cloud, etc.: don’t take/keep pictures or screenshots of seed phrases or other highly sensitive information.

In short, if your device is compromised, it is game over; however, compromising a mobile device is more difficult than desktop/laptop computing. You're probably also aware of the risks you've exposed yourself to by doing "less than traditional" things to your device.

When it comes to crypto wallets, these default mobile environments, up-to-date on their patches, are reasonably secure (safety). Crypto wallets that leverage the hardware-backed key management and native memory protection strategies of these platforms dramatically increase the security of their software. Without requiring additional steps, they offer a high degree of liveness, although, without direct browser integration, it can add some hurdles to the user experience.

Web Browser-Based Extension Software Wallet

Notes: Web browser extensions running on desktops face higher threat levels due to broader internet access. They interact with loaded web pages and operating systems, offering more vectors for attacks. Clipboard operations and screen recording add risk, but strategies like separate browser profiles can mitigate these.

Web browsers supporting extensions run on desktops and laptops, such as Windows and macOS. As of this writing, there is limited to no support for such extensions in web browsers on mobile devices.

Crypto wallets are often available as web browser extensions for Chrome, Firefox, Edge, Safari, and others. Similar to mobile phones, these browsers provide a “sandbox” for these extensions to operate; however, there are material differences in the associated threat model.

Browser extensions can be granted and may require various permissions to directly interact with both loaded web pages and with the underlying operating system such as Windows or macOS.

Since browsers have broad internet access and load and run code such as JavaScript and WebAssembly as part of their core function, their threat risk is high. Browsers have come a very long way, and browser vendors take great care to secure them and provide rapid security fixes. A crypto wallet extension directly interacting with malicious websites is concerning, as great trust must be placed in the browser for protection; however, that is not enough. Since there is interaction between the site and the extension, there are vectors for attempted attacks.

Even if the website does not attack the extension’s code directly, it can indirectly attempt to trick the user as with the crypto wallet example described here.

Most extensions are not native code; they are usually JavaScript, which means they have no means to perform memory management strategies such as zeroization of sensitive data. However, in recent years, browsers have provided cryptographic APIs to increase the security and protection of such operations.

Malicious applications can use keylogging and screen recording features, which are often available in web browsers and on desktops, to steal confidential information. User consent, approval, and awareness for screen recording differ significantly depending on the browser and operating system.

Computers running these browser extensions provide little to no protection for the active user’s clipboard, thus copying sensitive information such as private keys or seed phrases is a risk. In some cases, we have even seen malware replace addresses on the clipboard. Similarly, there are limited operating system-level protections to prevent a 3rd party malicious application, virus, or malware from capturing keystrokes such as the wallet’s password or from accessing the extension’s storage and exfiltrating the wallet.

There is materially greater risk to safety with such an extension than with a mobile application. However, some things can be done to reduce this risk. For example, creating a separate browser profile for the extension, launching that profile only when on a trusted website to sign a transaction, and then exiting that profile could limit exposure. Additionally, anti-virus and anti-malware solutions help, along with limiting the installation of 3rd party applications and ensuring the system and web browser are fully up-to-date with security patches. Lastly, crypto wallets that leverage the browser's cryptographic APIs reduce risk as well.

In short, if your computer or browser is compromised, it is game over, so ensuring a protected up-to-date environment is critical.

These types of wallets offer a high degree of liveness and the best user experience overall. However, in following the advice to maintain a second browser profile, a minor user experience inconvenience is added.

Computer (Desktop / Laptop) Based Wallets

Notes: Standalone crypto wallets on computers offer improved security over browser extensions. Native applications can manage memory better than encapsulated web apps. However, they still face risks from viruses and malware capturing keystrokes or clipboard data.

Desktop / Laptop computer standalone crypto wallet applications are usually seen in two forms: native or encapsulated web applications (such as an Electron application).

Encapsulated web applications install as a standalone app. They utilize common web code such as HTML and JavaScript. The advantage to vendors is that it allows code to be written once for the web such as a website or browser extension and then reused as a standalone app. However, in reusing code, they often hold to the sandboxed limitations of the web browser.

Native applications can control their memory usage, including the ability to overwrite (zeroize) data in memory or storage; this can protect against accidental leakage through memory dumps or allocation reassignment. Encapsulated standalone web applications cannot.

Native applications have access to the computer’s hardware-backed security element such as a TPM or secure enclave. If they utilize this, it can greatly improve the cryptographic security and key management and limit the exfiltration of that data. Encapsulated standalone web applications may or may not have full access to that hardware.

Standalone crypto wallets have a benefit over web browser extension-based wallets in that they are not directly exposed to the websites visited in the browser, which may contain malicious attack code.

Unlike mobile iOS and Android, standalone computer applications are not sandboxed and tend to have full or broad access across the active user’s data and clipboard. Similarly, any virus or malware may gain access to capturing keystrokes and screen recording. All of these are exfiltration risks for stealing the data and sending it over the internet.

Like the browser extensions, these crypto wallets are seemingly far less secure (safety) than mobile application wallets. However, depending on the implementation, such as native code utilizing various security strategies (e.g. memory protection and hardware-backed elements) and that they are not directly interacting with untrusted websites, these wallets may offer slightly improved security over their browser counterparts.

Anti-virus and anti-malware solutions along with limiting the installation of 3rd party applications and ensuring the system, web browser, and other 3rd party software are fully up-to-date with security patches can reduce risk.

In short, if your computer is compromised, it is game over, so ensuring a protected up-to-date environment is critical.

These types of wallets offer a reduced degree of liveness and user experience over a direct browser integration.

Hardware Wallets (and air-gapped compute)

Notes: External hardware wallets like Ledgers or Trezors provide transaction signing via USB, Bluetooth, etc., but are not completely risk-free. Risks include supply chain attacks and counterfeit devices, yet they offer high safety with reduced liveness compared to software alternatives.

External hardware wallets such as a Ledger, Trezor, or others keep the signing key separate from the mobile device or computer. There is still communication between the devices via USB, Bluetooth, NFC, SD card, or QR code to perform the transaction signing.

In most cases, external hardware wallets provide their own software for integrating with the mobile device or browser. Several mobile, browser, and desktop wallets also provide integrations to hardware wallets which offer the benefits of increased wallet interoperability with various applications.

This means an internet-connected device is still involved and can open the risk to a man-in-the-middle/man-in-the-browser attack vector. In this case, a transaction proposed via an application or website could be replaced via malware before being received by the hardware wallet. It would be up to the user to manually verify that the transaction is the same.

Even though these devices communicate with an internet-connected counterpart mobile device or computer, that channel is designed to limit the communication to specific operations; thereby reducing the risk of the key being stolen or used without the owner's approval.

Also, assuming the hardware wallet is neither left plugged into the USB port nor maintains a persistent Bluetooth connection, the risk vector of malicious code on the internet-connected device attacking the wallet is greatly reduced.

When the hardware is plugged in via USB, accessible via Bluetooth, or opened/electrically wired, it may still be possible to hack it via memory analysis. This is admittedly difficult, but if a flaw is found, it could be trivial to repeat for devices using the same or similar chipsets.

Hardware wallets are expected to contain a dedicated hardware security module designed to prevent the private key from being unintentionally exported. While this type of hardware is possible, we have seen respected vendors mislead customers by incorrectly suggesting that their products were designed as such, leading to public controversies on this topic.

Most hardware wallets are firmware upgradable, which requires some means to upload new code to the device. This too opens risks that require the owner to carefully check and verify (if possible) that the code is safe. Not all hardware wallets are open source, and even those that are often have no way to verify that the downloaded compiled and packaged firmware 100% matches the published source code.
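The firmware check an owner can actually perform is the subject of this added example (my code, not any vendor's): it pins a vendor signing key, verifies the vendor's signature over a release manifest, and confirms the downloaded image hashes to the signed digest. The manifest format, the key pair, the image bytes and the function names are all constructed for the demo; as the comments note, this proves authenticity and integrity but not that the image was built from the published source.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor's release statement: version plus the SHA-256 of the
// exact image. The vendor signs the manifest, so an image is trusted only if it
// hashes to the value that was signed.
type Manifest struct {
	Version string
	SHA256  string // lowercase hex
}

// Bytes is the canonical encoding that the signature covers.
func (m Manifest) Bytes() []byte {
	return []byte(m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("firmware image hash does not match the signed manifest")
)

// VerifyFirmware checks both links before anything is flashed: the manifest
// really comes from the vendor key the owner pinned earlier, and the downloaded
// image hashes to the value the vendor signed. It cannot prove the image was
// built from the published source; that needs reproducible builds.
func VerifyFirmware(vendorPub ed25519.PublicKey, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(image)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrHashMismatch
	}
	return nil
}

// signRelease stands in for the vendor's release pipeline (constructed for this demo).
func signRelease(priv ed25519.PrivateKey, version string, image []byte) (Manifest, []byte) {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Bytes())
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // in practice pinned at first use
	image := []byte("constructed firmware image v2.1.0")
	m, sig := signRelease(vendorPriv, "2.1.0", image)
	fmt.Println("genuine image:", VerifyFirmware(vendorPub, m, sig, image)) // <nil>
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("altered image:", VerifyFirmware(vendorPub, m, sig, tampered))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := signRelease(otherPriv, "2.1.0", image)
	fmt.Println("manifest from a non-vendor key:", VerifyFirmware(vendorPub, m2, sig2, image))
}
```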

To maximize safety and minimize the likelihood of rogue firmware, it may be best to only use brand-new hardware fresh out of the packaging. However, even if you never upgrade your wallet’s firmware, there is a chance it could have been sold with an already installed malicious firmware (known as a supply chain attack). Not to mention…the existence of counterfeit hardware.

Phishing and scams apply to hardware wallets just as they do to mobile and desktop, as does the need for careful seed phrase handling and backup.

Despite these risks, hardware wallets offer a high degree of safety with a reduced degree of liveness over their pure online software alternatives. Unlike a mobile app that is always available with you on your mobile device, liveness-related experience can further be adversely impacted by not having the hardware wallet accessible when needed.

Conclusion

When considering hot and warm wallets, the safety and liveness tradeoffs can vary greatly across device types. Hardware wallets provide the greatest safety with liveness materially reduced compared to the alternatives. Browser extension wallets and standalone computer application wallets pose the greatest safety risk. Due to the nature of uncompromised mobile operating systems, mobile app wallets offer materially greater safety over browser extensions and computer alternatives. They also offer the best liveness & user experience out of all the options.

All of these options still pose risks, and it is important to take precautions to mitigate them. One precaution that can be combined with any/all of the options is to use a multi-sig. This would prevent a compromised private key from resulting in a loss of all your funds. Another mitigation is to ensure that a crashed computer, lost phone, or lost hardware wallet does not mean losing access to everything. For that, I’ll mention my employer, Secret Shield Inc, as a means for a safe backup of the wallet seed phrase or private key.

Thanks for reading!